Prevent mass-assignment vulnerability when adding a news comment (#922).

app/controllers/comments_controller.rb

@@ -21,7 +21,10 @@ class CommentsController < ApplicationController
 
   verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
   def create
-    @comment = Comment.new(params[:comment])
+    raise Unauthorized unless @news.commentable?
+
+    @comment = Comment.new
+    @comment.safe_attributes = params[:comment]
     @comment.author = User.current
     if @news.comments << @comment
       flash[:notice] = l(:label_comment_added)

app/models/comment.rb

@@ -13,8 +13,11 @@
 #++
 
 class Comment < ActiveRecord::Base
+  include Redmine::SafeAttributes
   belongs_to :commented, :polymorphic => true, :counter_cache => true
   belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
 
   validates_presence_of :commented, :author, :comments
+
+  safe_attributes 'comments'
 end

app/models/news.rb

@@ -37,6 +37,11 @@ class News < ActiveRecord::Base
     !user.nil? && user.allowed_to?(:view_news, project)
   end
 
+  # Returns true if the news can be commented by user
+  def commentable?(user=User.current)
+    user.allowed_to?(:comment_news, project)
+  end
+
   # returns latest news for projects visible by user
   def self.latest(user = User.current, count = 5)
     find(:all, :limit => count, :conditions => Project.allowed_to_condition(user, :view_news), :include => [ :author, :project ], :order => "#{News.table_name}.created_on DESC")