##// END OF EJS Templates
jro_apps » redmine
RSS
Prevent mass-assignment when adding/updating an issue category (#10390)....
Jean-Philippe Lang -
r9011:460239d1f9ee
parent child
Show More
Side by Side Unified
Context file:
r9011:460239d1f9ee Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,122 +1,125
1 # Redmine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
7 # of the License, or (at your option) any later version.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU General Public License
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 class IssueCategoriesController < ApplicationController
18 class IssueCategoriesController < ApplicationController
19 menu_item :settings
19 menu_item :settings
20 model_object IssueCategory
20 model_object IssueCategory
21 before_filter :find_model_object, :except => [:index, :new, :create]
21 before_filter :find_model_object, :except => [:index, :new, :create]
22 before_filter :find_project_from_association, :except => [:index, :new, :create]
22 before_filter :find_project_from_association, :except => [:index, :new, :create]
23 before_filter :find_project, :only => [:index, :new, :create]
23 before_filter :find_project, :only => [:index, :new, :create]
24 before_filter :authorize
24 before_filter :authorize
25 accept_api_auth :index, :show, :create, :update, :destroy
25 accept_api_auth :index, :show, :create, :update, :destroy
26
26
27 def index
27 def index
28 respond_to do |format|
28 respond_to do |format|
29 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project }
29 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project }
30 format.api { @categories = @project.issue_categories.all }
30 format.api { @categories = @project.issue_categories.all }
31 end
31 end
32 end
32 end
33
33
34 def show
34 def show
35 respond_to do |format|
35 respond_to do |format|
36 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project }
36 format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project }
37 format.api
37 format.api
38 end
38 end
39 end
39 end
40
40
41 def new
41 def new
42 @category = @project.issue_categories.build(params[:issue_category])
42 @category = @project.issue_categories.build
43 @category.safe_attributes = params[:issue_category]
43 end
44 end
44
45
45 def create
46 def create
46 @category = @project.issue_categories.build(params[:issue_category])
47 @category = @project.issue_categories.build
48 @category.safe_attributes = params[:issue_category]
47 if @category.save
49 if @category.save
48 respond_to do |format|
50 respond_to do |format|
49 format.html do
51 format.html do
50 flash[:notice] = l(:notice_successful_create)
52 flash[:notice] = l(:notice_successful_create)
51 redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project
53 redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project
52 end
54 end
53 format.js do
55 format.js do
54 # IE doesn't support the replace_html rjs method for select box options
56 # IE doesn't support the replace_html rjs method for select box options
55 render(:update) {|page| page.replace "issue_category_id",
57 render(:update) {|page| page.replace "issue_category_id",
56 content_tag('select', content_tag('option') + options_from_collection_for_select(@project.issue_categories, 'id', 'name', @category.id), :id => 'issue_category_id', :name => 'issue[category_id]')
58 content_tag('select', content_tag('option') + options_from_collection_for_select(@project.issue_categories, 'id', 'name', @category.id), :id => 'issue_category_id', :name => 'issue[category_id]')
57 }
59 }
58 end
60 end
59 format.api { render :action => 'show', :status => :created, :location => issue_category_path(@category) }
61 format.api { render :action => 'show', :status => :created, :location => issue_category_path(@category) }
60 end
62 end
61 else
63 else
62 respond_to do |format|
64 respond_to do |format|
63 format.html { render :action => 'new'}
65 format.html { render :action => 'new'}
64 format.js do
66 format.js do
65 render(:update) {|page| page.alert(@category.errors.full_messages.join('\n')) }
67 render(:update) {|page| page.alert(@category.errors.full_messages.join('\n')) }
66 end
68 end
67 format.api { render_validation_errors(@category) }
69 format.api { render_validation_errors(@category) }
68 end
70 end
69 end
71 end
70 end
72 end
71
73
72 def edit
74 def edit
73 end
75 end
74
76
75 def update
77 def update
76 if @category.update_attributes(params[:issue_category])
78 @category.safe_attributes = params[:issue_category]
79 if @category.save
77 respond_to do |format|
80 respond_to do |format|
78 format.html {
81 format.html {
79 flash[:notice] = l(:notice_successful_update)
82 flash[:notice] = l(:notice_successful_update)
80 redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project
83 redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project
81 }
84 }
82 format.api { head :ok }
85 format.api { head :ok }
83 end
86 end
84 else
87 else
85 respond_to do |format|
88 respond_to do |format|
86 format.html { render :action => 'edit' }
89 format.html { render :action => 'edit' }
87 format.api { render_validation_errors(@category) }
90 format.api { render_validation_errors(@category) }
88 end
91 end
89 end
92 end
90 end
93 end
91
94
92 def destroy
95 def destroy
93 @issue_count = @category.issues.size
96 @issue_count = @category.issues.size
94 if @issue_count == 0 || params[:todo] || api_request?
