From c651ba1a98ad09c4d60dc8f3065c181dfa8a4bd4 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Tue, 6 Mar 2012 18:54:41 +0000
Subject: [PATCH] Prevent mass-assignment vulnerability when adding/updating a
 document (#922).

Conflicts:

	app/controllers/documents_controller.rb
---
 app/controllers/documents_controller.rb | 16 ++++++++++++++++
 app/models/document.rb                  |  3 +++
 2 files changed, 19 insertions(+)

diff --git a/app/controllers/documents_controller.rb b/app/controllers/documents_controller.rb
index 56bddc28..37b3efa9 100644
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@@ -43,12 +43,28 @@ class DocumentsController < ApplicationController
   end
 
   def new
+<<<<<<< HEAD
     @document = @project.documents.build(params[:document])
     if request.post? and @document.save
       attachments = Attachment.attach_files(@document, params[:attachments])
       render_attachment_warning_if_needed(@document)
       flash[:notice] = l(:notice_successful_create)
       redirect_to :action => 'index', :project_id => @project
+=======
+    @document = @project.documents.build
+    @document.safe_attributes = params[:document]
+    if request.post?
+      if User.current.allowed_to?(:add_document_watchers, @project) && params[:document]['watcher_user_ids'].present?
+        @document.watcher_user_ids = params[:document]['watcher_user_ids']
+      end
+
+      if @document.save
+        attachments = Attachment.attach_files(@document, params[:attachments])
+        render_attachment_warning_if_needed(@document)
+        flash[:notice] = l(:notice_successful_create)
+        redirect_to :action => 'index', :project_id => @project
+      end
+>>>>>>> edaf457... Prevent mass-assignment vulnerability when adding/updating a document (#922).
     end
   end
 
diff --git a/app/models/document.rb b/app/models/document.rb
index 7e17997c..1f9c0884 100644
--- a/app/models/document.rb
+++ b/app/models/document.rb
@@ -13,6 +13,7 @@
 #++
 
 class Document < ActiveRecord::Base
+  include Redmine::SafeAttributes
   belongs_to :project
   belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
   acts_as_attachable :delete_permission => :manage_documents
@@ -31,6 +32,8 @@ class Document < ActiveRecord::Base
   named_scope :visible, lambda {|*args| { :include => :project,
                                           :conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) } }
 
+  safe_attributes 'category_id', 'title', 'description'
+
   def visible?(user=User.current)
     !user.nil? && user.allowed_to?(:view_documents, project)
   end