From 384890c5adbb7abf2a2df14f56fa4f30b3e70845 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Tue, 6 Mar 2012 19:39:37 +0000
Subject: [PATCH] Prevent mass-assignment vulnerability when adding a project
 member (#922).

---
 app/controllers/members_controller.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/controllers/members_controller.rb b/app/controllers/members_controller.rb
index bfea327f..8fc508f3 100644
--- a/app/controllers/members_controller.rb
+++ b/app/controllers/members_controller.rb
@@ -21,17 +21,19 @@ class MembersController < ApplicationController
 
   def new
     members = []
-    if params[:member] && request.post?
-      attrs = params[:member].dup
-      if (user_ids = attrs.delete(:user_ids))
+    if params[:member]
+      if params[:member][:user_ids]
+        attrs = params[:member].dup
+        user_ids = attrs.delete(:user_ids)
         user_ids.each do |user_id|
-          members << Member.new(attrs.merge(:user_id => user_id))
+          members << Member.new(:role_ids => params[:member][:role_ids], :user_id => user_id)
         end
       else
-        members << Member.new(attrs)
+        members << Member.new(:role_ids => params[:member][:role_ids], :user_id => params[:member][:user_id])
       end
       @project.members << members
     end
+
     respond_to do |format|
       if members.present? && members.all? {|m| m.valid? }