Prevent mass-assignment when adding/updating a document (#10390)....
Jean-Philippe Lang -
r9010:809d35d34bc4
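--- a/<path not shown: DocumentsController>
+++ b/<path not shown: DocumentsController>
@@ -47,11 +47,13 @@ class DocumentsController < ApplicationController
 end
 
 def new
-@document = @project.documents.build(params[:document])
+@document = @project.documents.build
+@document.safe_attributes = params[:document]
 end
 
 def create
-@document = @project.documents.build(params[:document])
+@document = @project.documents.build
+@document.safe_attributes = params[:document]
 @document.save_attachments(params[:attachments])
 if @document.save
 render_attachment_warning_if_needed(@document)
@@ -66,7 +68,8 @@ class DocumentsController < ApplicationController
 end
 
 def update
-if request.put? and @document.update_attributes(params[:document])
+@document.safe_attributes = params[:document]
+if request.put? and @document.save
 flash[:notice] = l(:notice_successful_update)
 redirect_to :action => 'show', :id => @document
 else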
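Review bot: In `update` the new line `@document.safe_attributes = params[:document]` now runs before the `request.put?` test, whereas the replaced line only touched the record when the request was a PUT, so a non-PUT request mutates the in-memory document before falling into the else branch that continues past the hunk. Keeping the original ordering is a one-line change, `@document.safe_attributes = params[:document] if request.put?`, or the assignment can move inside an `if request.put?` block around the save. The same line also passes `params[:document]` straight through, which is nil when the form parameter is absent; whether the setter tolerates nil is not visible here and is worth confirming. As a style point, `if request.put? and @document.save` uses the low-precedence keyword form and reads more safely as `&&`, and `new` and `create` now repeat the identical build/assign pair, which could live in one private helper.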
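--- a/<path not shown: Document model>
+++ b/<path not shown: Document model>
@@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class Document < ActiveRecord::Base
+include Redmine::SafeAttributes
 belongs_to :project
 belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
 acts_as_attachable :delete_permission => :manage_documents
@@ -32,6 +33,8 @@ class Document < ActiveRecord::Base
 named_scope :visible, lambda {|*args| { :include => :project,
 :conditions => Project.allowed_to_condition(args.shift || User.current, :view_documents, *args) } }
 
+safe_attributes 'category_id', 'title', 'description'
+
 def visible?(user=User.current)
 !user.nil? && user.allowed_to?(:view_documents, project)
 end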
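Review bot: The new `safe_attributes 'category_id', 'title', 'description'` declaration carries no comment explaining that it is the mass-assignment whitelist consumed by `safe_attributes=`, nor why `project_id` is left out, so a reader has to go to the controller to learn that the project is fixed by `@project.documents.build` rather than taken from params. Suggest `# Whitelist for safe_attributes=; project is set by the controller, never from params.` directly above the line. Whether a submitted `category_id` is checked against existing DocumentCategory records is not visible in this hunk, since `belongs_to :category` carries no validation here; if no such check exists elsewhere in the class, one belongs next to this whitelist. The Document class continues outside both hunks.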