Use safe_attributes for issue watchers assignment.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8197 e93f8b46-1217-0410-a6f0-8f06a7374b81
2011-12-13 19:50:44 +00:00 · 2011-12-13 19:50:44 +00:00 · e1f885feda
parent 4c469f9646
commit e1f885feda
2 changed files with 7 additions and 7 deletions
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@ -312,12 +312,8 @@ private
      return false
    end
    @issue.start_date ||= Date.today if Setting.default_issue_start_date_to_creation_date?
-    if params[:issue].is_a?(Hash)
-      @issue.safe_attributes = params[:issue]
-      if User.current.allowed_to?(:add_issue_watchers, @project) && @issue.new_record?
-        @issue.watcher_user_ids = params[:issue]['watcher_user_ids']
-      end
-    end
+    @issue.safe_attributes = params[:issue]
+
    @priorities = IssuePriority.active
    @allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
  end
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@ -282,6 +282,9 @@ class Issue < ActiveRecord::Base
    'done_ratio',
    :if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }

+  safe_attributes 'watcher_user_ids',
+    :if => lambda {|issue, user| issue.new_record? && user.allowed_to?(:add_issue_watchers, issue.project)} 
+
  safe_attributes 'is_private',
    :if => lambda {|issue, user|
      user.allowed_to?(:set_issues_private, issue.project) ||
@ -323,7 +326,8 @@ class Issue < ActiveRecord::Base
      end
    end

-    self.attributes = attrs
+    # mass-assignment security bypass
+    self.send :attributes=, attrs, false
  end

  def done_ratio