meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2026-03-10 03:03:05 +00:00
Code Issues Releases Wiki Activity

Wrap journal attributes with a journal parameter and use safe_attributes (#22575).

Browse Source 
git-svn-id: http://svn.redmine.org/redmine/trunk@15621 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2016-07-10 10:58:00 +00:00
parent 7918285ac2
commit 1f9bbd6b42
5 changed files with 23 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/controllers/journals_controller.rb
View File

@ -90,10 +90,8 @@ class JournalsController < ApplicationController
def update def update
(render_403; return false) unless @journal.editable_by?(User.current) (render_403; return false) unless @journal.editable_by?(User.current)
@journal.notes = params[:notes] if params[:notes] @journal.safe_attributes = params[:journal]
@journal.private_notes = params[:private_notes].present? @journal.save
(render_403; return false) if @journal.private_notes_changed? && User.current.allowed_to?(:set_notes_private, @journal.issue.project) == false
@journal.save if @journal.changed?
@journal.destroy if @journal.details.empty? && @journal.notes.blank? @journal.destroy if @journal.details.empty? && @journal.notes.blank?
call_hook(:controller_journals_edit_post, { :journal => @journal, :params => params}) call_hook(:controller_journals_edit_post, { :journal => @journal, :params => params})
respond_to do |format| respond_to do |format|

2
app/helpers/journals_helper.rb
View File

@ -45,7 +45,7 @@ module JournalsHelper
:class => 'icon-only icon-edit' :class => 'icon-only icon-edit'
) if editable ) if editable
links << link_to(l(:button_delete), links << link_to(l(:button_delete),
journal_path(journal, :notes => ""), journal_path(journal, :journal => {:notes => ""}),
:remote => true, :remote => true,
:method => 'put', :data => {:confirm => l(:text_are_you_sure)}, :method => 'put', :data => {:confirm => l(:text_are_you_sure)},
:title => l(:button_delete), :title => l(:button_delete),

7
app/models/journal.rb
View File

@ -16,6 +16,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Journal < ActiveRecord::Base class Journal < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :journalized, :polymorphic => true belongs_to :journalized, :polymorphic => true
# added as a quick fix to allow eager loading of the polymorphic association # added as a quick fix to allow eager loading of the polymorphic association
# since always associated to an issue, for now # since always associated to an issue, for now
@ -50,6 +52,11 @@ class Journal < ActiveRecord::Base
where("(#{Journal.table_name}.private_notes = ? OR (#{Project.allowed_to_condition(user, :view_private_notes, *args)}))", false) where("(#{Journal.table_name}.private_notes = ? OR (#{Project.allowed_to_condition(user, :view_private_notes, *args)}))", false)
} }
safe_attributes 'notes',
:if => lambda {|journal, user| journal.new_record? || journal.editable_by?(user)}
safe_attributes 'private_notes',
:if => lambda {|journal, user| user.allowed_to?(:set_notes_private, journal.project)}
def initialize(*args) def initialize(*args)
super super
if journalized if journalized

8
app/views/journals/_notes_form.html.erb
View File

@ -3,12 +3,14 @@
:method => 'put', :method => 'put',
:id => "journal-#{@journal.id}-form") do %> :id => "journal-#{@journal.id}-form") do %>
<%= label_tag "notes", l(:description_notes), :class => "hidden-for-sighted" %> <%= label_tag "notes", l(:description_notes), :class => "hidden-for-sighted" %>
<%= text_area_tag :notes, @journal.notes, <%= text_area_tag 'journal[notes]', @journal.notes,
:id => "journal_#{@journal.id}_notes", :id => "journal_#{@journal.id}_notes",
:class => 'wiki-edit', :class => 'wiki-edit',
:rows => (@journal.notes.blank? ? 10 : [[10, @journal.notes.length / 50].max, 100].min) %> :rows => (@journal.notes.blank? ? 10 : [[10, @journal.notes.length / 50].max, 100].min) %>
<% if @journal.issue.safe_attribute? 'private_notes' %> <% if @journal.safe_attribute? 'private_notes' %>
<%= check_box_tag 'private_notes', '1', @journal.private_notes, :id => "journal_#{@journal.id}_private_notes" %> <label for="journal_<%= @journal.id %>_private_notes"><%= l(:field_private_notes) %></label> <%= hidden_field_tag 'journal[private_notes]', '0' %>
<%= check_box_tag 'journal[private_notes]', '1', @journal.private_notes, :id => "journal_#{@journal.id}_private_notes" %>
<label for="journal_<%= @journal.id %>_private_notes"><%= l(:field_private_notes) %></label>
<% end %> <% end %>
<%= call_hook(:view_journals_notes_form_after_notes, { :journal => @journal}) %> <%= call_hook(:view_journals_notes_form_after_notes, { :journal => @journal}) %>
<p><%= submit_tag l(:button_save) %> <p><%= submit_tag l(:button_save) %>

