Use safe_attributes for issue watchers assignment....
Jean-Philippe Lang -
r8077:e1f885feda55
@@ -312,12 +312,8 private
312 return false
312 return false
313 end
313 end
314 @issue.start_date ||= Date.today if Setting.default_issue_start_date_to_creation_date?
314 @issue.start_date ||= Date.today if Setting.default_issue_start_date_to_creation_date?
315 if params[:issue].is_a?(Hash)
315 @issue.safe_attributes = params[:issue]
316 @issue.safe_attributes = params[:issue]
316
317 if User.current.allowed_to?(:add_issue_watchers, @project) && @issue.new_record?
318 @issue.watcher_user_ids = params[:issue]['watcher_user_ids']
319 end
320 end
321 @priorities = IssuePriority.active
317 @priorities = IssuePriority.active
322 @allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
318 @allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
323 end
319 end
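Review bot: The new line `@issue.safe_attributes = params[:issue]` drops the `params[:issue].is_a?(Hash)` guard that the removed block had, so a non-Hash value for that parameter (a bare string, for example) now reaches `safe_attributes=` unchecked. That is only safe if `Issue#safe_attributes=` performs its own Hash check before touching the argument; the third hunk of this commit patches the tail of that method, but its beginning is outside the hunk, so confirm the check is there (it is, presumably, but it is not visible here). Also note that the watcher permission is now evaluated against `issue.project` inside the model's `:if` lambda rather than the controller's `@project`, so `@issue.project` must already be set before this assignment; the surrounding method starts outside the hunk.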
@@ -282,6 +282,9 class Issue < ActiveRecord::Base
282 'done_ratio',
282 'done_ratio',
283 :if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
283 :if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
284
284
285 safe_attributes 'watcher_user_ids',
286 :if => lambda {|issue, user| issue.new_record? && user.allowed_to?(:add_issue_watchers, issue.project)}
287
285 safe_attributes 'is_private',
288 safe_attributes 'is_private',
286 :if => lambda {|issue, user|
289 :if => lambda {|issue, user|
287 user.allowed_to?(:set_issues_private, issue.project) ||
290 user.allowed_to?(:set_issues_private, issue.project) ||
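Review bot: The `:if` lambda for `'watcher_user_ids'` reads `issue.project` at filter time, i.e. before any attribute in the same hash is assigned, so a `project_id` submitted alongside `watcher_user_ids` does not influence which project the `:add_issue_watchers` permission is checked against; that is the desired behaviour but it is easy to get wrong when the ordering changes, so it deserves a comment, e.g. `# evaluated before assignment: the permission is checked against the issue's current project`. When `issue.project` is nil the lambda passes nil to `allowed_to?`; presumably that yields false (deny), which is the safe default, but it is worth confirming rather than relying on it implicitly. The `safe_attributes` declarations continue outside the hunk.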
@@ -323,7 +326,8 class Issue < ActiveRecord::Base
323 end
326 end
324 end
327 end
325
328
326 self.attributes = attrs
329 # mass-assignment security bypass
330 self.send :attributes=, attrs, false
327 end
331 end
328
332
329 def done_ratio
333 def done_ratio
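Review bot: The comment `# mass-assignment security bypass` on the new `self.send :attributes=, attrs, false` names the risk but not the invariant that makes it acceptable, and that invariant is what a future reader needs. With the guard argument set to `false`, `attr_protected`/`attr_accessible` on `Issue` no longer apply on this path, so correctness rests entirely on `attrs` having already been reduced to the safe-attribute list earlier in the method (the method's start is outside the hunk, so that filtering is not visible here). I would replace the comment with `# attrs has already been filtered down to safe attributes above; the attr_protected guard is skipped so that attributes outside the mass-assignment whitelist (presumably watcher_user_ids) can be assigned`, and note in it that any new attr_protected declaration on Issue will be ignored here. `send` is needed only to pass the second positional argument, since `self.attributes = attrs, false` would not parse as intended; a short remark to that effect avoids someone "simplifying" it back.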