Prevent mass-assignment vulnerability when adding/updating a wiki (#922).
This commit is contained in:
parent
fc5dfd5813
commit
275163ead2
|
@ -19,7 +19,7 @@ class WikisController < ApplicationController
|
|||
# Create or update a project's wiki
|
||||
def edit
|
||||
@wiki = @project.wiki || Wiki.new(:project => @project)
|
||||
@wiki.attributes = params[:wiki]
|
||||
@wiki.safe_attributes = params[:wiki]
|
||||
@wiki.save if request.post?
|
||||
render(:update) {|page| page.replace_html "tab-content-wiki", :partial => 'projects/settings/wiki'}
|
||||
end
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
#++
|
||||
|
||||
class Wiki < ActiveRecord::Base
|
||||
include Redmine::SafeAttributes
|
||||
belongs_to :project
|
||||
has_many :pages, :class_name => 'WikiPage', :dependent => :destroy, :order => 'title'
|
||||
has_many :redirects, :class_name => 'WikiRedirect', :dependent => :delete_all
|
||||
|
@ -22,6 +23,8 @@ class Wiki < ActiveRecord::Base
|
|||
validates_presence_of :start_page
|
||||
validates_format_of :start_page, :with => /^[^,\.\/\?\;\|\:]*$/
|
||||
|
||||
safe_attributes 'start_page'
|
||||
|
||||
def visible?(user=User.current)
|
||||
!user.nil? && user.allowed_to?(:view_wiki_pages, project)
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue