diff --git a/app/controllers/my_controller.rb b/app/controllers/my_controller.rb
index 46747b33..e552caa1 100644
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -53,7 +53,7 @@ class MyController < ApplicationController
     @user = User.current
     @pref = @user.pref
     if request.post?
-      @user.attributes = params[:user]
+      @user.safe_attributes = params[:user]
       @user.mail_notification = params[:notification_option] || 'only_my_events'
       @user.pref.attributes = params[:pref]
       @user.pref[:no_self_notified] = (params[:no_self_notified] == '1')
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 1c982ac2..7a4c7121 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -72,7 +72,8 @@ class ProjectsController < ApplicationController
   def create
     @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
     @trackers = Tracker.all
-    @project = Project.new(params[:project])
+    @project = Project.new
+    @project.safe_attributes = params[:project]
     @project.enabled_module_names = params[:enabled_modules] if params[:enabled_modules]
 
     if validate_parent_id && @project.save
@@ -115,7 +116,8 @@ class ProjectsController < ApplicationController
       end
     else
       Mailer.with_deliveries(params[:notifications] == '1') do
-        @project = Project.new(params[:project])
+        @project = Project.new
+        @project.safe_attributes = params[:project]
         @project.enabled_module_names = params[:enabled_modules]
         if validate_parent_id && @project.copy(@source_project, :only => params[:only])
           @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
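Review bot: `@user.pref.attributes = params[:pref]` on the context line just below the changed line is still a plain mass assignment of request parameters onto the preference object, so the hardening applied to `@user` stops one line short. Unless UserPreference is protected elsewhere, the same treatment is wanted here — `@user.pref.safe_attributes = params[:pref]` once that model includes Redmine::SafeAttributes, or explicit per-key assignment of the preference fields the form is allowed to set. The enclosing action starts and ends outside the hunk.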
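Review bot: `@project.safe_attributes = params[:project]` passes no acting user, so which keys are accepted presumably depends on a default such as User.current being set by the request cycle; that dependency is worth stating at this first call site, e.g. `# safe_attributes= filters params against the current user's permissions; parent_id is deliberately not in the safe list and is applied via set_allowed_parent! after the permission check`. The same two-line pattern appears in the copy action (the hunk at -115), in `update`, and in UsersController#create, so one comment at the first occurrence is enough. If `params[:project]` can ever be absent, it is also worth confirming that `safe_attributes=` tolerates nil, since `Project.new(nil)` did. `create` continues past the end of the hunk.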
@@ -181,7 +183,7 @@ class ProjectsController < ApplicationController
   end
 
   def update
-    @project.attributes = params[:project]
+    @project.safe_attributes = params[:project]
     if validate_parent_id && @project.save
       @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
       respond_to do |format|
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 69ffcf2c..07c807ce 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -97,7 +97,8 @@ class UsersController < ApplicationController
     @notification_options = User::MAIL_NOTIFICATION_OPTIONS
     @notification_option = Setting.default_notification_option
 
-    @user = User.new(params[:user])
+    @user = User.new
+    @user.safe_attributes = params[:user]
     @user.admin = params[:user][:admin] || false
     @user.login = params[:user][:login]
     @user.password, @user.password_confirmation = params[:password], params[:password_confirmation] unless @user.auth_source_id
@@ -155,7 +156,7 @@ class UsersController < ApplicationController
       @user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
     end
     @user.group_ids = params[:user][:group_ids] if params[:user][:group_ids]
-    @user.attributes = params[:user]
+    @user.safe_attributes = params[:user]
     # Was the account actived ? (do it before User#save clears the change)
     was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])
     # TODO: Similar to My#account
diff --git a/app/models/project.rb b/app/models/project.rb
index 99a4a498..29a750fe 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class Project < ActiveRecord::Base
+  include Redmine::SafeAttributes
+
   # Project statuses
   STATUS_ACTIVE = 1
   STATUS_ARCHIVED = 9
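Review bot: `@user.login = params[:user][:login]` on the line after the new `safe_attributes=` call is now redundant, because 'login' is in the unconditional safe list this commit adds to User; either drop it or comment why it is kept. `@user.admin = params[:user][:admin] || false` is then the only path by which `admin` is set, which is the right outcome given it is not a safe attribute — a comment such as `# admin is intentionally excluded from safe_attributes and is set only here` would keep a later maintainer from adding it to the list. The action continues outside the hunk.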
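Review bot: The activation check `was_activated = (@user.status_change == [...])` two lines below now depends on `status` getting through `safe_attributes=`, which the User model gates with `current_user.admin?`; since no user is passed here, that gate is evaluated against whatever default the helper uses (presumably User.current). If that default is ever not an admin, `status` is silently left unchanged and `was_activated` is false, so a comment like `# status is only safe-assignable for admins (see User.safe_attributes); other callers will not trigger activation` would make the dependency explicit. The action begins and ends outside the hunk.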
@@ -520,6 +522,15 @@ class Project < ActiveRecord::Base
   def enabled_module_names
     enabled_modules.collect(&:name)
   end
+
+  safe_attributes 'name',
+    'description',
+    'homepage',
+    'is_public',
+    'identifier',
+    'custom_field_values',
+    'custom_fields',
+    'tracker_ids'
 
   # Returns an array of projects that are in this project's hierarchy
   #
diff --git a/app/models/user.rb b/app/models/user.rb
index a4363193..b039ba0b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -18,7 +18,8 @@ require "digest/sha1"
 
 class User < Principal
-
+  include Redmine::SafeAttributes
+
   # Account statuses
   STATUS_ANONYMOUS = 0
   STATUS_ACTIVE = 1
@@ -390,6 +391,20 @@ class User < Principal
   def allowed_to_globally?(action, options)
     allowed_to?(action, nil, options.reverse_merge(:global => true))
   end
+
+  safe_attributes 'login',
+    'firstname',
+    'lastname',
+    'mail',
+    'mail_notification',
+    'language',
+    'custom_field_values',
+    'custom_fields',
+    'identity_url'
+
+  safe_attributes 'status',
+    'auth_source_id',
+    :if => lambda {|user, current_user| current_user.admin?}
 
   # Utility method to help check if a user should be notified about an
   # event.
diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb
index 3cd7c3db..5392ffb1 100644
--- a/test/functional/projects_controller_test.rb
+++ b/test/functional/projects_controller_test.rb
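Review bot: `'identifier'` sits in the unconditional safe list, and the same list serves `ProjectsController#update` as well as `create`; if a project's identifier is meant to be fixed after creation, that now rests on a guard elsewhere in the model (not visible here) rather than on this list, and an `:if => lambda {|project, user| project.new_record?}` clause or a comment naming where the guard lives would document it. It would also help to record why `parent_id` is missing, since a reader may otherwise "fix" the omission: `# parent_id is intentionally not safe-assignable; it is set via set_allowed_parent! after the permission check`. The class continues outside the hunk.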
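Review bot: The `:if` lambda for `'status'` and `'auth_source_id'` calls `current_user.admin?` with no nil guard, so if the acting user is ever passed as nil rather than an anonymous-user object the check raises instead of denying; either `current_user && current_user.admin?` or a comment stating that callers always supply a user object would settle it. The first lambda parameter is unused — `_user` would signal that. A one-line comment on why these two are gated would also help: `# status and auth_source_id control whether and how an account can log in; only admins may mass-assign them`.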
@@ -144,19 +144,27 @@ class ProjectsControllerTest < ActionController::TestCase
       end
 
       should "create a new project" do
-        post :create, :project => { :name => "blog",
-                                    :description => "weblog",
-                                    :identifier => "blog",
-                                    :is_public => 1,
-                                    :custom_field_values => { '3' => 'Beta' }
-                                   }
+        post :create,
+          :project => {
+            :name => "blog",
+            :description => "weblog",
+            :homepage => 'http://weblog',
+            :identifier => "blog",
+            :is_public => 1,
+            :custom_field_values => { '3' => 'Beta' },
+            :tracker_ids => ['1', '3']
+          }
 
         assert_redirected_to '/projects/blog/settings'
         project = Project.find_by_name('blog')
         assert_kind_of Project, project
+        assert project.active?
         assert_equal 'weblog', project.description
+        assert_equal 'http://weblog', project.homepage
         assert_equal true, project.is_public?
         assert_nil project.parent
+        assert_equal 'Beta', project.custom_value_for(3).value
+        assert_equal [1, 3], project.trackers.map(&:id).sort
       end
 
       should "create a new subproject" do
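Review bot: The new assertions only cover keys that are on Project's safe list, so nothing in this hunk verifies the behaviour the commit actually introduces — that a key outside the list is dropped rather than applied. A companion test posting an unlisted column and asserting it did not take effect would pin that down; `status` is a natural candidate because the STATUS_* constants and `project.active?` are already in use (this assumes `status` is the backing column, which the constants suggest but the page does not show). The `should` block is complete within the hunk.
```ruby
      should "ignore attributes outside the safe list" do
        post :create,
          :project => {
            :name => "blog",
            :identifier => "blog",
            :status => Project::STATUS_ARCHIVED
          }
        project = Project.find_by_name('blog')
        assert_kind_of Project, project
        # status is not safe-assignable, so the project must keep its default
        assert project.active?
      end
```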