kolan
/
obsolete.ChilliProject
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Declare safe attributes for User and Projects models. 

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4492 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2010-12-12 13:19:07 +00:00
parent 3409333522
commit a4d7a99c22
6 changed files with 50 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/my_controller.rb
View File

@ -53,7 +53,7 @@ class MyController < ApplicationController
@user = User.current @user = User.current
@pref = @user.pref @pref = @user.pref
if request.post? if request.post?
@user.attributes = params[:user] @user.safe_attributes = params[:user]
@user.mail_notification = params[:notification_option] || 'only_my_events' @user.mail_notification = params[:notification_option] || 'only_my_events'
@user.pref.attributes = params[:pref] @user.pref.attributes = params[:pref]
@user.pref[:no_self_notified] = (params[:no_self_notified] == '1') @user.pref[:no_self_notified] = (params[:no_self_notified] == '1')

8
app/controllers/projects_controller.rb
View File

@ -72,7 +72,8 @@ class ProjectsController < ApplicationController
def create def create
@issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position") @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
@trackers = Tracker.all @trackers = Tracker.all
@project = Project.new(params[:project]) @project = Project.new
@project.safe_attributes = params[:project]
@project.enabled_module_names = params[:enabled_modules] if params[:enabled_modules] @project.enabled_module_names = params[:enabled_modules] if params[:enabled_modules]
if validate_parent_id && @project.save if validate_parent_id && @project.save
@ -115,7 +116,8 @@ class ProjectsController < ApplicationController
end end
else else
Mailer.with_deliveries(params[:notifications] == '1') do Mailer.with_deliveries(params[:notifications] == '1') do
@project = Project.new(params[:project]) @project = Project.new
@project.safe_attributes = params[:project]
@project.enabled_module_names = params[:enabled_modules] @project.enabled_module_names = params[:enabled_modules]
if validate_parent_id && @project.copy(@source_project, :only => params[:only]) if validate_parent_id && @project.copy(@source_project, :only => params[:only])
@project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id') @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
@ -181,7 +183,7 @@ class ProjectsController < ApplicationController
end end
def update def update
@project.attributes = params[:project] @project.safe_attributes = params[:project]
if validate_parent_id && @project.save if validate_parent_id && @project.save
@project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id') @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
respond_to do |format| respond_to do |format|

5
app/controllers/users_controller.rb
View File

@ -97,7 +97,8 @@ class UsersController < ApplicationController
@notification_options = User::MAIL_NOTIFICATION_OPTIONS @notification_options = User::MAIL_NOTIFICATION_OPTIONS
@notification_option = Setting.default_notification_option @notification_option = Setting.default_notification_option
@user = User.new(params[:user]) @user = User.new
@user.safe_attributes = params[:user]
@user.admin = params[:user][:admin] || false @user.admin = params[:user][:admin] || false
@user.login = params[:user][:login] @user.login = params[:user][:login]
@user.password, @user.password_confirmation = params[:password], params[:password_confirmation] unless @user.auth_source_id @user.password, @user.password_confirmation = params[:password], params[:password_confirmation] unless @user.auth_source_id
@ -155,7 +156,7 @@ class UsersController < ApplicationController
@user.password, @user.password_confirmation = params[:password], params[:password_confirmation] @user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
end end
@user.group_ids = params[:user][:group_ids] if params[:user][:group_ids] @user.group_ids = params[:user][:group_ids] if params[:user][:group_ids]
@user.attributes = params[:user] @user.safe_attributes = params[:user]
# Was the account actived ? (do it before User#save clears the change) # Was the account actived ? (do it before User#save clears the change)
was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE]) was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])
# TODO: Similar to My#account # TODO: Similar to My#account

11
app/models/project.rb
View File

@ -16,6 +16,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Project < ActiveRecord::Base class Project < ActiveRecord::Base
include Redmine::SafeAttributes
# Project statuses # Project statuses
STATUS_ACTIVE = 1 STATUS_ACTIVE = 1
STATUS_ARCHIVED = 9 STATUS_ARCHIVED = 9
@ -520,6 +522,15 @@ class Project < ActiveRecord::Base
def enabled_module_names def enabled_module_names
enabled_modules.collect(&:name) enabled_modules.collect(&:name)
end end
safe_attributes 'name',
'description',
'homepage',
'is_public',
'identifier',
'custom_field_values',
'custom_fields',
'tracker_ids'
# Returns an array of projects that are in this project's hierarchy # Returns an array of projects that are in this project's hierarchy
# #

17
app/models/user.rb
View File

@ -18,7 +18,8 @@
require "digest/sha1" require "digest/sha1"
class User < Principal class User < Principal
include Redmine::SafeAttributes
# Account statuses # Account statuses
STATUS_ANONYMOUS = 0 STATUS_ANONYMOUS = 0
STATUS_ACTIVE = 1 STATUS_ACTIVE = 1
@ -390,6 +391,20 @@ class User < Principal
def allowed_to_globally?(action, options) def allowed_to_globally?(action, options)
allowed_to?(action, nil, options.reverse_merge(:global => true)) allowed_to?(action, nil, options.reverse_merge(:global => true))
end end
safe_attributes 'login',
'firstname',
'lastname',
'mail',
'mail_notification',
'language',
'custom_field_values',
'custom_fields',
'identity_url'
safe_attributes 'status',
'auth_source_id',
:if => lambda {|user, current_user| current_user.admin?}
# Utility method to help check if a user should be notified about an # Utility method to help check if a user should be notified about an
# event. # event.

20
test/functional/projects_controller_test.rb
View File

@ -144,19 +144,27 @@ class ProjectsControllerTest < ActionController::TestCase
end end
should "create a new project" do should "create a new project" do
post :create, :project => { :name => "blog", post :create,
:description => "weblog", :project => {
:identifier => "blog", :name => "blog",
:is_public => 1, :description => "weblog",
:custom_field_values => { '3' => 'Beta' } :homepage => 'http://weblog',
} :identifier => "blog",
:is_public => 1,
:custom_field_values => { '3' => 'Beta' },
:tracker_ids => ['1', '3']
}
assert_redirected_to '/projects/blog/settings' assert_redirected_to '/projects/blog/settings'
project = Project.find_by_name('blog') project = Project.find_by_name('blog')
assert_kind_of Project, project assert_kind_of Project, project
assert project.active?
assert_equal 'weblog', project.description assert_equal 'weblog', project.description
assert_equal 'http://weblog', project.homepage
assert_equal true, project.is_public? assert_equal true, project.is_public?
assert_nil project.parent assert_nil project.parent
assert_equal 'Beta', project.custom_value_for(3).value
assert_equal [1, 3], project.trackers.map(&:id).sort
end end
should "create a new subproject" do should "create a new subproject" do