Prevent mass-assignment when adding/updating a time entry (#10390)....
Jean-Philippe Lang -
r9016:1ec2d98c14bd
@@ -1,336 +1,336
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class TimelogController < ApplicationController
19 19 menu_item :issues
20 20
21 21 before_filter :find_project, :only => [:create]
22 22 before_filter :find_time_entry, :only => [:show, :edit, :update]
23 23 before_filter :find_time_entries, :only => [:bulk_edit, :bulk_update, :destroy]
24 24 before_filter :authorize, :except => [:new, :index, :report]
25 25
26 26 before_filter :find_optional_project, :only => [:new, :index, :report]
27 27 before_filter :authorize_global, :only => [:new, :index, :report]
28 28
29 29 accept_rss_auth :index
30 30 accept_api_auth :index, :show, :create, :update, :destroy
31 31
32 32 helper :sort
33 33 include SortHelper
34 34 helper :issues
35 35 include TimelogHelper
36 36 helper :custom_fields
37 37 include CustomFieldsHelper
38 38
39 39 def index
40 40 sort_init 'spent_on', 'desc'
41 41 sort_update 'spent_on' => 'spent_on',
42 42 'user' => 'user_id',
43 43 'activity' => 'activity_id',
44 44 'project' => "#{Project.table_name}.name",
45 45 'issue' => 'issue_id',
46 46 'hours' => 'hours'
47 47
48 48 retrieve_date_range
49 49
50 50 scope = TimeEntry.visible.spent_between(@from, @to)
51 51 if @issue
52 52 scope = scope.on_issue(@issue)
53 53 elsif @project
54 54 scope = scope.on_project(@project, Setting.display_subprojects_issues?)
55 55 end
56 56
57 57 respond_to do |format|
58 58 format.html {
59 59 # Paginate results
60 60 @entry_count = scope.count
61 61 @entry_pages = Paginator.new self, @entry_count, per_page_option, params['page']
62 62 @entries = scope.all(
63 63 :include => [:project, :activity, :user, {:issue => :tracker}],
64 64 :order => sort_clause,
65 65 :limit => @entry_pages.items_per_page,
66 66 :offset => @entry_pages.current.offset
67 67 )
68 68 @total_hours = scope.sum(:hours).to_f
69 69
70 70 render :layout => !request.xhr?
71 71 }
72 72 format.api {
73 73 @entry_count = scope.count
74 74 @offset, @limit = api_offset_and_limit
75 75 @entries = scope.all(
76 76 :include => [:project, :activity, :user, {:issue => :tracker}],
77 77 :order => sort_clause,
78 78 :limit => @limit,
79 79 :offset => @offset
80 80 )
81 81 }
82 82 format.atom {
83 83 entries = scope.all(
84 84 :include => [:project, :activity, :user, {:issue => :tracker}],
85 85 :order => "#{TimeEntry.table_name}.created_on DESC",
86 86 :limit => Setting.feeds_limit.to_i
87 87 )
88 88 render_feed(entries, :title => l(:label_spent_time))
89 89 }
90 90 format.csv {
91 91 # Export all entries
92 92 @entries = scope.all(
93 93 :include => [:project, :activity, :user, {:issue => [:tracker, :assigned_to, :priority]}],
94 94 :order => sort_clause
95 95 )
96 96 send_data(entries_to_csv(@entries), :type => 'text/csv; header=present', :filename => 'timelog.csv')
97 97 }
98 98 end
99 99 end
100 100
101 101 def report
102 102 retrieve_date_range
103 103 @report = Redmine::Helpers::TimeReport.new(@project, @issue, params[:criteria], params[:columns], @from, @to)
104 104
105 105 respond_to do |format|
106 106 format.html { render :layout => !request.xhr? }
107 107 format.csv { send_data(report_to_csv(@report), :type => 'text/csv; header=present', :filename => 'timelog.csv') }
108 108 end
109 109 end
110 110
111 111 def show
112 112 respond_to do |format|
113 113 # TODO: Implement html response
114 114 format.html { render :nothing => true, :status => 406 }
115 115 format.api
116 116 end
117 117 end
118 118
119 119 def new
120 120 @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
121 @time_entry.attributes = params[:time_entry]
121 @time_entry.safe_attributes = params[:time_entry]
122 122 end
123 123
124 124 def create
125 125 @time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
126 @time_entry.attributes = params[:time_entry]
126 @time_entry.safe_attributes = params[:time_entry]
127 127
128 128 call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
129 129
130 130 if @time_entry.save
131 131 respond_to do |format|
132 132 format.html {
133 133 flash[:notice] = l(:notice_successful_create)
134 134 if params[:continue]
135 135 if params[:project_id]
136 136 redirect_to :action => 'new', :project_id => @time_entry.project, :issue_id => @time_entry.issue, :back_url => params[:back_url]
137 137 else
138 138 redirect_to :action => 'new', :back_url => params[:back_url]
139 139 end
140 140 else
141 141 redirect_back_or_default :action => 'index', :project_id => @time_entry.project
142 142 end
143 143 }
144 144 format.api { render :action => 'show', :status => :created, :location => time_entry_url(@time_entry) }
145 145 end
146 146 else
147 147 respond_to do |format|
148 148 format.html { render :action => 'new' }
149 149 format.api { render_validation_errors(@time_entry) }
150 150 end
151 151 end
152 152 end
153 153
154 154 def edit
155 @time_entry.attributes = params[:time_entry]
155 @time_entry.safe_attributes = params[:time_entry]
156 156 end
157 157
158 158 def update
159 @time_entry.attributes = params[:time_entry]
159 @time_entry.safe_attributes = params[:time_entry]
160 160
161 161 call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
162 162
163 163 if @time_entry.save
164 164 respond_to do |format|
165 165 format.html {
166 166 flash[:notice] = l(:notice_successful_update)
167 167 redirect_back_or_default :action => 'index', :project_id => @time_entry.project
168 168 }
169 169 format.api { head :ok }
170 170 end
171 171 else
172 172 respond_to do |format|
173 173 format.html { render :action => 'edit' }
174 174 format.api { render_validation_errors(@time_entry) }
175 175 end
176 176 end
177 177 end
178 178
179 179 def bulk_edit
180 180 @available_activities = TimeEntryActivity.shared.active
181 181 @custom_fields = TimeEntry.first.available_custom_fields
182 182 end
183 183
184 184 def bulk_update
185 185 attributes = parse_params_for_bulk_time_entry_attributes(params)
186 186
187 187 unsaved_time_entry_ids = []
188 188 @time_entries.each do |time_entry|
189 189 time_entry.reload
190 time_entry.attributes = attributes
190 time_entry.safe_attributes = attributes
191 191 call_hook(:controller_time_entries_bulk_edit_before_save, { :params => params, :time_entry => time_entry })
192 192 unless time_entry.save
193 193 # Keep unsaved time_entry ids to display them in flash error
194 194 unsaved_time_entry_ids << time_entry.id
195 195 end
196 196 end
197 197 set_flash_from_bulk_time_entry_save(@time_entries, unsaved_time_entry_ids)
198 198 redirect_back_or_default({:controller => 'timelog', :action => 'index', :project_id => @projects.first})
199 199 end
200 200
201 201 def destroy
202 202 destroyed = TimeEntry.transaction do
203 203 @time_entries.each do |t|
204 204 unless t.destroy && t.destroyed?
205 205 raise ActiveRecord::Rollback
206 206 end
207 207 end
208 208 end
209 209
210 210 respond_to do |format|
211 211 format.html {
212 212 if destroyed
213 213 flash[:notice] = l(:notice_successful_delete)
214 214 else
215 215 flash[:error] = l(:notice_unable_delete_time_entry)
216 216 end
217 217 redirect_back_or_default(:action => 'index', :project_id => @projects.first)
218 218 }
219 219 format.api {
220 220 if destroyed
221 221 head :ok
222 222 else
223 223 render_validation_errors(@time_entries)
224 224 end
225 225 }
226 226 end
227 227 end
228 228
229 229 private
230 230 def find_time_entry
231 231 @time_entry = TimeEntry.find(params[:id])
232 232 unless @time_entry.editable_by?(User.current)
233 233 render_403
234 234 return false
235 235 end
236 236 @project = @time_entry.project
237 237 rescue ActiveRecord::RecordNotFound
238 238 render_404
239 239 end
240 240
241 241 def find_time_entries
242 242 @time_entries = TimeEntry.find_all_by_id(params[:id] || params[:ids])
243 243 raise ActiveRecord::RecordNotFound if @time_entries.empty?
244 244 @projects = @time_entries.collect(&:project).compact.uniq
245 245 @project = @projects.first if @projects.size == 1
246 246 rescue ActiveRecord::RecordNotFound
247 247 render_404
248 248 end
249 249
250 250 def set_flash_from_bulk_time_entry_save(time_entries, unsaved_time_entry_ids)
251 251 if unsaved_time_entry_ids.empty?
252 252 flash[:notice] = l(:notice_successful_update) unless time_entries.empty?
253 253 else
254 254 flash[:error] = l(:notice_failed_to_save_time_entries,
255 255 :count => unsaved_time_entry_ids.size,
256 256 :total => time_entries.size,
257 257 :ids => '#' + unsaved_time_entry_ids.join(', #'))
258 258 end
259 259 end
260 260
261 261 def find_project
262 262 if (project_id = (params[:project_id] || params[:time_entry] && params[:time_entry][:project_id])).present?
263 263 @project = Project.find(project_id)
264 264 end
265 265 if (issue_id = (params[:issue_id] || params[:time_entry] && params[:time_entry][:issue_id])).present?
266 266 @issue = Issue.find(issue_id)
267 267 @project ||= @issue.project
268 268 end
269 269 if @project.nil?
270 270 render_404
271 271 return false
272 272 end
273 273 rescue ActiveRecord::RecordNotFound
274 274 render_404
275 275 end
276 276
277 277 def find_optional_project
278 278 if !params[:issue_id].blank?
279 279 @issue = Issue.find(params[:issue_id])
280 280 @project = @issue.project
281 281 elsif !params[:project_id].blank?
282 282 @project = Project.find(params[:project_id])
283 283 end
284 284 end
285 285
286 286 # Retrieves the date range based on predefined ranges or specific from/to param dates
287 287 def retrieve_date_range
288 288 @free_period = false
289 289 @from, @to = nil, nil
290 290
291 291 if params[:period_type] == '1' || (params[:period_type].nil? && !params[:period].nil?)
292 292 case params[:period].to_s
293 293 when 'today'
294 294 @from = @to = Date.today
295 295 when 'yesterday'
296 296 @from = @to = Date.today - 1
297 297 when 'current_week'
298 298 @from = Date.today - (Date.today.cwday - 1)%7
299 299 @to = @from + 6
300 300 when 'last_week'
301 301 @from = Date.today - 7 - (Date.today.cwday - 1)%7
302 302 @to = @from + 6
303 303 when '7_days'
304 304 @from = Date.today - 7
305 305 @to = Date.today
306 306 when 'current_month'
307 307 @from = Date.civil(Date.today.year, Date.today.month, 1)
308 308 @to = (@from >> 1) - 1
309 309 when 'last_month'
310 310 @from = Date.civil(Date.today.year, Date.today.month, 1) << 1
311 311 @to = (@from >> 1) - 1
312 312 when '30_days'
313 313 @from = Date.today - 30
314 314 @to = Date.today
315 315 when 'current_year'
316 316 @from = Date.civil(Date.today.year, 1, 1)
317 317 @to = Date.civil(Date.today.year, 12, 31)
318 318 end
319 319 elsif params[:period_type] == '2' || (params[:period_type].nil? && (!params[:from].nil? || !params[:to].nil?))
320 320 begin; @from = params[:from].to_s.to_date unless params[:from].blank?; rescue; end
321 321 begin; @to = params[:to].to_s.to_date unless params[:to].blank?; rescue; end
322 322 @free_period = true
323 323 else
324 324 # default
325 325 end
326 326
327 327 @from, @to = @to, @from if @from && @to && @from > @to
328 328 end
329 329
330 330 def parse_params_for_bulk_time_entry_attributes(params)
331 331 attributes = (params[:time_entry] || {}).reject {|k,v| v.blank?}
332 332 attributes.keys.each {|k| attributes[k] = '' if attributes[k] == 'none'}
333 333 attributes[:custom_field_values].reject! {|k,v| v.blank?} if attributes[:custom_field_values]
334 334 attributes
335 335 end
336 336 end
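Review bot: The new `@time_entry.safe_attributes = params[:time_entry]` lines in new, create, edit and update (and `time_entry.safe_attributes = attributes` in the bulk_update loop) give a reader of the controller no hint of which keys are accepted, so it is not visible here that `project_id` and `user_id` are deliberately never taken from the request. A comment at the first use, `# Only keys whitelisted by safe_attributes in TimeEntry are assigned; project and user come from @project and User.current`, would document the contract the change relies on. Separately, `find_project` still indexes `params[:time_entry][:project_id]` and `params[:time_entry][:issue_id]` directly; if `params[:time_entry]` arrives as a scalar rather than a hash that raises a TypeError before `authorize` runs, which presumably should be a 404 instead — a `params[:time_entry].is_a?(Hash)` guard in that helper would close it, though how ApplicationController maps such errors is not visible from this page.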
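--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -1,117 +1,120 @@
 # Redmine - project management software
 # Copyright (C) 2006-2011 Jean-Philippe Lang
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class TimeEntry < ActiveRecord::Base
+include Redmine::SafeAttributes
 # could have used polymorphic association
 # project association here allows easy loading of time entries at project level with one database trip
 belongs_to :project
 belongs_to :issue
 belongs_to :user
 belongs_to :activity, :class_name => 'TimeEntryActivity', :foreign_key => 'activity_id'
 
 attr_protected :project_id, :user_id, :tyear, :tmonth, :tweek
 
 acts_as_customizable
 acts_as_event :title => Proc.new {|o| "#{l_hours(o.hours)} (#{(o.issue || o.project).event_title})"},
 :url => Proc.new {|o| {:controller => 'timelog', :action => 'index', :project_id => o.project, :issue_id => o.issue}},
 :author => :user,
 :description => :comments
 
 acts_as_activity_provider :timestamp => "#{table_name}.created_on",
 :author_key => :user_id,
 :find_options => {:include => :project}
 
 validates_presence_of :user_id, :activity_id, :project_id, :hours, :spent_on
 validates_numericality_of :hours, :allow_nil => true, :message => :invalid
 validates_length_of :comments, :maximum => 255, :allow_nil => true
 before_validation :set_project_if_nil
 validate :validate_time_entry
 
 named_scope :visible, lambda {|*args| {
 :include => :project,
 :conditions => Project.allowed_to_condition(args.shift || User.current, :view_time_entries, *args)
 }}
 named_scope :on_issue, lambda {|issue| {
 :include => :issue,
 :conditions => "#{Issue.table_name}.root_id = #{issue.root_id} AND #{Issue.table_name}.lft >= #{issue.lft} AND #{Issue.table_name}.rgt <= #{issue.rgt}"
 }}
 named_scope :on_project, lambda {|project, include_subprojects| {
 :include => :project,
 :conditions => project.project_condition(include_subprojects)
 }}
 named_scope :spent_between, lambda {|from, to|
 if from && to
 {:conditions => ["#{TimeEntry.table_name}.spent_on BETWEEN ? AND ?", from, to]}
 elsif from
 {:conditions => ["#{TimeEntry.table_name}.spent_on >= ?", from]}
 elsif to
 {:conditions => ["#{TimeEntry.table_name}.spent_on <= ?", to]}
 else
 {}
 end
 }
 
+safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values'
+
 def initialize(attributes=nil, *args)
 super
 if new_record? && self.activity.nil?
 if default_activity = TimeEntryActivity.default
 self.activity_id = default_activity.id
 end
 self.hours = nil if hours == 0
 end
 end
 
 def set_project_if_nil
 self.project = issue.project if issue && project.nil?
 end
 
 def validate_time_entry
 errors.add :hours, :invalid if hours && (hours < 0 || hours >= 1000)
 errors.add :project_id, :invalid if project.nil?
 errors.add :issue_id, :invalid if (issue_id && !issue) || (issue && project!=issue.project)
 end
 
 def hours=(h)
 write_attribute :hours, (h.is_a?(String) ? (h.to_hours || h) : h)
 end
 
 def hours
 h = read_attribute(:hours)
 if h.is_a?(Float)
 h.round(2)
 else
 h
 end
 end
 
 # tyear, tmonth, tweek assigned where setting spent_on attributes
 # these attributes make time aggregations easier
 def spent_on=(date)
 super
 if spent_on.is_a?(Time)
 self.spent_on = spent_on.to_date
 end
 self.tyear = spent_on ? spent_on.year : nil
 self.tmonth = spent_on ? spent_on.month : nil
 self.tweek = spent_on ? Date.civil(spent_on.year, spent_on.month, spent_on.day).cweek : nil
 end
 
 # Returns true if the time entry can be edited by usr, otherwise false
 def editable_by?(usr)
 (usr == user && usr.allowed_to?(:edit_own_time_entries, project)) || usr.allowed_to?(:edit_time_entries, project)
 end
 end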
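Review bot: The new `safe_attributes` declaration (new line 69) is a static whitelist with no user or state condition, so any caller that passes `editable_by?` can reassign `issue_id`; the only remaining constraint is `validate_time_entry`, which rejects an issue belonging to a different project but does not consider what the user may see. That is likely intended, but a comment above the declaration would make the trust boundary explicit: `# Keys assignable from request params. project_id and user_id are set by the controller from the authorized project and User.current; tyear/tmonth/tweek are derived in spent_on=.` The `attr_protected :project_id, :user_id, :tyear, :tmonth, :tweek` line is presumably redundant once every writer goes through safe_attributes=, but it is harmless as a second layer and worth keeping while other callers of `attributes=` may still exist outside this commit.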