Prevent mass-assignment vulnerability when adding/updating a version (#922).
This commit is contained in:
parent
a3f6b30e99
commit
fc5dfd5813
|
@ -56,7 +56,7 @@ class VersionsController < ApplicationController
|
|||
if params[:version]
|
||||
attributes = params[:version].dup
|
||||
attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
|
||||
@version.attributes = attributes
|
||||
@version.safe_attributes = attributes
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -66,7 +66,7 @@ class VersionsController < ApplicationController
|
|||
if params[:version]
|
||||
attributes = params[:version].dup
|
||||
attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
|
||||
@version.attributes = attributes
|
||||
@version.safe_attributes = attributes
|
||||
end
|
||||
|
||||
if request.post?
|
||||
|
@ -101,7 +101,8 @@ class VersionsController < ApplicationController
|
|||
if request.put? && params[:version]
|
||||
attributes = params[:version].dup
|
||||
attributes.delete('sharing') unless @version.allowed_sharings.include?(attributes['sharing'])
|
||||
if @version.update_attributes(attributes)
|
||||
@version.safe_attributes = attributes
|
||||
if @version.save
|
||||
flash[:notice] = l(:notice_successful_update)
|
||||
redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project
|
||||
else
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
#++
|
||||
|
||||
class Version < ActiveRecord::Base
|
||||
include Redmine::SafeAttributes
|
||||
after_update :update_issues_from_sharing_change
|
||||
belongs_to :project
|
||||
has_many :fixed_issues, :class_name => 'Issue', :foreign_key => 'fixed_version_id', :dependent => :nullify
|
||||
|
@ -34,6 +35,15 @@ class Version < ActiveRecord::Base
|
|||
named_scope :visible, lambda {|*args| { :include => :project,
|
||||
:conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
|
||||
|
||||
safe_attributes 'name',
|
||||
'description',
|
||||
'effective_date',
|
||||
'due_date',
|
||||
'wiki_page_title',
|
||||
'status',
|
||||
'sharing',
|
||||
'custom_field_values'
|
||||
|
||||
# Returns true if +user+ or current user is allowed to view the version
|
||||
def visible?(user=User.current)
|
||||
user.allowed_to?(:view_issues, self.project)
|
||||
|
|
Loading…
Reference in New Issue