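--- a/PLACEHOLDER_PATH
+++ b/PLACEHOLDER_PATH
@@ -260,7 +260,6 @@ class Issue < ActiveRecord::Base
 
   safe_attributes 'tracker_id',
     'status_id',
-    'parent_issue_id',
     'category_id',
     'assigned_to_id',
     'priority_id',
@@ -291,6 +290,10 @@ class Issue < ActiveRecord::Base
     (issue.author == user && user.allowed_to?(:set_own_issues_private, issue.project))
     }
 
+  safe_attributes 'parent_issue_id',
+    :if => lambda {|issue, user| (issue.new_record? || user.allowed_to?(:edit_issues, issue.project)) &&
+      user.allowed_to?(:manage_subtasks, issue.project)}
+
   # Safely sets attributes
   # Should be called from controllers instead of #attributes=
   # attr_accessible is too rough because we still want things like
@@ -318,12 +321,8 @@ class Issue < ActiveRecord::Base
       attrs.reject! {|k,v| %w(priority_id done_ratio start_date due_date estimated_hours).include?(k)}
     end
 
-    if attrs.
-      if !user.allowed_to?(:manage_subtasks, project)
-        attrs.delete('parent_issue_id')
-      elsif !attrs['parent_issue_id'].blank?
-        attrs.delete('parent_issue_id') unless Issue.visible(user).exists?(attrs['parent_issue_id'].to_i)
-      end
+    if attrs['parent_issue_id'].present?
+      attrs.delete('parent_issue_id') unless Issue.visible(user).exists?(attrs['parent_issue_id'].to_i)
     end
 
     # mass-assignment security bypass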
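Review bot: The new `if attrs['parent_issue_id'].present?` branch in `safe_attributes=` no longer shows where the `manage_subtasks` permission is enforced; that gate now lives only in the `safe_attributes 'parent_issue_id', :if => lambda {...}` declaration in the hunk above, and nothing at the call site records the split, so a later edit to either place can silently reopen parent reassignment for users without the permission. A comment on the new line 324 would keep the two in sync: `# :manage_subtasks is enforced by the safe_attributes declaration above; only the target parent's visibility is checked here`. It is also worth noting inline that a non-numeric value reaches `.to_i` as 0, which `exists?` should not match, so the attribute is dropped rather than raising — confirm that is the intended handling for malformed input. The enclosing `safe_attributes=` method starts and ends outside this hunk.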