Prevent mass-assignment vulnerability when adding/updating a news (#922).

app/controllers/news_controller.rb

@@ -59,14 +59,12 @@ class NewsController < ApplicationController
 
   def create
     @news = News.new(:project => @project, :author => User.current)
-    if request.post?
+    @news.safe_attributes = params[:news]
-      @news.attributes = params[:news]
+    if @news.save
-      if @news.save
+      flash[:notice] = l(:notice_successful_create)
-        flash[:notice] = l(:notice_successful_create)
+      redirect_to :controller => 'news', :action => 'index', :project_id => @project
-        redirect_to :controller => 'news', :action => 'index', :project_id => @project
+    else
-      else
+      render :action => 'new'
-        render :action => 'new'
-      end
     end
   end
 
@@ -74,7 +72,8 @@ class NewsController < ApplicationController
   end
 
   def update
-    if request.put? and @news.update_attributes(params[:news])
+    @news.safe_attributes = params[:news]
+    if @news.save
       flash[:notice] = l(:notice_successful_update)
       redirect_to :action => 'show', :id => @news
     else

app/models/news.rb

@@ -13,6 +13,7 @@
 #++
 
 class News < ActiveRecord::Base
+  include Redmine::SafeAttributes
   belongs_to :project
   belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
   has_many :comments, :as => :commented, :dependent => :delete_all, :order => "created_on"
@@ -33,6 +34,8 @@ class News < ActiveRecord::Base
     :conditions => Project.allowed_to_condition(args.first || User.current, :view_news)
   }}
 
+  safe_attributes 'title', 'summary', 'description'
+
   def visible?(user=User.current)
     !user.nil? && user.allowed_to?(:view_news, project)
   end