Use safe_attributes in GroupsController.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9746 e93f8b46-1217-0410-a6f0-8f06a7374b81
2012-06-01 19:06:16 +00:00 · 2012-06-01 19:06:16 +00:00 · 9f531a4380
parent 733fef458c
commit 9f531a4380
2 changed files with 11 additions and 2 deletions
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@ -63,7 +63,8 @@ class GroupsController < ApplicationController
  # POST /groups
  # POST /groups.xml
  def create
-    @group = Group.new(params[:group])
+    @group = Group.new
+    @group.safe_attributes = params[:group]

    respond_to do |format|
      if @group.save
@ -83,9 +84,10 @@ class GroupsController < ApplicationController
  # PUT /groups/1.xml
  def update
    @group = Group.find(params[:id])
+    @group.safe_attributes = params[:group]

    respond_to do |format|
-      if @group.update_attributes(params[:group])
+      if @group.save
        flash[:notice] = l(:notice_successful_update)
        format.html { redirect_to(groups_path) }
        format.xml  { head :ok }
--- a/app/models/group.rb
+++ b/app/models/group.rb
@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 class Group < Principal
+  include Redmine::SafeAttributes
+
  has_and_belongs_to_many :users, :after_add => :user_added,
                                  :after_remove => :user_removed

@ -27,6 +29,11 @@ class Group < Principal

  before_destroy :remove_references_before_destroy

+  safe_attributes 'name',
+    'custom_field_values',
+    'custom_fields',
+    :if => lambda {|group, user| user.admin?}
+
  def to_s
    lastname.to_s
  end