Prevent mass-assignment vulnerability when adding/updating a document (#922).
Conflicts: app/controllers/documents_controller.rb
parent
ad996d7839
commit
c651ba1a98
|
@ -43,12 +43,28 @@ class DocumentsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def new
|
def new
|
||||||
|
<<<<<<< HEAD
|
||||||
@document = @project.documents.build(params[:document])
|
@document = @project.documents.build(params[:document])
|
||||||
if request.post? and @document.save
|
if request.post? and @document.save
|
||||||
attachments = Attachment.attach_files(@document, params[:attachments])
|
attachments = Attachment.attach_files(@document, params[:attachments])
|
||||||
render_attachment_warning_if_needed(@document)
|
render_attachment_warning_if_needed(@document)
|
||||||
flash[:notice] = l(:notice_successful_create)
|
flash[:notice] = l(:notice_successful_create)
|
||||||
redirect_to :action => 'index', :project_id => @project
|
redirect_to :action => 'index', :project_id => @project
|
||||||
|
=======
|
||||||
|
@document = @project.documents.build
|
||||||
|
@document.safe_attributes = params[:document]
|
||||||
|
if request.post?
|
||||||
|
if User.current.allowed_to?(:add_document_watchers, @project) && params[:document]['watcher_user_ids'].present?
|
||||||
|
@document.watcher_user_ids = params[:document]['watcher_user_ids']
|
||||||
|
end
|
||||||
|
|
||||||
|
if @document.save
|
||||||
|
attachments = Attachment.attach_files(@document, params[:attachments])
|
||||||
|
render_attachment_warning_if_needed(@document)
|
||||||
|
flash[:notice] = l(:notice_successful_create)
|
||||||
|
redirect_to :action => 'index', :project_id => @project
|
||||||
|
end
|
||||||
|
>>>>>>> edaf457... Prevent mass-assignment vulnerability when adding/updating a document (#922).
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
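Review bot: The new side of `new` commits the merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> edaf457...`) together with both sides of the conflict, so the mass-assigning `@document = @project.documents.build(params[:document])` is still in the file and the controller will not parse as Ruby. The hunk header counts (12 old lines, 28 new) show that nothing was removed. The resolution should delete the HEAD side and the three marker lines, keeping only the `build` followed by `@document.safe_attributes = params[:document]` version. In the kept branch, `params[:document]['watcher_user_ids']` is dereferenced for any POST from a user allowed to add watchers, so a request without a `document` parameter would raise on nil; `params[:document] && params[:document]['watcher_user_ids'].present?` avoids that. The commit title also mentions updating, but no hunk for the update path is visible on this page, so it is worth confirming that it no longer passes `params[:document]` straight to the model.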
@ -13,6 +13,7 @@
|
||||||
#++
|
#++
|
||||||
|
|
||||||
class Document < ActiveRecord::Base
|
class Document < ActiveRecord::Base
|
||||||
|
include Redmine::SafeAttributes
|
||||||
belongs_to :project
|
belongs_to :project
|
||||||
belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
|
belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
|
||||||
acts_as_attachable :delete_permission => :manage_documents
|
acts_as_attachable :delete_permission => :manage_documents
|
||||||
|
@ -31,6 +32,8 @@ class Document < ActiveRecord::Base
|
||||||
named_scope :visible, lambda {|*args| { :include => :project,
|
named_scope :visible, lambda {|*args| { :include => :project,
|
||||||
:conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) } }
|
:conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) } }
|
||||||
|
|
||||||
|
safe_attributes 'category_id', 'title', 'description'
|
||||||
|
|
||||||
def visible?(user=User.current)
|
def visible?(user=User.current)
|
||||||
!user.nil? && user.allowed_to?(:view_documents, project)
|
!user.nil? && user.allowed_to?(:view_documents, project)
|
||||||
end
|
end
|
||||||
|
|
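Review bot: The `safe_attributes 'category_id', 'title', 'description'` line has no comment saying that it is the allow-list for request-supplied attributes, or why `watcher_user_ids` and `project_id` are left out of it. The list only takes effect where a caller assigns through `safe_attributes=`; a caller that still uses `build(params[:document])` or plain attribute assignment bypasses it, as the HEAD side left in the controller does. I would add a comment above the declaration such as `# Attributes assignable from request params via safe_attributes=; watcher_user_ids is set separately by the controller after an :add_document_watchers check.` No `attr_protected` or `attr_accessible` declaration is visible in these hunks, so the model itself presumably does not reject unlisted attributes; that should be checked against the rest of the class.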