##// END OF EJS Templates
jro_apps » redmine
RSS
Prevent mass-assignment when adding a project member (#10390)....
Jean-Philippe Lang -
r9012:2c6ad7525aa7
parent child
Show More
Side by Side Unified
Context file:
r9012:2c6ad7525aa7 Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,142 +1,144
1 # Redmine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
7 # of the License, or (at your option) any later version.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU General Public License
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 class MembersController < ApplicationController
18 class MembersController < ApplicationController
19 model_object Member
19 model_object Member
20 before_filter :find_model_object, :except => [:index, :create, :autocomplete]
20 before_filter :find_model_object, :except => [:index, :create, :autocomplete]
21 before_filter :find_project_from_association, :except => [:index, :create, :autocomplete]
21 before_filter :find_project_from_association, :except => [:index, :create, :autocomplete]
22 before_filter :find_project_by_project_id, :only => [:index, :create, :autocomplete]
22 before_filter :find_project_by_project_id, :only => [:index, :create, :autocomplete]
23 before_filter :authorize
23 before_filter :authorize
24 accept_api_auth :index, :show, :create, :update, :destroy
24 accept_api_auth :index, :show, :create, :update, :destroy
25
25
26 def index
26 def index
27 @offset, @limit = api_offset_and_limit
27 @offset, @limit = api_offset_and_limit
28 @member_count = @project.member_principals.count
28 @member_count = @project.member_principals.count
29 @member_pages = Paginator.new self, @member_count, @limit, params['page']
29 @member_pages = Paginator.new self, @member_count, @limit, params['page']
30 @offset ||= @member_pages.current.offset
30 @offset ||= @member_pages.current.offset
31 @members = @project.member_principals.all(
31 @members = @project.member_principals.all(
32 :order => "#{Member.table_name}.id",
32 :order => "#{Member.table_name}.id",
33 :limit => @limit,
33 :limit => @limit,
34 :offset => @offset
34 :offset => @offset
35 )
35 )
36
36
37 respond_to do |format|
37 respond_to do |format|
38 format.html { head 406 }
38 format.html { head 406 }
39 format.api
39 format.api
40 end
40 end
41 end
41 end
42
42
43 def show
43 def show
44 respond_to do |format|
44 respond_to do |format|
45 format.html { head 406 }
45 format.html { head 406 }
46 format.api
46 format.api
47 end
47 end
48 end
48 end
49
49
50 def create
50 def create
51 members = []
51 members = []
52 if params[:membership] && params[:membership][:user_ids]
52 if params[:membership]
53 if params[:membership][:user_ids]
53 attrs = params[:membership].dup
54 attrs = params[:membership].dup
54 user_ids = attrs.delete(:user_ids)
55 user_ids = attrs.delete(:user_ids)
55 user_ids.each do |user_id|
56 user_ids.each do |user_id|
56 members << Member.new(attrs.merge(:user_id => user_id))
57 members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id)
57 end
58 end
58 else
59 else
59 members << Member.new(params[:membership])
60 members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
60 end
61 end
61 @project.members << members
62 @project.members << members
63 end
62
64
63 respond_to do |format|
65 respond_to do |format|
64 if members.present? && members.all? {|m| m.valid? }
66 if members.present? && members.all? {|m| m.valid? }
65 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
67 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
66 format.js {
68 format.js {
67 render(:update) {|page|
69 render(:update) {|page|
68 page.replace_html "tab-content-members", :partial => 'projects/settings/members'
70 page.replace_html "tab-content-members", :partial => 'projects/settings/members'
69 page << 'hideOnLoad()'
71 page << 'hideOnLoad()'
70 members.each {|member| page.visual_effect(:highlight, "member-#{member.id}") }
72 members.each {|member| page.visual_effect(:highlight, "member-#{member.id}") }
71 }
73 }
72 }
74 }
73 format.api {
75 format.api {
74 @member = members.first
76 @member = members.first
75 render :action => 'show', :status => :created, :location => membership_url(@member)
77 render :action => 'show', :status => :created, :location => membership_url(@member)
76 }
78 }
77 else
79 else
78 format.js {
80 format.js {
79 render(:update) {|page|
81 render(:update) {|page|
80 errors = members.collect {|m|
82 errors = members.collect {|m|
81 m.errors.full_messages
83 m.errors.full_messages
82 }.flatten.uniq
84 }.flatten.uniq
83
85
84 page.alert(l(:notice_failed_to_save_members, :errors => errors.join(', ')))
86 page.alert(l(:notice_failed_to_save_members, :errors => errors.join(', ')))
85 }
87 }
86 }
88 }
87 format.api { render_validation_errors(members.first) }
89 format.api { render_validation_errors(members.first) }
88 end
90 end
89 end
91 end
90 end
92 end
91
93
92 def update
94 def update
93 if params[:membership]
95 if params[:membership]
94 @member.role_ids = params[:membership][:role_ids]
96 @member.role_ids = params[:membership][:role_ids]
95 end
97 end
96 saved = @member.save
98 saved = @member.save
97 respond_to do |format|
99 respond_to do |format|
98 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
100 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
99 format.js {
101 format.js {
100 render(:update) {|page|
102 render(:update) {|page|
101 page.replace_html "tab-content-members", :partial => 'projects/settings/members'
103 page.replace_html "tab-content-members", :partial => 'projects/settings/members'
102 page << 'hideOnLoad()'
104 page << 'hideOnLoad()'
103 page.visual_effect(:highlight, "member-#{@member.id}")
105 page.visual_effect(:highlight, "member-#{@member.id}")
104 }
106 }
105 }
107 }
106 format.api {
108 format.api {
107 if saved
109 if saved
108 head :ok
110 head :ok
109 else
111 else
110 render_validation_errors(@member)
112 render_validation_errors(@member)
111 end
113 end
112 }
114 }
113 end
115 end
114 end
116 end
115
117
116 def destroy
118 def destroy
117 if request.delete? && @member.deletable?
119 if request.delete? && @member.deletable?
118 @member.destroy
120 @member.destroy
119 end
121 end
120 respond_to do |format|
122 respond_to do |format|
121 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
123 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
122 format.js { render(:update) {|page|
124 format.js { render(:update) {|page|
123 page.replace_html "tab-content-members", :partial => 'projects/settings/members'
125 page.replace_html "tab-content-members", :partial => 'projects/settings/members'
124 page << 'hideOnLoad()'
126 page << 'hideOnLoad()'
125 }
127 }
126 }
128 }
127 format.api {
129 format.api {
128 if @member.destroyed?
130 if @member.destroyed?
129 head :ok
131 head :ok
130 else
132 else
131 head :unprocessable_entity
133 head :unprocessable_entity
132 end
134 end
133 }
135 }
134 end
136 end
135 end
137 end
136
138
137 def autocomplete
139 def autocomplete
138 @principals = Principal.active.not_member_of(@project).like(params[:q]).all(:limit => 100)
140 @principals = Principal.active.not_member_of(@project).like(params[:q]).all(:limit => 100)
139 render :layout => false
141 render :layout => false
140 end
142 end
141
143
142 end
144 end
General Comments 0
You need to be logged in to leave comments. Login now