15
test/functional/journals_controller_test.rb
View File

@ -199,7 +199,7 @@ class JournalsControllerTest < ActionController::TestCase
def test_update_xhr def test_update_xhr
@request.session[:user_id] = 1 @request.session[:user_id] = 1
xhr :post, :update, :id => 2, :notes => 'Updated notes' xhr :post, :update, :id => 2, :journal => {:notes => 'Updated notes'}
assert_response :success assert_response :success
assert_template 'update' assert_template 'update'
assert_equal 'text/javascript', response.content_type assert_equal 'text/javascript', response.content_type
@ -209,7 +209,7 @@ class JournalsControllerTest < ActionController::TestCase
def test_update_xhr_with_private_notes_checked def test_update_xhr_with_private_notes_checked
@request.session[:user_id] = 1 @request.session[:user_id] = 1
xhr :post, :update, :id => 2, :private_notes => '1' xhr :post, :update, :id => 2, :journal => {:private_notes => '1'}
assert_response :success assert_response :success
assert_template 'update' assert_template 'update'
assert_equal 'text/javascript', response.content_type assert_equal 'text/javascript', response.content_type
@ -221,7 +221,7 @@ class JournalsControllerTest < ActionController::TestCase
def test_update_xhr_with_private_notes_unchecked def test_update_xhr_with_private_notes_unchecked
Journal.find(2).update_attributes(:private_notes => true) Journal.find(2).update_attributes(:private_notes => true)
@request.session[:user_id] = 1 @request.session[:user_id] = 1
xhr :post, :update, :id => 2 xhr :post, :update, :id => 2, :journal => {:private_notes => '0'}
assert_response :success assert_response :success
assert_template 'update' assert_template 'update'
assert_equal 'text/javascript', response.content_type assert_equal 'text/javascript', response.content_type
@ -230,20 +230,21 @@ class JournalsControllerTest < ActionController::TestCase
assert_include 'journal-2-private_notes', response.body assert_include 'journal-2-private_notes', response.body
end end
def test_update_xhr_with_private_notes_changes_and_without_set_private_notes_permission def test_update_xhr_without_set_private_notes_permission_should_ignore_private_notes
@request.session[:user_id] = 2 @request.session[:user_id] = 2
Role.find(1).add_permission! :edit_issue_notes Role.find(1).add_permission! :edit_issue_notes
Role.find(1).add_permission! :view_private_notes Role.find(1).add_permission! :view_private_notes
Role.find(1).remove_permission! :set_notes_private Role.find(1).remove_permission! :set_notes_private
xhr :post, :update, :id => 2, :private_notes => '1' xhr :post, :update, :id => 2, :journal => {:private_notes => '1'}
assert_response 403 assert_response :success
assert_equal false, Journal.find(2).private_notes
end end
def test_update_xhr_with_empty_notes_should_delete_the_journal def test_update_xhr_with_empty_notes_should_delete_the_journal
@request.session[:user_id] = 1 @request.session[:user_id] = 1
assert_difference 'Journal.count', -1 do assert_difference 'Journal.count', -1 do
xhr :post, :update, :id => 2, :notes => '' xhr :post, :update, :id => 2, :journal => {:notes => ''}
assert_response :success assert_response :success
assert_template 'update' assert_template 'update'
assert_equal 'text/javascript', response.content_type assert_equal 'text/javascript', response.content_type