jro_apps/redmine Commit - r9013:286bda14f14d

Prevent mass-assignment when adding/updating a forum message (#10390)....

Jean-Philippe Lang -

r9013:286bda14f14d

parent child

Context file:

r9013:286bda14f14d

Collapse all files

app/controllers/messages_controller.rb +6 -11

               # Create a new topic
               def new
-                @message = Message.new(params[:message])
+                @message = Message.new
                 @message.author = User.current
                 @message.board = @board
-                if params[:message] && User.current.allowed_to?(:edit_messages, @project)
+                @message.safe_attributes = params[:message]
-                  @message.locked = params[:message]['locked']
-                  @message.sticky = params[:message]['sticky']
-                end
                 if request.post?
                   @message.save_attachments(params[:attachments])
                   if @message.save
               # Reply to a topic
               def reply
-                @reply = Message.new(params[:reply])
+                @reply = Message.new
                 @reply.author = User.current
                 @reply.board = @board
+                @reply.safe_attributes = params[:reply]
                 @topic.children << @reply
                 if !@reply.new_record?
                   call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
               # Edit a message
               def edit
                 (render_403; return false) unless @message.editable_by?(User.current)
-                if params[:message]
+                @message.safe_attributes = params[:message]
-                  @message.locked = params[:message]['locked']
+                if request.post? && @message.save
-                  @message.sticky = params[:message]['sticky']
-                end
-                if request.post? && @message.update_attributes(params[:message])
                   attachments = Attachment.attach_files(@message, params[:attachments])
                   render_attachment_warning_if_needed(@message)
                   flash[:notice] = l(:notice_successful_update)

app/models/message.rb +7 0

             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class Message < ActiveRecord::Base
+              include Redmine::SafeAttributes
               belongs_to :board
               belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
               acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
               named_scope :visible, lambda {|*args| { :include => {:board => :project},
                                                       :conditions => Project.allowed_to_condition(args.shift || User.current, :view_messages, *args) } }
+              safe_attributes 'subject', 'content'
+              safe_attributes 'locked', 'sticky',
+                :if => lambda {|message, user|
+                  user.allowed_to?(:edit_messages, message.project)
+                }
               def visible?(user=User.current)
                 !user.nil? && user.allowed_to?(:view_messages, project)
               end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages