Code cleanup.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8198 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2011-12-13 19:56:33 +00:00
parent e1f885feda
commit cd0113a287
1 changed files with 6 additions and 7 deletions

View File

@ -260,7 +260,6 @@ class Issue < ActiveRecord::Base
safe_attributes 'tracker_id', safe_attributes 'tracker_id',
'status_id', 'status_id',
'parent_issue_id',
'category_id', 'category_id',
'assigned_to_id', 'assigned_to_id',
'priority_id', 'priority_id',
@ -291,6 +290,10 @@ class Issue < ActiveRecord::Base
(issue.author == user && user.allowed_to?(:set_own_issues_private, issue.project)) (issue.author == user && user.allowed_to?(:set_own_issues_private, issue.project))
} }
safe_attributes 'parent_issue_id',
:if => lambda {|issue, user| (issue.new_record? || user.allowed_to?(:edit_issues, issue.project)) &&
user.allowed_to?(:manage_subtasks, issue.project)}
# Safely sets attributes # Safely sets attributes
# Should be called from controllers instead of #attributes= # Should be called from controllers instead of #attributes=
# attr_accessible is too rough because we still want things like # attr_accessible is too rough because we still want things like
@ -318,13 +321,9 @@ class Issue < ActiveRecord::Base
attrs.reject! {|k,v| %w(priority_id done_ratio start_date due_date estimated_hours).include?(k)} attrs.reject! {|k,v| %w(priority_id done_ratio start_date due_date estimated_hours).include?(k)}
end end
if attrs.has_key?('parent_issue_id') if attrs['parent_issue_id'].present?
if !user.allowed_to?(:manage_subtasks, project)
attrs.delete('parent_issue_id')
elsif !attrs['parent_issue_id'].blank?
attrs.delete('parent_issue_id') unless Issue.visible(user).exists?(attrs['parent_issue_id'].to_i) attrs.delete('parent_issue_id') unless Issue.visible(user).exists?(attrs['parent_issue_id'].to_i)
end end
end
# mass-assignment security bypass # mass-assignment security bypass
self.send :attributes=, attrs, false self.send :attributes=, attrs, false