Use safe_attributes for issue watchers assignment.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8197 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
4c469f9646
commit
e1f885feda
|
@ -312,12 +312,8 @@ private
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
@issue.start_date ||= Date.today if Setting.default_issue_start_date_to_creation_date?
|
@issue.start_date ||= Date.today if Setting.default_issue_start_date_to_creation_date?
|
||||||
if params[:issue].is_a?(Hash)
|
|
||||||
@issue.safe_attributes = params[:issue]
|
@issue.safe_attributes = params[:issue]
|
||||||
if User.current.allowed_to?(:add_issue_watchers, @project) && @issue.new_record?
|
|
||||||
@issue.watcher_user_ids = params[:issue]['watcher_user_ids']
|
|
||||||
end
|
|
||||||
end
|
|
||||||
@priorities = IssuePriority.active
|
@priorities = IssuePriority.active
|
||||||
@allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
|
@allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
|
||||||
end
|
end
|
||||||
|
|
|
@ -282,6 +282,9 @@ class Issue < ActiveRecord::Base
|
||||||
'done_ratio',
|
'done_ratio',
|
||||||
:if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
|
:if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
|
||||||
|
|
||||||
|
safe_attributes 'watcher_user_ids',
|
||||||
|
:if => lambda {|issue, user| issue.new_record? && user.allowed_to?(:add_issue_watchers, issue.project)}
|
||||||
|
|
||||||
safe_attributes 'is_private',
|
safe_attributes 'is_private',
|
||||||
:if => lambda {|issue, user|
|
:if => lambda {|issue, user|
|
||||||
user.allowed_to?(:set_issues_private, issue.project) ||
|
user.allowed_to?(:set_issues_private, issue.project) ||
|
||||||
|
@ -323,7 +326,8 @@ class Issue < ActiveRecord::Base
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
self.attributes = attrs
|
# mass-assignment security bypass
|
||||||
|
self.send :attributes=, attrs, false
|
||||||
end
|
end
|
||||||
|
|
||||||
def done_ratio
|
def done_ratio
|
||||||
|
|
Loading…
Reference in New Issue