97 if @issue_count == 0 || params[:todo] || api_request?
95 reassign_to = nil
98 reassign_to = nil
96 if params[:reassign_to_id] && (params[:todo] == 'reassign' || params[:todo].blank?)
99 if params[:reassign_to_id] && (params[:todo] == 'reassign' || params[:todo].blank?)
97 reassign_to = @project.issue_categories.find_by_id(params[:reassign_to_id])
100 reassign_to = @project.issue_categories.find_by_id(params[:reassign_to_id])
98 end
101 end
99 @category.destroy(reassign_to)
102 @category.destroy(reassign_to)
100 respond_to do |format|
103 respond_to do |format|
101 format.html { redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories' }
104 format.html { redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories' }
102 format.api { head :ok }
105 format.api { head :ok }
103 end
106 end
104 return
107 return
105 end
108 end
106 @categories = @project.issue_categories - [@category]
109 @categories = @project.issue_categories - [@category]
107 end
110 end
108
111
109 private
112 private
110 # Wrap ApplicationController's find_model_object method to set
113 # Wrap ApplicationController's find_model_object method to set
111 # @category instead of just @issue_category
114 # @category instead of just @issue_category
112 def find_model_object
115 def find_model_object
113 super
116 super
114 @category = @object
117 @category = @object
115 end
118 end
116
119
117 def find_project
120 def find_project
118 @project = Project.find(params[:project_id])
121 @project = Project.find(params[:project_id])
119 rescue ActiveRecord::RecordNotFound
122 rescue ActiveRecord::RecordNotFound
120 render_404
123 render_404
121 end
124 end
122 end
125 end
Show file before | Show file after | Hide comments
@@ -1,47 +1,48
1 # Redmine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
7 # of the License, or (at your option) any later version.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU General Public License
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 class IssueCategory < ActiveRecord::Base
18 class IssueCategory < ActiveRecord::Base
19 include Redmine::SafeAttributes
19 belongs_to :project
20 belongs_to :project
20 belongs_to :assigned_to, :class_name => 'Principal', :foreign_key => 'assigned_to_id'
21 belongs_to :assigned_to, :class_name => 'Principal', :foreign_key => 'assigned_to_id'
21 has_many :issues, :foreign_key => 'category_id', :dependent => :nullify
22 has_many :issues, :foreign_key => 'category_id', :dependent => :nullify
22
23
23 validates_presence_of :name
24 validates_presence_of :name
24 validates_uniqueness_of :name, :scope => [:project_id]
25 validates_uniqueness_of :name, :scope => [:project_id]
25 validates_length_of :name, :maximum => 30
26 validates_length_of :name, :maximum => 30
26
27
27 attr_protected :project_id
28 safe_attributes 'name', 'assigned_to_id'
28
29
29 named_scope :named, lambda {|arg| { :conditions => ["LOWER(#{table_name}.name) = LOWER(?)", arg.to_s.strip]}}
30 named_scope :named, lambda {|arg| { :conditions => ["LOWER(#{table_name}.name) = LOWER(?)", arg.to_s.strip]}}
30
31
31 alias :destroy_without_reassign :destroy
32 alias :destroy_without_reassign :destroy
32
33
33 # Destroy the category
34 # Destroy the category
34 # If a category is specified, issues are reassigned to this category
35 # If a category is specified, issues are reassigned to this category
35 def destroy(reassign_to = nil)
36 def destroy(reassign_to = nil)
36 if reassign_to && reassign_to.is_a?(IssueCategory) && reassign_to.project == self.project
37 if reassign_to && reassign_to.is_a?(IssueCategory) && reassign_to.project == self.project
37 Issue.update_all("category_id = #{reassign_to.id}", "category_id = #{id}")
38 Issue.update_all("category_id = #{reassign_to.id}", "category_id = #{id}")
38 end
39 end
39 destroy_without_reassign
40 destroy_without_reassign
40 end
41 end
41
42
42 def <=>(category)
43 def <=>(category)
43 name <=> category.name
44 name <=> category.name
44 end
45 end
45
46
46 def to_s; name end
47 def to_s; name end
47 end
48 end
General Comments 0
You need to be logged in to leave comments. Login now