From f12b9fca08ab015037182bae94106ca70105771d Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Tue, 6 Mar 2012 19:39:37 +0000
Subject: [PATCH] Prevent mass-assignment vulnerability when adding a project member (#922).

---
 app/controllers/members_controller.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/controllers/members_controller.rb b/app/controllers/members_controller.rb
index bfea327f..8fc508f3 100644
--- a/app/controllers/members_controller.rb
+++ b/app/controllers/members_controller.rb
@@ -21,17 +21,19 @@ class MembersController < ApplicationController
   def new
     members = []
-    if params[:member] && request.post?
-      attrs = params[:member].dup
-      if (user_ids = attrs.delete(:user_ids))
+    if params[:member]
+      if params[:member][:user_ids]
+        attrs = params[:member].dup
+        user_ids = attrs.delete(:user_ids)
         user_ids.each do |user_id|
-          members << Member.new(attrs.merge(:user_id => user_id))
+          members << Member.new(:role_ids => params[:member][:role_ids], :user_id => user_id)
         end
       else
-        members << Member.new(attrs)
+        members << Member.new(:role_ids => params[:member][:role_ids], :user_id => params[:member][:user_id])
       end
       @project.members << members
     end
+
     respond_to do |format|
       if members.present? && members.all? {|m| m.valid? }