@@ -260,7 +260,6 class Issue < ActiveRecord::Base | |||||
260 |
|
260 | |||
261 | safe_attributes 'tracker_id', |
|
261 | safe_attributes 'tracker_id', | |
262 | 'status_id', |
|
262 | 'status_id', | |
263 | 'parent_issue_id', |
|
|||
264 | 'category_id', |
|
263 | 'category_id', | |
265 | 'assigned_to_id', |
|
264 | 'assigned_to_id', | |
266 | 'priority_id', |
|
265 | 'priority_id', | |
@@ -291,6 +290,10 class Issue < ActiveRecord::Base | |||||
291 | (issue.author == user && user.allowed_to?(:set_own_issues_private, issue.project)) |
|
290 | (issue.author == user && user.allowed_to?(:set_own_issues_private, issue.project)) | |
292 | } |
|
291 | } | |
293 |
|
292 | |||
|
293 | safe_attributes 'parent_issue_id', | |||
|
294 | :if => lambda {|issue, user| (issue.new_record? || user.allowed_to?(:edit_issues, issue.project)) && | |||
|
295 | user.allowed_to?(:manage_subtasks, issue.project)} | |||
|
296 | ||||
294 | # Safely sets attributes |
|
297 | # Safely sets attributes | |
295 | # Should be called from controllers instead of #attributes= |
|
298 | # Should be called from controllers instead of #attributes= | |
296 | # attr_accessible is too rough because we still want things like |
|
299 | # attr_accessible is too rough because we still want things like | |
@@ -318,12 +321,8 class Issue < ActiveRecord::Base | |||||
318 | attrs.reject! {|k,v| %w(priority_id done_ratio start_date due_date estimated_hours).include?(k)} |
|
321 | attrs.reject! {|k,v| %w(priority_id done_ratio start_date due_date estimated_hours).include?(k)} | |
319 | end |
|
322 | end | |
320 |
|
323 | |||
321 |
if attrs. |
|
324 | if attrs['parent_issue_id'].present? | |
322 | if !user.allowed_to?(:manage_subtasks, project) |
|
325 | attrs.delete('parent_issue_id') unless Issue.visible(user).exists?(attrs['parent_issue_id'].to_i) | |
323 | attrs.delete('parent_issue_id') |
|
|||
324 | elsif !attrs['parent_issue_id'].blank? |
|
|||
325 | attrs.delete('parent_issue_id') unless Issue.visible(user).exists?(attrs['parent_issue_id'].to_i) |
|
|||
326 | end |
|
|||
327 | end |
|
326 | end | |
328 |
|
327 | |||
329 | # mass-assignment security bypass |
|
328 | # mass-assignment security bypass |
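Review bot: The deletion on new line 325 now checks only that the requested parent is visible to the user; the `:manage_subtasks` check that old lines 322–323 performed at this point lives solely in the `:if` lambda of the new `safe_attributes 'parent_issue_id'` declaration (new lines 293–295), so the guard holds only if the unsafe-attribute filtering that evaluates that lambda runs before this block. `safe_attributes=` starts outside the hunk, so that ordering cannot be confirmed from here; if the filter runs after this point, the permission check is silently lost. The lambda also reads `issue.project`, which presumes `project_id` has already been assigned when it is evaluated — otherwise a new issue is checked against a nil project. A comment would make the split responsibility explicit, e.g. above new line 324: `# :manage_subtasks is enforced by the safe_attributes :if lambda; here we only drop a parent the user cannot see`.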