Prevent mass-assignment when adding/updating an issue category (#10390)....
Jean-Philippe Lang -
r9011:460239d1f9ee
@@ -1,122 +1,125
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class IssueCategoriesController < ApplicationController
19 19 menu_item :settings
20 20 model_object IssueCategory
21 21 before_filter :find_model_object, :except => [:index, :new, :create]
22 22 before_filter :find_project_from_association, :except => [:index, :new, :create]
23 23 before_filter :find_project, :only => [:index, :new, :create]
24 24 before_filter :authorize
25 25 accept_api_auth :index, :show, :create, :update, :destroy
26 26
27 27 def index
28 28 respond_to do |format|
29 29 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project }
30 30 format.api { @categories = @project.issue_categories.all }
31 31 end
32 32 end
33 33
34 34 def show
35 35 respond_to do |format|
36 36 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project }
37 37 format.api
38 38 end
39 39 end
40 40
41 41 def new
42 @category = @project.issue_categories.build(params[:issue_category])
42 @category = @project.issue_categories.build
43 @category.safe_attributes = params[:issue_category]
43 44 end
44 45
45 46 def create
46 @category = @project.issue_categories.build(params[:issue_category])
47 @category = @project.issue_categories.build
48 @category.safe_attributes = params[:issue_category]
47 49 if @category.save
48 50 respond_to do |format|
49 51 format.html do
50 52 flash[:notice] = l(:notice_successful_create)
51 53 redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project
52 54 end
53 55 format.js do
54 56 # IE doesn't support the replace_html rjs method for select box options
55 57 render(:update) {|page| page.replace "issue_category_id",
56 58 content_tag('select', content_tag('option') + options_from_collection_for_select(@project.issue_categories, 'id', 'name', @category.id), :id => 'issue_category_id', :name => 'issue[category_id]')
57 59 }
58 60 end
59 61 format.api { render :action => 'show', :status => :created, :location => issue_category_path(@category) }
60 62 end
61 63 else
62 64 respond_to do |format|
63 65 format.html { render :action => 'new'}
64 66 format.js do
65 67 render(:update) {|page| page.alert(@category.errors.full_messages.join('\n')) }
66 68 end
67 69 format.api { render_validation_errors(@category) }
68 70 end
69 71 end
70 72 end
71 73
72 74 def edit
73 75 end
74 76
75 77 def update
76 if @category.update_attributes(params[:issue_category])
78 @category.safe_attributes = params[:issue_category]
79 if @category.save
77 80 respond_to do |format|
78 81 format.html {
79 82 flash[:notice] = l(:notice_successful_update)
80 83 redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project
81 84 }
82 85 format.api { head :ok }
83 86 end
84 87 else
85 88 respond_to do |format|
86 89 format.html { render :action => 'edit' }
87 90 format.api { render_validation_errors(@category) }
88 91 end
89 92 end
90 93 end
91 94
92 95 def destroy
93 96 @issue_count = @category.issues.size
94 97 if @issue_count == 0 || params[:todo] || api_request?
95 98 reassign_to = nil
96 99 if params[:reassign_to_id] && (params[:todo] == 'reassign' || params[:todo].blank?)
97 100 reassign_to = @project.issue_categories.find_by_id(params[:reassign_to_id])
98 101 end
99 102 @category.destroy(reassign_to)
100 103 respond_to do |format|
101 104 format.html { redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories' }
102 105 format.api { head :ok }
103 106 end
104 107 return
105 108 end
106 109 @categories = @project.issue_categories - [@category]
107 110 end
108 111
109 112 private
110 113 # Wrap ApplicationController's find_model_object method to set
111 114 # @category instead of just @issue_category
112 115 def find_model_object
113 116 super
114 117 @category = @object
115 118 end
116 119
117 120 def find_project
118 121 @project = Project.find(params[:project_id])
119 122 rescue ActiveRecord::RecordNotFound
120 123 render_404
121 124 end
122 125 end
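Review bot: The `update` action (new lines 78–79) hands `params[:issue_category]` straight to `safe_attributes=`; on the API path that key can be absent or a non-Hash scalar from a malformed body, and whether the helper tolerates that is decided in `Redmine::SafeAttributes`, which is outside this change. Either guard the call, `@category.safe_attributes = params[:issue_category] if params[:issue_category].is_a?(Hash)`, or add a one-line comment above it noting that the helper is relied on to ignore non-Hash input; the same pattern is at `new` (new line 43) and `create` (new line 48). No regression test is visible on this page for the fix itself — one that posts `:issue_category => {:name => 'x', :project_id => <id of another project>}` (constructed example) and asserts the saved category still belongs to `@project` would pin the behaviour this commit is meant to guarantee.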
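--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,47 +1,48 @@
 # Redmine - project management software
 # Copyright (C) 2006-2011 Jean-Philippe Lang
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class IssueCategory < ActiveRecord::Base
+include Redmine::SafeAttributes
 belongs_to :project
 belongs_to :assigned_to, :class_name => 'Principal', :foreign_key => 'assigned_to_id'
 has_many :issues, :foreign_key => 'category_id', :dependent => :nullify
 
 validates_presence_of :name
 validates_uniqueness_of :name, :scope => [:project_id]
 validates_length_of :name, :maximum => 30
 
-attr_protected :project_id
+safe_attributes 'name', 'assigned_to_id'
 
 named_scope :named, lambda {|arg| { :conditions => ["LOWER(#{table_name}.name) = LOWER(?)", arg.to_s.strip]}}
 
 alias :destroy_without_reassign :destroy
 
 # Destroy the category
 # If a category is specified, issues are reassigned to this category
 def destroy(reassign_to = nil)
 if reassign_to && reassign_to.is_a?(IssueCategory) && reassign_to.project == self.project
 Issue.update_all("category_id = #{reassign_to.id}", "category_id = #{id}")
 end
 destroy_without_reassign
 end
 
 def <=>(category)
 name <=> category.name
 end
 
 def to_s; name end
 end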
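Review bot: Removing `attr_protected :project_id` (old line 27) moves the whole of the mass-assignment protection onto callers that go through `safe_attributes=`; any code path that still builds or updates an `IssueCategory` from a raw params hash would now have `project_id` writable, where before it was blocked by the model. Keeping the one line `attr_protected :project_id` next to the new `safe_attributes 'name', 'assigned_to_id'` costs nothing and gives defence in depth for callers this page does not show. The whitelist also grants `assigned_to_id`, and the only validations visible are on `name`, so nothing here ties the assignee to the category's project; whether the controllers or views constrain the allowed principals is not visible on this page — if they do not, a validation along the lines of checking `assigned_to` against the project's assignable principals would close that gap.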