From 7505cb2ff06a57f40ae258d6a0bd2433323c6418 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Tue, 6 Mar 2012 18:54:41 +0000
Subject: [PATCH] Prevent mass-assignment vulnerability when adding/updating a
 document (#922).

---
 app/controllers/documents_controller.rb | 3 ++-
 app/models/document.rb                  | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/controllers/documents_controller.rb b/app/controllers/documents_controller.rb
index b0e35ad0..4356ea06 100644
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@@ -43,7 +43,8 @@ class DocumentsController < ApplicationController
   end
 
   def new
-    @document = @project.documents.build(params[:document])
+    @document = @project.documents.build
+    @document.safe_attributes = params[:document]
     if request.post?
       if User.current.allowed_to?(:add_document_watchers, @project) && params[:document]['watcher_user_ids'].present?
         @document.watcher_user_ids = params[:document]['watcher_user_ids']
diff --git a/app/models/document.rb b/app/models/document.rb
index 1438370f..14d9c10d 100644
--- a/app/models/document.rb
+++ b/app/models/document.rb
@@ -13,6 +13,7 @@
 #++
 
 class Document < ActiveRecord::Base
+  include Redmine::SafeAttributes
   belongs_to :project
   belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
   acts_as_attachable :delete_permission => :manage_documents
@@ -32,6 +33,8 @@ class Document < ActiveRecord::Base
   named_scope :visible, lambda {|*args| { :include => :project,
                                           :conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) } }
 
+  safe_attributes 'category_id', 'title', 'description'
+
   def visible?(user=User.current)
     !user.nil? && user.allowed_to?(:view_documents, project)
   end