kolan
/
obsolete.ChilliProject
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Prevent mass-assignment vulnerability when adding a project member (#922).

This commit is contained in:
Jean-Philippe Lang 2012-03-06 19:39:37 +00:00 committed by Holger Just
parent e77cb6133d
commit 384890c5ad
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
app/controllers/members_controller.rb
View File

@ -21,17 +21,19 @@ class MembersController < ApplicationController
def new def new
members = [] members = []
if params[:member] && request.post? if params[:member]
attrs = params[:member].dup if params[:member][:user_ids]
if (user_ids = attrs.delete(:user_ids)) attrs = params[:member].dup
user_ids = attrs.delete(:user_ids)
user_ids.each do |user_id| user_ids.each do |user_id|
members << Member.new(attrs.merge(:user_id => user_id)) members << Member.new(:role_ids => params[:member][:role_ids], :user_id => user_id)
end end
else else
members << Member.new(attrs) members << Member.new(:role_ids => params[:member][:role_ids], :user_id => params[:member][:user_id])
end end
@project.members << members @project.members << members
end end
respond_to do |format| respond_to do |format|
if members.present? && members.all? {|m| m.valid? } if members.present? && members.all? {|m| m.valid? }