Prevent mass-assignment vulnerability when adding/updating a time entry (#922).

This commit is contained in:
Jean-Philippe Lang 2012-03-06 20:23:00 +00:00 committed by Holger Just
parent 5de377c5ee
commit a3f6b30e99
2 changed files with 7 additions and 4 deletions

View File

@ -97,7 +97,7 @@ class TimelogController < ApplicationController
def new
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
render :action => 'edit'
@ -106,7 +106,7 @@ class TimelogController < ApplicationController
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
@ -127,14 +127,14 @@ class TimelogController < ApplicationController
end
def edit
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
end
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
def update
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })

View File

@ -13,6 +13,7 @@
#++
class TimeEntry < ActiveRecord::Base
include Redmine::SafeAttributes
# could have used polymorphic association
# project association here allows easy loading of time entries at project level with one database trip
belongs_to :project
@ -37,6 +38,8 @@ class TimeEntry < ActiveRecord::Base
:conditions => Project.allowed_to_condition(args.first || User.current, :view_time_entries)
}}
safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values'
def after_initialize
if new_record? && self.activity.nil?
if default_activity = TimeEntryActivity.default