jro_apps/redmine Commit - r9012:2c6ad7525aa7

Prevent mass-assignment when adding a project member (#10390)....

Jean-Philippe Lang -

r9012:2c6ad7525aa7

parent child

Context file:

r9012:2c6ad7525aa7

app/controllers/members_controller.rb +5 -3

               def create
                 members = []
-                if params[:membership] && params[:membership][:user_ids]
+                if params[:membership]
+                  if params[:membership][:user_ids]
                     attrs = params[:membership].dup
                     user_ids = attrs.delete(:user_ids)
                     user_ids.each do |user_id|
-                    members << Member.new(attrs.merge(:user_id => user_id))
+                      members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id)
                     end
                   else
-                  members << Member.new(params[:membership])
+                    members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
                   end
                   @project.members << members
+                end
                 respond_to do |format|
                   if members.present? && members.all? {|m| m.valid? }

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages