Prevent mass-assignment when adding a project member (#10390)....
Jean-Philippe Lang -
r9012:2c6ad7525aa7
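--- a/<PATH not shown on page>/members_controller.rb
+++ b/<PATH not shown on page>/members_controller.rb
@@ -1,142 +1,144 @@
 # Redmine - project management software
 # Copyright (C) 2006-2011 Jean-Philippe Lang
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class MembersController < ApplicationController
   model_object Member
   before_filter :find_model_object, :except => [:index, :create, :autocomplete]
   before_filter :find_project_from_association, :except => [:index, :create, :autocomplete]
   before_filter :find_project_by_project_id, :only => [:index, :create, :autocomplete]
   before_filter :authorize
   accept_api_auth :index, :show, :create, :update, :destroy
 
   def index
     @offset, @limit = api_offset_and_limit
     @member_count = @project.member_principals.count
     @member_pages = Paginator.new self, @member_count, @limit, params['page']
     @offset ||= @member_pages.current.offset
     @members = @project.member_principals.all(
       :order => "#{Member.table_name}.id",
       :limit => @limit,
       :offset => @offset
     )
 
     respond_to do |format|
       format.html { head 406 }
       format.api
     end
   end
 
   def show
     respond_to do |format|
       format.html { head 406 }
       format.api
     end
   end
 
   def create
     members = []
-    if params[:membership] && params[:membership][:user_ids]
-      attrs = params[:membership].dup
-      user_ids = attrs.delete(:user_ids)
-      user_ids.each do |user_id|
-        members << Member.new(attrs.merge(:user_id => user_id))
+    if params[:membership]
+      if params[:membership][:user_ids]
+        attrs = params[:membership].dup
+        user_ids = attrs.delete(:user_ids)
+        user_ids.each do |user_id|
+          members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id)
+        end
+      else
+        members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
       end
-    else
-      members << Member.new(params[:membership])
+      @project.members << members
     end
-    @project.members << members
 
     respond_to do |format|
       if members.present? && members.all? {|m| m.valid? }
         format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
         format.js {
           render(:update) {|page|
             page.replace_html "tab-content-members", :partial => 'projects/settings/members'
             page << 'hideOnLoad()'
             members.each {|member| page.visual_effect(:highlight, "member-#{member.id}") }
           }
         }
         format.api {
           @member = members.first
           render :action => 'show', :status => :created, :location => membership_url(@member)
         }
       else
         format.js {
           render(:update) {|page|
             errors = members.collect {|m|
               m.errors.full_messages
             }.flatten.uniq
 
             page.alert(l(:notice_failed_to_save_members, :errors => errors.join(', ')))
           }
         }
         format.api { render_validation_errors(members.first) }
       end
     end
   end
 
   def update
     if params[:membership]
       @member.role_ids = params[:membership][:role_ids]
     end
     saved = @member.save
     respond_to do |format|
       format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
       format.js {
         render(:update) {|page|
           page.replace_html "tab-content-members", :partial => 'projects/settings/members'
           page << 'hideOnLoad()'
           page.visual_effect(:highlight, "member-#{@member.id}")
         }
       }
       format.api {
         if saved
           head :ok
         else
           render_validation_errors(@member)
         end
       }
     end
   end
 
   def destroy
     if request.delete? && @member.deletable?
       @member.destroy
     end
     respond_to do |format|
       format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
       format.js { render(:update) {|page|
           page.replace_html "tab-content-members", :partial => 'projects/settings/members'
           page << 'hideOnLoad()'
         }
       }
       format.api {
         if @member.destroyed?
           head :ok
         else
           head :unprocessable_entity
         end
       }
     end
   end
 
   def autocomplete
     @principals = Principal.active.not_member_of(@project).like(params[:q]).all(:limit => 100)
     render :layout => false
   end
 
 end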
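Review bot: In the new `create` (new lines 54–55) `attrs = params[:membership].dup` and `user_ids = attrs.delete(:user_ids)` are leftovers from the mass-assignment version: `attrs` is never passed to `Member.new` any more, so the dup and delete only hide that the loop simply walks `params[:membership][:user_ids]`. Replace those two lines and the loop head with `params[:membership][:user_ids].each do |user_id|`. Both new branches also build the member only from `role_ids` and a principal id, which is the intended whitelist; a short comment such as `# only role_ids and the principal id are taken from the request, never the whole hash` would keep a future edit from reintroducing `Member.new(params[:membership])`. If a client sends `user_ids` as a scalar rather than an array, `.each` is likely to raise instead of producing a validation error, so the expected shape is worth stating there as well.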