Use safe_attributes in GroupsController....
Jean-Philippe Lang -
r9563:9f531a438085
@@ -1,172 +1,174
1 # Redmine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2012 Jean-Philippe Lang
2 # Copyright (C) 2006-2012 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
7 # of the License, or (at your option) any later version.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU General Public License
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 class GroupsController < ApplicationController
18 class GroupsController < ApplicationController
19 layout 'admin'
19 layout 'admin'
20
20
21 before_filter :require_admin
21 before_filter :require_admin
22
22
23 helper :custom_fields
23 helper :custom_fields
24
24
25 # GET /groups
25 # GET /groups
26 # GET /groups.xml
26 # GET /groups.xml
27 def index
27 def index
28 @groups = Group.find(:all, :order => 'lastname')
28 @groups = Group.find(:all, :order => 'lastname')
29
29
30 respond_to do |format|
30 respond_to do |format|
31 format.html # index.html.erb
31 format.html # index.html.erb
32 format.xml { render :xml => @groups }
32 format.xml { render :xml => @groups }
33 end
33 end
34 end
34 end
35
35
36 # GET /groups/1
36 # GET /groups/1
37 # GET /groups/1.xml
37 # GET /groups/1.xml
38 def show
38 def show
39 @group = Group.find(params[:id])
39 @group = Group.find(params[:id])
40
40
41 respond_to do |format|
41 respond_to do |format|
42 format.html # show.html.erb
42 format.html # show.html.erb
43 format.xml { render :xml => @group }
43 format.xml { render :xml => @group }
44 end
44 end
45 end
45 end
46
46
47 # GET /groups/new
47 # GET /groups/new
48 # GET /groups/new.xml
48 # GET /groups/new.xml
49 def new
49 def new
50 @group = Group.new
50 @group = Group.new
51
51
52 respond_to do |format|
52 respond_to do |format|
53 format.html # new.html.erb
53 format.html # new.html.erb
54 format.xml { render :xml => @group }
54 format.xml { render :xml => @group }
55 end
55 end
56 end
56 end
57
57
58 # GET /groups/1/edit
58 # GET /groups/1/edit
59 def edit
59 def edit
60 @group = Group.find(params[:id], :include => :projects)
60 @group = Group.find(params[:id], :include => :projects)
61 end
61 end
62
62
63 # POST /groups
63 # POST /groups
64 # POST /groups.xml
64 # POST /groups.xml
65 def create
65 def create
66 @group = Group.new(params[:group])
66 @group = Group.new
67 @group.safe_attributes = params[:group]
67
68
68 respond_to do |format|
69 respond_to do |format|
69 if @group.save
70 if @group.save
70 format.html {
71 format.html {
71 flash[:notice] = l(:notice_successful_create)
72 flash[:notice] = l(:notice_successful_create)
72 redirect_to(params[:continue] ? new_group_path : groups_path)
73 redirect_to(params[:continue] ? new_group_path : groups_path)
73 }
74 }
74 format.xml { render :xml => @group, :status => :created, :location => @group }
75 format.xml { render :xml => @group, :status => :created, :location => @group }
75 else
76 else
76 format.html { render :action => "new" }
77 format.html { render :action => "new" }
77 format.xml { render :xml => @group.errors, :status => :unprocessable_entity }
78 format.xml { render :xml => @group.errors, :status => :unprocessable_entity }
78 end
79 end
79 end
80 end
80 end
81 end
81
82
82 # PUT /groups/1
83 # PUT /groups/1
83 # PUT /groups/1.xml
84 # PUT /groups/1.xml
84 def update
85 def update
85 @group = Group.find(params[:id])
86 @group = Group.find(params[:id])
87 @group.safe_attributes = params[:group]
86
88
87 respond_to do |format|
89 respond_to do |format|
88 if @group.update_attributes(params[:group])
90 if @group.save
89 flash[:notice] = l(:notice_successful_update)
91 flash[:notice] = l(:notice_successful_update)
90 format.html { redirect_to(groups_path) }
92 format.html { redirect_to(groups_path) }
91 format.xml { head :ok }
93 format.xml { head :ok }
92 else
94 else
93 format.html { render :action => "edit" }
95 format.html { render :action => "edit" }
94 format.xml { render :xml => @group.errors, :status => :unprocessable_entity }
96 format.xml { render :xml => @group.errors, :status => :unprocessable_entity }
95 end
97 end
96 end
98 end
97 end
99 end
98
100
99 # DELETE /groups/1
101 # DELETE /groups/1
100 # DELETE /groups/1.xml
102 # DELETE /groups/1.xml
101 def destroy
103 def destroy
102 @group = Group.find(params[:id])
104 @group = Group.find(params[:id])
103 @group.destroy
105 @group.destroy
104
106
105 respond_to do |format|
107 respond_to do |format|
106 format.html { redirect_to(groups_url) }
108 format.html { redirect_to(groups_url) }
107 format.xml { head :ok }
109 format.xml { head :ok }
108 end
110 end
109 end
111 end
110
112
111 def add_users
113 def add_users
112 @group = Group.find(params[:id])
114 @group = Group.find(params[:id])
113 users = User.find_all_by_id(params[:user_ids])
115 users = User.find_all_by_id(params[:user_ids])
114 @group.users << users if request.post?
116 @group.users << users if request.post?
115 respond_to do |format|
117 respond_to do |format|
116 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'users' }
118 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'users' }
117 format.js {
119 format.js {
118 render(:update) {|page|
120 render(:update) {|page|
119 page.replace_html "tab-content-users", :partial => 'groups/users'
121 page.replace_html "tab-content-users", :partial => 'groups/users'
120 users.each {|user| page.visual_effect(:highlight, "user-#{user.id}") }
122 users.each {|user| page.visual_effect(:highlight, "user-#{user.id}") }
121 }
123 }
122 }
124 }
123 end
125 end
124 end
126 end
125
127
126 def remove_user
128 def remove_user
127 @group = Group.find(params[:id])
129 @group = Group.find(params[:id])
128 @group.users.delete(User.find(params[:user_id])) if request.delete?
130 @group.users.delete(User.find(params[:user_id])) if request.delete?
129 respond_to do |format|
131 respond_to do |format|
130 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'users' }
132 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'users' }
131 format.js { render(:update) {|page| page.replace_html "tab-content-users", :partial => 'groups/users'} }
133 format.js { render(:update) {|page| page.replace_html "tab-content-users", :partial => 'groups/users'} }
132 end
134 end
133 end
135 end
134
136
135 def autocomplete_for_user
137 def autocomplete_for_user
136 @group = Group.find(params[:id])
138 @group = Group.find(params[:id])
137 @users = User.active.not_in_group(@group).like(params[:q]).all(:limit => 100)
139 @users = User.active.not_in_group(@group).like(params[:q]).all(:limit => 100)
138 render :layout => false
140 render :layout => false
139 end
141 end
140
142
141 def edit_membership
143 def edit_membership
142 @group = Group.find(params[:id])
144 @group = Group.find(params[:id])
143 @membership = Member.edit_membership(params[:membership_id], params[:membership], @group)
145 @membership = Member.edit_membership(params[:membership_id], params[:membership], @group)
144 @membership.save if request.post?
146 @membership.save if request.post?
145 respond_to do |format|
147 respond_to do |format|
146 if @membership.valid?
148 if @membership.valid?
147 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'memberships' }
149 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'memberships' }
148 format.js {
150 format.js {
149 render(:update) {|page|
151 render(:update) {|page|
150 page.replace_html "tab-content-memberships", :partial => 'groups/memberships'
152 page.replace_html "tab-content-memberships", :partial => 'groups/memberships'
151 page.visual_effect(:highlight, "member-#{@membership.id}")
153 page.visual_effect(:highlight, "member-#{@membership.id}")
152 }
154 }
153 }
155 }
154 else
156 else
155 format.js {
157 format.js {
156 render(:update) {|page|
158 render(:update) {|page|
157 page.alert(l(:notice_failed_to_save_members, :errors => @membership.errors.full_messages.join(', ')))
159 page.alert(l(:notice_failed_to_save_members, :errors => @membership.errors.full_messages.join(', ')))
158 }
160 }
159 }
161 }
160 end
162 end
161 end
163 end
162 end
164 end
163
165
164 def destroy_membership
166 def destroy_membership
165 @group = Group.find(params[:id])
167 @group = Group.find(params[:id])
166 Member.find(params[:membership_id]).destroy if request.post?
168 Member.find(params[:membership_id]).destroy if request.post?
167 respond_to do |format|
169 respond_to do |format|
168 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'memberships' }
170 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'memberships' }
169 format.js { render(:update) {|page| page.replace_html "tab-content-memberships", :partial => 'groups/memberships'} }
171 format.js { render(:update) {|page| page.replace_html "tab-content-memberships", :partial => 'groups/memberships'} }
170 end
172 end
171 end
173 end
172 end
174 end
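Review bot: In `update` the `flash[:notice] = l(:notice_successful_update)` on new line 91 runs before the `format` dispatch, so a successful XML PUT also writes a notice into the session, whereas `create` on new lines 71-72 sets it inside `format.html`; moving it to `format.html { flash[:notice] = l(:notice_successful_update); redirect_to(groups_path) }` keeps the two actions consistent. The two new `@group.safe_attributes = params[:group]` lines (new 67 and 87) would also benefit from a one-line comment, e.g. `# mass assignment goes through Group's safe_attributes list, never the raw params hash`, since a reader no longer sees the attribute whitelist from the controller. Whether `safe_attributes=` tolerates a missing or non-Hash `params[:group]` is not visible on this page and is worth confirming, because the replaced `Group.new(params[:group])` accepted nil without error.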
@@ -1,76 +1,83
1 # Redmine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2012 Jean-Philippe Lang
2 # Copyright (C) 2006-2012 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
7 # of the License, or (at your option) any later version.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU General Public License
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 class Group < Principal
18 class Group < Principal
19 include Redmine::SafeAttributes
20
19 has_and_belongs_to_many :users, :after_add => :user_added,
21 has_and_belongs_to_many :users, :after_add => :user_added,
20 :after_remove => :user_removed
22 :after_remove => :user_removed
21
23
22 acts_as_customizable
24 acts_as_customizable
23
25
24 validates_presence_of :lastname
26 validates_presence_of :lastname
25 validates_uniqueness_of :lastname, :case_sensitive => false
27 validates_uniqueness_of :lastname, :case_sensitive => false
26 validates_length_of :lastname, :maximum => 30
28 validates_length_of :lastname, :maximum => 30
27
29
28 before_destroy :remove_references_before_destroy
30 before_destroy :remove_references_before_destroy
29
31
32 safe_attributes 'name',
33 'custom_field_values',
34 'custom_fields',
35 :if => lambda {|group, user| user.admin?}
36
30 def to_s
37 def to_s
31 lastname.to_s
38 lastname.to_s
32 end
39 end
33
40
34 def name
41 def name
35 lastname
42 lastname
36 end
43 end
37
44
38 def name=(arg)
45 def name=(arg)
39 self.lastname = arg
46 self.lastname = arg
40 end
47 end
41
48
42 def user_added(user)
49 def user_added(user)
43 members.each do |member|
50 members.each do |member|
44 next if member.project.nil?
51 next if member.project.nil?
45 user_member = Member.find_by_project_id_and_user_id(member.project_id, user.id) || Member.new(:project_id => member.project_id, :user_id => user.id)
52 user_member = Member.find_by_project_id_and_user_id(member.project_id, user.id) || Member.new(:project_id => member.project_id, :user_id => user.id)
46 member.member_roles.each do |member_role|
53 member.member_roles.each do |member_role|
47 user_member.member_roles << MemberRole.new(:role => member_role.role, :inherited_from => member_role.id)
54 user_member.member_roles << MemberRole.new(:role => member_role.role, :inherited_from => member_role.id)
48 end
55 end
49 user_member.save!
56 user_member.save!
50 end
57 end
51 end
58 end
52
59
53 def user_removed(user)
60 def user_removed(user)
54 members.each do |member|
61 members.each do |member|
55 MemberRole.find(:all, :include => :member,
62 MemberRole.find(:all, :include => :member,
56 :conditions => ["#{Member.table_name}.user_id = ? AND #{MemberRole.table_name}.inherited_from IN (?)", user.id, member.member_role_ids]).each(&:destroy)
63 :conditions => ["#{Member.table_name}.user_id = ? AND #{MemberRole.table_name}.inherited_from IN (?)", user.id, member.member_role_ids]).each(&:destroy)
57 end
64 end
58 end
65 end
59
66
60 def self.human_attribute_name(attribute_key_name, *args)
67 def self.human_attribute_name(attribute_key_name, *args)
61 attr_name = attribute_key_name.to_s
68 attr_name = attribute_key_name.to_s
62 if attr_name == 'lastname'
69 if attr_name == 'lastname'
63 attr_name = "name"
70 attr_name = "name"
64 end
71 end
65 super(attr_name, *args)
72 super(attr_name, *args)
66 end
73 end
67
74
68 private
75 private
69
76
70 # Removes references that are not handled by associations
77 # Removes references that are not handled by associations
71 def remove_references_before_destroy
78 def remove_references_before_destroy
72 return if self.id.nil?
79 return if self.id.nil?
73
80
74 Issue.update_all 'assigned_to_id = NULL', ['assigned_to_id = ?', id]
81 Issue.update_all 'assigned_to_id = NULL', ['assigned_to_id = ?', id]
75 end
82 end
76 end
83 end
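Review bot: The new `safe_attributes` declaration on new lines 32-35 carries no comment stating that the list is admin-gated only, so for any other user no attribute is safe and the whole submitted hash is presumably discarded rather than rejected; a comment such as `# Only admins may mass-assign group attributes; for anyone else the safe list is empty and safe_attributes= drops every key` would make that deny-by-default intent explicit for the next maintainer. It is also worth noting in the same comment that `name` is accepted while the validated column is `lastname`, which works only because `name=` on new line 45 forwards to `self.lastname`, so renaming or removing that setter would silently make the group name unassignable. Whether the `user` passed to the `:if` lambda can ever be nil is not visible on this page; if it can, `user.admin?` on new line 35 would raise instead of denying.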