Prevent mass-assignment vulnerability when adding/updating a document (#922).

Conflicts:

	app/controllers/documents_controller.rb
This commit is contained in:
Jean-Philippe Lang 2012-03-06 18:54:41 +00:00 committed by Holger Just
parent ad996d7839
commit c651ba1a98
2 changed files with 19 additions and 0 deletions

View File

@ -43,12 +43,28 @@ class DocumentsController < ApplicationController
end
def new
<<<<<<< HEAD
@document = @project.documents.build(params[:document])
if request.post? and @document.save
attachments = Attachment.attach_files(@document, params[:attachments])
render_attachment_warning_if_needed(@document)
flash[:notice] = l(:notice_successful_create)
redirect_to :action => 'index', :project_id => @project
=======
@document = @project.documents.build
@document.safe_attributes = params[:document]
if request.post?
if User.current.allowed_to?(:add_document_watchers, @project) && params[:document]['watcher_user_ids'].present?
@document.watcher_user_ids = params[:document]['watcher_user_ids']
end
if @document.save
attachments = Attachment.attach_files(@document, params[:attachments])
render_attachment_warning_if_needed(@document)
flash[:notice] = l(:notice_successful_create)
redirect_to :action => 'index', :project_id => @project
end
>>>>>>> edaf457... Prevent mass-assignment vulnerability when adding/updating a document (#922).
end
end

View File

@ -13,6 +13,7 @@
#++
class Document < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
acts_as_attachable :delete_permission => :manage_documents
@ -31,6 +32,8 @@ class Document < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => :project,
:conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) } }
safe_attributes 'category_id', 'title', 'description'
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_documents, project)
end