Prevent mass-assignment when adding/updating a document (#10390)....
Jean-Philippe Lang -
r9010:809d35d34bc4
@@ -47,11 +47,13 class DocumentsController < ApplicationController
47 end
47 end
48
48
49 def new
49 def new
50 @document = @project.documents.build(params[:document])
50 @document = @project.documents.build
51 @document.safe_attributes = params[:document]
51 end
52 end
52
53
53 def create
54 def create
54 @document = @project.documents.build(params[:document])
55 @document = @project.documents.build
56 @document.safe_attributes = params[:document]
55 @document.save_attachments(params[:attachments])
57 @document.save_attachments(params[:attachments])
56 if @document.save
58 if @document.save
57 render_attachment_warning_if_needed(@document)
59 render_attachment_warning_if_needed(@document)
@@ -66,7 +68,8 class DocumentsController < ApplicationController
66 end
68 end
67
69
68 def update
70 def update
69 if request.put? and @document.update_attributes(params[:document])
71 @document.safe_attributes = params[:document]
72 if request.put? and @document.save
70 flash[:notice] = l(:notice_successful_update)
73 flash[:notice] = l(:notice_successful_update)
71 redirect_to :action => 'show', :id => @document
74 redirect_to :action => 'show', :id => @document
72 else
75 else
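Review bot: In `update` the new line 71 assigns `params[:document]` to the record before `request.put?` is evaluated on line 72, so a request with any other verb that reaches this action still has the submitted attributes applied to `@document` in memory before the `else` branch (outside the hunk) runs; the replaced code only touched the record once the verb check had passed. Guarding the assignment restores that ordering: `@document.safe_attributes = params[:document] if request.put?`. As a point of style, `and` on line 72 is the low-precedence keyword form; `&&` is the idiomatic operator inside a boolean condition. The body of `update` continues past the end of the hunk.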
@@ -16,6 +16,7
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 class Document < ActiveRecord::Base
18 class Document < ActiveRecord::Base
19 include Redmine::SafeAttributes
19 belongs_to :project
20 belongs_to :project
20 belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
21 belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
21 acts_as_attachable :delete_permission => :manage_documents
22 acts_as_attachable :delete_permission => :manage_documents
@@ -32,6 +33,8 class Document < ActiveRecord::Base
32 named_scope :visible, lambda {|*args| { :include => :project,
33 named_scope :visible, lambda {|*args| { :include => :project,
33 :conditions => Project.allowed_to_condition(args.shift || User.current, :view_documents, *args) } }
34 :conditions => Project.allowed_to_condition(args.shift || User.current, :view_documents, *args) } }
34
35
36 safe_attributes 'category_id', 'title', 'description'
37
35 def visible?(user=User.current)
38 def visible?(user=User.current)
36 !user.nil? && user.allowed_to?(:view_documents, project)
39 !user.nil? && user.allowed_to?(:view_documents, project)
37 end
40 end
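Review bot: The `safe_attributes` declaration on line 36 makes `category_id` mass-assignable, and nothing in this hunk checks that a submitted id refers to an existing DocumentCategory; if the validations outside the hunk do not already require `category`, an arbitrary id would be stored until the association is dereferenced. Worth confirming that a `validates_presence_of :category` (or equivalent) is in place. A short comment on the declaration would also tell future maintainers why `project_id` is deliberately absent from the list: `# project is set by the controller through the association, never from params`. The `include Redmine::SafeAttributes` on line 19 is the required counterpart of the declaration and looks correct.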