jro_apps/redmine Commit - r9012:2c6ad7525aa7

Prevent mass-assignment when adding a project member (#10390)....

Jean-Philippe Lang -

r9012:2c6ad7525aa7

parent child

Context file:

r9012:2c6ad7525aa7

app/controllers/members_controller.rb +10 -8

                def create
                  members = []
-                 if params[:membership] && params[:membership][:user_ids]
-                   attrs = params[:membership].dup
-                   user_ids = attrs.delete(:user_ids)
-                   user_ids.each do |user_id|
-                     members << Member.new(attrs.merge(:user_id => user_id))
+                 if params[:membership]
+                   if params[:membership][:user_ids]
+                     attrs = params[:membership].dup
+                     user_ids = attrs.delete(:user_ids)
+                     user_ids.each do |user_id|
+                       members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id)
+                     end
+                   else
+                     members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
                    end
-                 else
-                   members << Member.new(params[:membership])
+                   @project.members << members
                  end
-                 @project.members << members
                  respond_to do |format|
                    if members.present? && members.all? {|m| m.valid? }

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages