jro_apps/redmine Commit - r9012:2c6ad7525aa7

Prevent mass-assignment when adding a project member (#10390)....

Jean-Philippe Lang -

r9012:2c6ad7525aa7

parent child

Context file:

r9012:2c6ad7525aa7

app/controllers/members_controller.rb +10 -8

@@ -49,16 +49,18 class MembersController < ApplicationController
49		49
50	def create	50	def create
51	members = []	51	members = []
52	if params[:membership] && ~~params~~[~~:membership~~][~~:user_ids~~]	52	if params[:membership]
53	~~attrs~~ = params[:membership].~~dup~~	53	if params[:membership][:user_ids]
54	user_ids = attrs.delete(:user_ids)	54	attrs = params[:membership].dup
55	user_ids.~~each~~ do \|~~user_id~~\|	55	user_ids = attrs.delete(:user_ids)
56	members << Member.new(attrs.merge(:user_id => user_id))	56	user_ids.each do \|user_id\|
		57	members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id)
		58	end
		59	else
		60	members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
57	end	61	end
58	else	62	@project.members << members
59	members << Member.new(params[:membership])
60	end	63	end
61	@project.members << members
62		64
63	respond_to do \|format\|	65	respond_to do \|format\|
64	if members.present? && members.all? {\|m\| m.valid? }	66	if members.present? && members.all? {\|m\| m.valid? }

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages