Use safe_attributes in GroupsController....
Jean-Philippe Lang -
r9563:9f531a438085
@@ -1,172 +1,174
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2012 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class GroupsController < ApplicationController
19 19 layout 'admin'
20 20
21 21 before_filter :require_admin
22 22
23 23 helper :custom_fields
24 24
25 25 # GET /groups
26 26 # GET /groups.xml
27 27 def index
28 28 @groups = Group.find(:all, :order => 'lastname')
29 29
30 30 respond_to do |format|
31 31 format.html # index.html.erb
32 32 format.xml { render :xml => @groups }
33 33 end
34 34 end
35 35
36 36 # GET /groups/1
37 37 # GET /groups/1.xml
38 38 def show
39 39 @group = Group.find(params[:id])
40 40
41 41 respond_to do |format|
42 42 format.html # show.html.erb
43 43 format.xml { render :xml => @group }
44 44 end
45 45 end
46 46
47 47 # GET /groups/new
48 48 # GET /groups/new.xml
49 49 def new
50 50 @group = Group.new
51 51
52 52 respond_to do |format|
53 53 format.html # new.html.erb
54 54 format.xml { render :xml => @group }
55 55 end
56 56 end
57 57
58 58 # GET /groups/1/edit
59 59 def edit
60 60 @group = Group.find(params[:id], :include => :projects)
61 61 end
62 62
63 63 # POST /groups
64 64 # POST /groups.xml
65 65 def create
66 @group = Group.new(params[:group])
66 @group = Group.new
67 @group.safe_attributes = params[:group]
67 68
68 69 respond_to do |format|
69 70 if @group.save
70 71 format.html {
71 72 flash[:notice] = l(:notice_successful_create)
72 73 redirect_to(params[:continue] ? new_group_path : groups_path)
73 74 }
74 75 format.xml { render :xml => @group, :status => :created, :location => @group }
75 76 else
76 77 format.html { render :action => "new" }
77 78 format.xml { render :xml => @group.errors, :status => :unprocessable_entity }
78 79 end
79 80 end
80 81 end
81 82
82 83 # PUT /groups/1
83 84 # PUT /groups/1.xml
84 85 def update
85 86 @group = Group.find(params[:id])
87 @group.safe_attributes = params[:group]
86 88
87 89 respond_to do |format|
88 if @group.update_attributes(params[:group])
90 if @group.save
89 91 flash[:notice] = l(:notice_successful_update)
90 92 format.html { redirect_to(groups_path) }
91 93 format.xml { head :ok }
92 94 else
93 95 format.html { render :action => "edit" }
94 96 format.xml { render :xml => @group.errors, :status => :unprocessable_entity }
95 97 end
96 98 end
97 99 end
98 100
99 101 # DELETE /groups/1
100 102 # DELETE /groups/1.xml
101 103 def destroy
102 104 @group = Group.find(params[:id])
103 105 @group.destroy
104 106
105 107 respond_to do |format|
106 108 format.html { redirect_to(groups_url) }
107 109 format.xml { head :ok }
108 110 end
109 111 end
110 112
111 113 def add_users
112 114 @group = Group.find(params[:id])
113 115 users = User.find_all_by_id(params[:user_ids])
114 116 @group.users << users if request.post?
115 117 respond_to do |format|
116 118 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'users' }
117 119 format.js {
118 120 render(:update) {|page|
119 121 page.replace_html "tab-content-users", :partial => 'groups/users'
120 122 users.each {|user| page.visual_effect(:highlight, "user-#{user.id}") }
121 123 }
122 124 }
123 125 end
124 126 end
125 127
126 128 def remove_user
127 129 @group = Group.find(params[:id])
128 130 @group.users.delete(User.find(params[:user_id])) if request.delete?
129 131 respond_to do |format|
130 132 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'users' }
131 133 format.js { render(:update) {|page| page.replace_html "tab-content-users", :partial => 'groups/users'} }
132 134 end
133 135 end
134 136
135 137 def autocomplete_for_user
136 138 @group = Group.find(params[:id])
137 139 @users = User.active.not_in_group(@group).like(params[:q]).all(:limit => 100)
138 140 render :layout => false
139 141 end
140 142
141 143 def edit_membership
142 144 @group = Group.find(params[:id])
143 145 @membership = Member.edit_membership(params[:membership_id], params[:membership], @group)
144 146 @membership.save if request.post?
145 147 respond_to do |format|
146 148 if @membership.valid?
147 149 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'memberships' }
148 150 format.js {
149 151 render(:update) {|page|
150 152 page.replace_html "tab-content-memberships", :partial => 'groups/memberships'
151 153 page.visual_effect(:highlight, "member-#{@membership.id}")
152 154 }
153 155 }
154 156 else
155 157 format.js {
156 158 render(:update) {|page|
157 159 page.alert(l(:notice_failed_to_save_members, :errors => @membership.errors.full_messages.join(', ')))
158 160 }
159 161 }
160 162 end
161 163 end
162 164 end
163 165
164 166 def destroy_membership
165 167 @group = Group.find(params[:id])
166 168 Member.find(params[:membership_id]).destroy if request.post?
167 169 respond_to do |format|
168 170 format.html { redirect_to :controller => 'groups', :action => 'edit', :id => @group, :tab => 'memberships' }
169 171 format.js { render(:update) {|page| page.replace_html "tab-content-memberships", :partial => 'groups/memberships'} }
170 172 end
171 173 end
172 174 end
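Review bot: The new `@group.safe_attributes = params[:group]` in `create` and `update` silently discards any key outside the model's whitelist instead of rejecting it, so an XML client that posts, say, `group[lastname]` or `group[user_ids]` still gets 201/200 with nothing applied; that is the intended safe_attributes contract but it is not visible from the controller. I would add a comment above both assignments: `# Mass-assignment is filtered by Group#safe_attributes=; keys that are not whitelisted in the model are dropped silently, not reported as errors.` The old `update_attributes(params[:group])` was a no-op when the param was absent, whereas `safe_attributes=` presumably guards against a nil argument itself — worth confirming for the `PUT /groups/1.xml` path with an empty body, since a failure there would surface as a 500 rather than a 422. The whitelist's `:if` lambda is evaluated against `User.current`, so these actions rely on `require_admin` and the user setup filter having run; that is true here but should be kept in mind if the actions are ever reused outside the admin layout.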
@@ -1,76 +1,83
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2012 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class Group < Principal
19 include Redmine::SafeAttributes
20
19 21 has_and_belongs_to_many :users, :after_add => :user_added,
20 22 :after_remove => :user_removed
21 23
22 24 acts_as_customizable
23 25
24 26 validates_presence_of :lastname
25 27 validates_uniqueness_of :lastname, :case_sensitive => false
26 28 validates_length_of :lastname, :maximum => 30
27 29
28 30 before_destroy :remove_references_before_destroy
29 31
32 safe_attributes 'name',
33 'custom_field_values',
34 'custom_fields',
35 :if => lambda {|group, user| user.admin?}
36
30 37 def to_s
31 38 lastname.to_s
32 39 end
33 40
34 41 def name
35 42 lastname
36 43 end
37 44
38 45 def name=(arg)
39 46 self.lastname = arg
40 47 end
41 48
42 49 def user_added(user)
43 50 members.each do |member|
44 51 next if member.project.nil?
45 52 user_member = Member.find_by_project_id_and_user_id(member.project_id, user.id) || Member.new(:project_id => member.project_id, :user_id => user.id)
46 53 member.member_roles.each do |member_role|
47 54 user_member.member_roles << MemberRole.new(:role => member_role.role, :inherited_from => member_role.id)
48 55 end
49 56 user_member.save!
50 57 end
51 58 end
52 59
53 60 def user_removed(user)
54 61 members.each do |member|
55 62 MemberRole.find(:all, :include => :member,
56 63 :conditions => ["#{Member.table_name}.user_id = ? AND #{MemberRole.table_name}.inherited_from IN (?)", user.id, member.member_role_ids]).each(&:destroy)
57 64 end
58 65 end
59 66
60 67 def self.human_attribute_name(attribute_key_name, *args)
61 68 attr_name = attribute_key_name.to_s
62 69 if attr_name == 'lastname'
63 70 attr_name = "name"
64 71 end
65 72 super(attr_name, *args)
66 73 end
67 74
68 75 private
69 76
70 77 # Removes references that are not handled by associations
71 78 def remove_references_before_destroy
72 79 return if self.id.nil?
73 80
74 81 Issue.update_all 'assigned_to_id = NULL', ['assigned_to_id = ?', id]
75 82 end
76 83 end
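Review bot: The added `safe_attributes` list whitelists `'name'` but not the underlying column `lastname`, and it deliberately leaves out `users`/`user_ids`, so group membership cannot be mass-assigned and must go through the controller's add/remove actions; neither decision is explained in the file. I would put a short comment above the declaration: `# Mass-assignment whitelist. 'name' maps to the lastname column via name=; members are intentionally excluded so they can only be changed through GroupsController#add_users/#remove_user.` The `:if => lambda {|group, user| user.admin?}` guard means no attribute is assignable unless the current user is an admin, which duplicates the controller's `require_admin` filter — fine as defence in depth, but a one-line note saying so would stop a future maintainer from "simplifying" one of the two away.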