jro_apps/redmine Commit - r4378:a4d7a99c22d9

Declare safe attributes for User and Projects models....

Jean-Philippe Lang -

r4378:a4d7a99c22d9

parent child

Context file:

r4378:a4d7a99c22d9

Collapse all files

app/controllers/my_controller.rb +1 -1

                 @user = User.current
                 @pref = @user.pref
                 if request.post?
-                  @user.attributes = params[:user]
+                  @user.safe_attributes = params[:user]
                   @user.mail_notification = params[:notification_option] || 'only_my_events'
                   @user.pref.attributes = params[:pref]
                   @user.pref[:no_self_notified] = (params[:no_self_notified] == '1')

app/controllers/projects_controller.rb +5 -3

               def create
                 @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
                 @trackers = Tracker.all
-                @project = Project.new(params[:project])
+                @project = Project.new
+                @project.safe_attributes = params[:project]
                 @project.enabled_module_names = params[:enabled_modules] if params[:enabled_modules]
                 if validate_parent_id && @project.save
                   end
                 else
                   Mailer.with_deliveries(params[:notifications] == '1') do
-                    @project = Project.new(params[:project])
+                    @project = Project.new
+                    @project.safe_attributes = params[:project]
                     @project.enabled_module_names = params[:enabled_modules]
                     if validate_parent_id && @project.copy(@source_project, :only => params[:only])
                       @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
               end
               def update
-                @project.attributes = params[:project]
+                @project.safe_attributes = params[:project]
                 if validate_parent_id && @project.save
                   @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
                   respond_to do |format|

app/controllers/users_controller.rb +3 -2

                 @notification_options = User::MAIL_NOTIFICATION_OPTIONS
                 @notification_option = Setting.default_notification_option
-                @user = User.new(params[:user])
+                @user = User.new
+                @user.safe_attributes = params[:user]
                 @user.admin = params[:user][:admin] || false
                 @user.login = params[:user][:login]
                 @user.password, @user.password_confirmation = params[:password], params[:password_confirmation] unless @user.auth_source_id
                   @user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
                 end
                 @user.group_ids = params[:user][:group_ids] if params[:user][:group_ids]
-                @user.attributes = params[:user]
+                @user.safe_attributes = params[:user]
                 # Was the account actived ? (do it before User#save clears the change)
                 was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])
                 # TODO: Similar to My#account

app/models/project.rb +11 0

             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class Project < ActiveRecord::Base
+              include Redmine::SafeAttributes
               # Project statuses
               STATUS_ACTIVE     = 1
               STATUS_ARCHIVED   = 9
               def enabled_module_names
                 enabled_modules.collect(&:name)
               end
+              safe_attributes 'name',
+                'description',
+                'homepage',
+                'is_public',
+                'identifier',
+                'custom_field_values',
+                'custom_fields',
+                'tracker_ids'
               # Returns an array of projects that are in this project's hierarchy
               #

app/models/user.rb +16 -1

             require "digest/sha1"
             class User < Principal
+              include Redmine::SafeAttributes
               # Account statuses
               STATUS_ANONYMOUS  = 0
               STATUS_ACTIVE     = 1
               def allowed_to_globally?(action, options)
                 allowed_to?(action, nil, options.reverse_merge(:global => true))
               end
+              safe_attributes 'login',
+                'firstname',
+                'lastname',
+                'mail',
+                'mail_notification',
+                'language',
+                'custom_field_values',
+                'custom_fields',
+                'identity_url'
+              safe_attributes 'status',
+                'auth_source_id',
+                :if => lambda {|user, current_user| current_user.admin?}
               # Utility method to help check if a user should be notified about an
               # event.

test/functional/projects_controller_test.rb +14 -6

                   end
                   should "create a new project" do
-                    post :create, :project => { :name => "blog",
+                    post :create,
-                                             :description => "weblog",
+                      :project => {
-                                             :identifier => "blog",
+                        :name => "blog",
-                                             :is_public => 1,
+                        :description => "weblog",
-                                             :custom_field_values => { '3' => 'Beta' }
+                        :homepage => 'http://weblog',
+                        :identifier => "blog",
+                        :is_public => 1,
+                        :custom_field_values => { '3' => 'Beta' },
+                        :tracker_ids => ['1', '3']
+                      }
                     assert_redirected_to '/projects/blog/settings'
                     project = Project.find_by_name('blog')
                     assert_kind_of Project, project
+                    assert project.active?
                     assert_equal 'weblog', project.description
+                    assert_equal 'http://weblog', project.homepage
                     assert_equal true, project.is_public?
                     assert_nil project.parent
+                    assert_equal 'Beta', project.custom_value_for(3).value
+                    assert_equal [1, 3], project.trackers.map(&:id).sort
                   end
                   should "create a new subproject" do

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages