Declare safe attributes for User and Projects models....
Jean-Philippe Lang -
r4378:a4d7a99c22d9
@@ -53,7 +53,7 class MyController < ApplicationController
53 53 @user = User.current
54 54 @pref = @user.pref
55 55 if request.post?
56 @user.attributes = params[:user]
56 @user.safe_attributes = params[:user]
57 57 @user.mail_notification = params[:notification_option] || 'only_my_events'
58 58 @user.pref.attributes = params[:pref]
59 59 @user.pref[:no_self_notified] = (params[:no_self_notified] == '1')
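Review bot: `@user.pref.attributes = params[:pref]` on line 58 still mass-assigns the preference record straight from the request, so the filtering introduced for `@user` on line 56 does not extend to `@user.pref`. If the model behind `@user.pref` has columns a user should not be able to set for themselves, give it the same `include Redmine::SafeAttributes` / `safe_attributes` declaration used here for User and Project and change the line to `@user.pref.safe_attributes = params[:pref]`; if every preference column is meant to be user-editable, a one-line comment saying so would keep the next reader from flagging it. The enclosing action starts before the hunk, so I cannot see whether `params[:pref]` is guaranteed to be present.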
@@ -72,7 +72,8 class ProjectsController < ApplicationController
72 72 def create
73 73 @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
74 74 @trackers = Tracker.all
75 @project = Project.new(params[:project])
75 @project = Project.new
76 @project.safe_attributes = params[:project]
76 77
77 78 @project.enabled_module_names = params[:enabled_modules] if params[:enabled_modules]
78 79 if validate_parent_id && @project.save
@@ -115,7 +116,8 class ProjectsController < ApplicationController
115 116 end
116 117 else
117 118 Mailer.with_deliveries(params[:notifications] == '1') do
118 @project = Project.new(params[:project])
119 @project = Project.new
120 @project.safe_attributes = params[:project]
119 121 @project.enabled_module_names = params[:enabled_modules]
120 122 if validate_parent_id && @project.copy(@source_project, :only => params[:only])
121 123 @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
@@ -181,7 +183,7 class ProjectsController < ApplicationController
181 183 end
182 184
183 185 def update
184 @project.attributes = params[:project]
186 @project.safe_attributes = params[:project]
185 187 if validate_parent_id && @project.save
186 188 @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
187 189 respond_to do |format|
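Review bot: Each of the three `@project.safe_attributes = params[:project]` lines (76, 120 and 186) deliberately leaves `parent_id` to the `validate_parent_id` and `set_allowed_parent!` calls a few lines below, but nothing in the code says so, and the `has_key?('parent_id')` check is the only hint. A short comment at the first site, e.g. `# parent_id is not a safe attribute: it is checked by validate_parent_id and assigned via set_allowed_parent!`, would document the split and tell anyone later adding `'parent_id'` to the Project safe list why that would bypass the check. `create` and the copy branch also build the project with the same two-line `Project.new` / `safe_attributes=` sequence; if more actions follow, a small private helper would keep them in sync. Both `create` and `update` continue past the hunk boundaries.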
@@ -97,7 +97,8 class UsersController < ApplicationController
97 97 @notification_options = User::MAIL_NOTIFICATION_OPTIONS
98 98 @notification_option = Setting.default_notification_option
99 99
100 @user = User.new(params[:user])
100 @user = User.new
101 @user.safe_attributes = params[:user]
101 102 @user.admin = params[:user][:admin] || false
102 103 @user.login = params[:user][:login]
103 104 @user.password, @user.password_confirmation = params[:password], params[:password_confirmation] unless @user.auth_source_id
@@ -155,7 +156,7 class UsersController < ApplicationController
155 156 @user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
156 157 end
157 158 @user.group_ids = params[:user][:group_ids] if params[:user][:group_ids]
158 @user.attributes = params[:user]
159 @user.safe_attributes = params[:user]
159 160 # Was the account actived ? (do it before User#save clears the change)
160 161 was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])
161 162 # TODO: Similar to My#account
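Review bot: `@user.login = params[:user][:login]` on line 103 is now redundant, because `'login'` is declared as an unconditional safe attribute on User and the preceding `safe_attributes=` on line 101 already copies it; either drop the line or, if the intent is that `login` should only be settable here and not through `safe_attributes=`, remove it from the safe list instead. Line 102 sets `@user.admin` directly from `params[:user][:admin]`, which is presumably fine because this controller is admin-only and `'admin'` is intentionally absent from the safe list, but that reasoning is worth a comment such as `# admin is not a safe attribute; it is assigned explicitly because only administrators reach this action`. The same applies to `group_ids` on line 158 in the update hunk. Both actions start outside the hunks.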
@@ -16,6 +16,8
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class Project < ActiveRecord::Base
19 include Redmine::SafeAttributes
20
19 21 # Project statuses
20 22 STATUS_ACTIVE = 1
21 23 STATUS_ARCHIVED = 9
@@ -520,6 +522,15 class Project < ActiveRecord::Base
520 522 def enabled_module_names
521 523 enabled_modules.collect(&:name)
522 524 end
525
526 safe_attributes 'name',
527 'description',
528 'homepage',
529 'is_public',
530 'identifier',
531 'custom_field_values',
532 'custom_fields',
533 'tracker_ids'
523 534
524 535 # Returns an array of projects that are in this project's hierarchy
525 536 #
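Review bot: `'identifier'` is listed as an unconditional safe attribute, so `ProjectsController#update`'s `@project.safe_attributes = params[:project]` now accepts a new identifier for an already-saved project. If the identifier is meant to be fixed once a project exists (it forms the project's URL, see the `/projects/blog/settings` redirect in the test), guard it the way `'status'` is guarded on User, e.g. `safe_attributes 'identifier', :if => lambda {|project, user| project.new_record?}`. A comment above the list noting that `parent_id` is deliberately omitted and handled by `set_allowed_parent!` in the controller would also help.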
@@ -18,7 +18,8
18 18 require "digest/sha1"
19 19
20 20 class User < Principal
21
21 include Redmine::SafeAttributes
22
22 23 # Account statuses
23 24 STATUS_ANONYMOUS = 0
24 25 STATUS_ACTIVE = 1
@@ -390,6 +391,20 class User < Principal
390 391 def allowed_to_globally?(action, options)
391 392 allowed_to?(action, nil, options.reverse_merge(:global => true))
392 393 end
394
395 safe_attributes 'login',
396 'firstname',
397 'lastname',
398 'mail',
399 'mail_notification',
400 'language',
401 'custom_field_values',
402 'custom_fields',
403 'identity_url'
404
405 safe_attributes 'status',
406 'auth_source_id',
407 :if => lambda {|user, current_user| current_user.admin?}
393 408
394 409 # Utility method to help check if a user should be notified about an
395 410 # event.
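Review bot: `'login'` sits in the unconditional list, so the `@user.safe_attributes = params[:user]` introduced in the MyController hunk lets any logged-in user change their own login name. If that is not intended, move it next to `'status'` and `'auth_source_id'` under an admin-only condition, or allow it only for new records, e.g. `safe_attributes 'login', :if => lambda {|user, current_user| user.new_record? || current_user.admin?}`; `UsersController#create` still sets `@user.login` explicitly, so admin-driven creation keeps working either way. As a style point, the `user` parameter of the lambda on line 407 is unused and could be written `_user`. The conditions are evaluated against a `current_user` argument whose default is not visible in this diff, so I cannot confirm it is `User.current` at every call site.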
@@ -144,19 +144,27 class ProjectsControllerTest < ActionController::TestCase
144 144 end
145 145
146 146 should "create a new project" do
147 post :create, :project => { :name => "blog",
148 :description => "weblog",
149 :identifier => "blog",
150 :is_public => 1,
151 :custom_field_values => { '3' => 'Beta' }
152 }
147 post :create,
148 :project => {
149 :name => "blog",
150 :description => "weblog",
151 :homepage => 'http://weblog',
152 :identifier => "blog",
153 :is_public => 1,
154 :custom_field_values => { '3' => 'Beta' },
155 :tracker_ids => ['1', '3']
156 }
153 157 assert_redirected_to '/projects/blog/settings'
154 158
155 159 project = Project.find_by_name('blog')
156 160 assert_kind_of Project, project
161 assert project.active?
157 162 assert_equal 'weblog', project.description
163 assert_equal 'http://weblog', project.homepage
158 164 assert_equal true, project.is_public?
159 165 assert_nil project.parent
166 assert_equal 'Beta', project.custom_value_for(3).value
167 assert_equal [1, 3], project.trackers.map(&:id).sort
160 168 end
161 169
162 170 should "create a new subproject" do
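Review bot: The updated test only checks that the whitelisted attributes come through; nothing in the commit asserts that an attribute outside the `safe_attributes` list is dropped, which is the behaviour this change exists to guarantee. Add a negative case to ProjectsControllerTest that posts a non-listed attribute such as `:status => Project::STATUS_ARCHIVED` alongside the valid fields and asserts the created project is still active, and a parallel one in the user tests for `:admin`. The version below reuses the parameters of the existing test; adjust if the minimal set does not save.
```ruby
should "not assign attributes outside the safe list" do
  post :create,
       :project => {
         :name => "blog2",
         :identifier => "blog2",
         :status => Project::STATUS_ARCHIVED
       }
  project = Project.find_by_name('blog2')
  assert_kind_of Project, project
  assert project.active?
end
```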