Prevent mass-assignment vulnerability when adding/updating a time entry (#922).
This commit is contained in:
parent
5de377c5ee
commit
a3f6b30e99
|
@ -97,7 +97,7 @@ class TimelogController < ApplicationController
|
|||
|
||||
def new
|
||||
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
|
||||
@time_entry.attributes = params[:time_entry]
|
||||
@time_entry.safe_attributes = params[:time_entry]
|
||||
|
||||
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
|
||||
render :action => 'edit'
|
||||
|
@ -106,7 +106,7 @@ class TimelogController < ApplicationController
|
|||
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
|
||||
def create
|
||||
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
|
||||
@time_entry.attributes = params[:time_entry]
|
||||
@time_entry.safe_attributes = params[:time_entry]
|
||||
|
||||
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
|
||||
|
||||
|
@ -127,14 +127,14 @@ class TimelogController < ApplicationController
|
|||
end
|
||||
|
||||
def edit
|
||||
@time_entry.attributes = params[:time_entry]
|
||||
@time_entry.safe_attributes = params[:time_entry]
|
||||
|
||||
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
|
||||
end
|
||||
|
||||
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
|
||||
def update
|
||||
@time_entry.attributes = params[:time_entry]
|
||||
@time_entry.safe_attributes = params[:time_entry]
|
||||
|
||||
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
|
||||
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
#++
|
||||
|
||||
class TimeEntry < ActiveRecord::Base
|
||||
include Redmine::SafeAttributes
|
||||
# could have used polymorphic association
|
||||
# project association here allows easy loading of time entries at project level with one database trip
|
||||
belongs_to :project
|
||||
|
@ -37,6 +38,8 @@ class TimeEntry < ActiveRecord::Base
|
|||
:conditions => Project.allowed_to_condition(args.first || User.current, :view_time_entries)
|
||||
}}
|
||||
|
||||
safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values'
|
||||
|
||||
def after_initialize
|
||||
if new_record? && self.activity.nil?
|
||||
if default_activity = TimeEntryActivity.default
|
||||
|
|
Loading…
Reference in New Issue