Prevent mass-assignment when adding/updating a time entry (#10390)....
Jean-Philippe Lang -
r9016:1ec2d98c14bd
@@ -118,12 +118,12 class TimelogController < ApplicationController
118
118
119 def new
119 def new
120 @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
120 @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
121 @time_entry.attributes = params[:time_entry]
121 @time_entry.safe_attributes = params[:time_entry]
122 end
122 end
123
123
124 def create
124 def create
125 @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
125 @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
126 @time_entry.attributes = params[:time_entry]
126 @time_entry.safe_attributes = params[:time_entry]
127
127
128 call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
128 call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
129
129
@@ -152,11 +152,11 class TimelogController < ApplicationController
152 end
152 end
153
153
154 def edit
154 def edit
155 @time_entry.attributes = params[:time_entry]
155 @time_entry.safe_attributes = params[:time_entry]
156 end
156 end
157
157
158 def update
158 def update
159 @time_entry.attributes = params[:time_entry]
159 @time_entry.safe_attributes = params[:time_entry]
160
160
161 call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
161 call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
162
162
@@ -187,7 +187,7 class TimelogController < ApplicationController
187 unsaved_time_entry_ids = []
187 unsaved_time_entry_ids = []
188 @time_entries.each do |time_entry|
188 @time_entries.each do |time_entry|
189 time_entry.reload
189 time_entry.reload
190 time_entry.attributes = attributes
190 time_entry.safe_attributes = attributes
191 call_hook(:controller_time_entries_bulk_edit_before_save, { :params => params, :time_entry => time_entry })
191 call_hook(:controller_time_entries_bulk_edit_before_save, { :params => params, :time_entry => time_entry })
192 unless time_entry.save
192 unless time_entry.save
193 # Keep unsaved time_entry ids to display them in flash error
193 # Keep unsaved time_entry ids to display them in flash error
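Review bot: Nothing in `new`/`create` (new-side lines 121 and 126) records that `project`, `issue` and `user` must come from the `TimeEntry.new(...)` call on the line above and never from `params`, which is exactly what `safe_attributes=` now relies on; a one-line comment would make that contract survive a later refactor, e.g. `# project/issue/user are fixed from the route above; they are not in TimeEntry.safe_attributes, so params cannot override them`. The same applies to `edit`/`update` (new-side lines 155 and 159) and to the bulk loop in the third hunk, where `attributes` is built outside the hunk and how `@time_entry`/`@time_entries` are loaded and authorised is not visible here. Since `issue_id` stays mass-assignable, whether a model validation ties a reassigned issue to the entry's project should be confirmed in the model rather than assumed from this controller. The `call_hook` calls still receive the raw `params` hash, so plugin code hooked there is outside the whitelist — worth stating in the hook's documentation.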
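--- a/TIME_ENTRY_MODEL_PATH (placeholder: path not shown on page)
+++ b/TIME_ENTRY_MODEL_PATH (placeholder: path not shown on page)
@@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class TimeEntry < ActiveRecord::Base
+include Redmine::SafeAttributes
 # could have used polymorphic association
 # project association here allows easy loading of time entries at project level with one database trip
 belongs_to :project
@@ -65,6 +66,8 @@ class TimeEntry < ActiveRecord::Base
 end
 }
 
+safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values'
+
 def initialize(attributes=nil, *args)
 super
 if new_record? && self.activity.nil?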
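Review bot: The `safe_attributes` declaration on new-side line 69 is an unconditional allow-list with no note on what was deliberately left out, so a later maintainer could "complete" it by adding `project_id` or `user_id` and silently reopen the mass-assignment hole this commit closes. A comment above it would pin the intent, e.g. `# Attributes assignable from params. project, issue context and user are deliberately excluded and must be set by the controller.` The list also makes `custom_field_values` writable by every caller of `safe_attributes=`, so any per-field visibility rules for time-entry custom fields, if such rules exist, have to be enforced elsewhere — not visible in this hunk. Likewise, whether a validation checks that an assigned `issue_id` belongs to the entry's project is outside what this diff shows.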