jro_apps/redmine Commit - r9012:2c6ad7525aa7

Prevent mass-assignment when adding a project member (#10390)....

Jean-Philippe Lang -

r9012:2c6ad7525aa7

parent child

Context file:

r9012:2c6ad7525aa7

app/controllers/members_controller.rb +5 -3

                def create
                  members = []
-                 if params[:membership] && params[:membership][:user_ids]
+                 if params[:membership]
+                   if params[:membership][:user_ids]
                    attrs = params[:membership].dup
                    user_ids = attrs.delete(:user_ids)
                    user_ids.each do |user_id|
-                     members << Member.new(attrs.merge(:user_id => user_id))
+                       members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id)
                    end
                  else
-                   members << Member.new(params[:membership])
+                     members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
                  end
                  @project.members << members
+                 end
                  respond_to do |format|
                    if members.present? && members.all? {|m| m.valid? }

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages