Verify assigned_to_id when assigning safe_attributes (#22127)....
Jean-Philippe Lang -
r14841:9473a373a50d
@@ -495,6 +495,17 class Issue < ActiveRecord::Base
495 if new_record? && !statuses_allowed.include?(status)
495 if new_record? && !statuses_allowed.include?(status)
496 self.status = statuses_allowed.first || default_status
496 self.status = statuses_allowed.first || default_status
497 end
497 end
498 if (u = attrs.delete('assigned_to_id')) && safe_attribute?('assigned_to_id')
499 if u.blank?
500 self.assigned_to_id = nil
501 else
502 u = u.to_i
503 if assignable_users.any?{|assignable_user| assignable_user.id == u}
504 self.assigned_to_id = u
505 end
506 end
507 end
508
498
509
499 attrs = delete_unsafe_attributes(attrs, user)
510 attrs = delete_unsafe_attributes(attrs, user)
500 return if attrs.empty?
511 return if attrs.empty?
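Review bot: The assignee check at new lines 498–507 only matches the string key `'assigned_to_id'`, so whether it is a complete gate depends on code outside this hunk (the method starts and ends elsewhere). If `attrs` can arrive with a symbol key, `attrs.delete('assigned_to_id')` returns nil and the value may reach the generic assignment after `delete_unsafe_attributes` without the `assignable_users` test. If keys are not already normalised earlier in the method, normalise them before this block, or back the rule with a model validation so it also holds for callers that set `assigned_to_id` directly. A short comment such as `# an id outside assignable_users is ignored; the current assignee is kept` would document the silent-drop behaviour that the new test relies on.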
@@ -790,6 +790,40 class IssueTest < ActiveSupport::TestCase
790 assert_nil issue.custom_field_value(cf2)
790 assert_nil issue.custom_field_value(cf2)
791 end
791 end
792
792
793 def test_safe_attributes_should_ignore_unassignable_assignee
794 issue = Issue.new(:project_id => 1, :tracker_id => 1, :author_id => 3,
795 :status_id => 1, :priority => IssuePriority.all.first,
796 :subject => 'test_create')
797 assert issue.valid?
798
799 # locked user, not allowed
800 issue.safe_attributes=({'assigned_to_id' => '5'})
801 assert_nil issue.assigned_to_id
802 # no member
803 issue.safe_attributes=({'assigned_to_id' => '1'})
804 assert_nil issue.assigned_to_id
805 # user 2 is ok
806 issue.safe_attributes=({'assigned_to_id' => '2'})
807 assert_equal 2, issue.assigned_to_id
808 assert issue.save
809
810 issue.reload
811 assert_equal 2, issue.assigned_to_id
812 issue.safe_attributes=({'assigned_to_id' => '5'})
813 assert_equal 2, issue.assigned_to_id
814 issue.safe_attributes=({'assigned_to_id' => '1'})
815 assert_equal 2, issue.assigned_to_id
816 # user 3 is also ok
817 issue.safe_attributes=({'assigned_to_id' => '3'})
818 assert_equal 3, issue.assigned_to_id
819 assert issue.save
820
821 # removal of assignee
822 issue.safe_attributes=({'assigned_to_id' => ''})
823 assert_nil issue.assigned_to_id
824 assert issue.save
825 end
826
793 def test_editable_custom_field_values_should_return_non_readonly_custom_values
827 def test_editable_custom_field_values_should_return_non_readonly_custom_values
794 cf1 = IssueCustomField.create!(:name => 'Writable field', :field_format => 'string',
828 cf1 = IssueCustomField.create!(:name => 'Writable field', :field_format => 'string',
795 :is_for_all => true, :tracker_ids => [1, 2])
829 :is_for_all => true, :tracker_ids => [1, 2])
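Review bot: test_safe_attributes_should_ignore_unassignable_assignee (new lines 793–825) covers locked, non-member and blank values but no malformed id, although the setter converts the value with `to_i`. Adding `issue.safe_attributes=({'assigned_to_id' => 'abc'})` followed by `assert_nil issue.assigned_to_id` next to the checks at new lines 799–804 would pin that non-numeric input is ignored. The test also never exercises the branch where `safe_attribute?('assigned_to_id')` is false, so a case with a user who may not set the assignee would cover the other half of the condition. The comments `# locked user, not allowed` and `# no member` depend on fixture data not visible here, so a one-line comment naming the fixtures they assume would make the expectations easier to check.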