Prevent mass-assignment vulnerability when adding/updating a document (#922).

2012-03-06 18:54:41 +00:00 · 2012-03-06 18:54:41 +00:00 · 7505cb2ff0
parent 2eeb4b13a6
commit 7505cb2ff0
2 changed files with 5 additions and 1 deletions
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@ -43,7 +43,8 @@ class DocumentsController < ApplicationController
  end

  def new
-    @document = @project.documents.build(params[:document])
+    @document = @project.documents.build
+    @document.safe_attributes = params[:document]
    if request.post?
      if User.current.allowed_to?(:add_document_watchers, @project) && params[:document]['watcher_user_ids'].present?
        @document.watcher_user_ids = params[:document]['watcher_user_ids']
--- a/app/models/document.rb
+++ b/app/models/document.rb
@ -13,6 +13,7 @@
 #++

 class Document < ActiveRecord::Base
+  include Redmine::SafeAttributes
  belongs_to :project
  belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
  acts_as_attachable :delete_permission => :manage_documents
@ -32,6 +33,8 @@ class Document < ActiveRecord::Base
  named_scope :visible, lambda {|*args| { :include => :project,
                                          :conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) } }

+  safe_attributes 'category_id', 'title', 'description'
+
  def visible?(user=User.current)
    !user.nil? && user.allowed_to?(:view_documents, project)
  end