Use safe_attributes for custom fields.

git-svn-id: http://svn.redmine.org/redmine/trunk@15689 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-24 09:21:12 +00:00 · 2016-07-17 07:15:25 +00:00 · 2016-07-17 07:15:25 +00:00 · 316eae078c
commit 316eae078c
parent 43d8ab8288
3 changed files with 32 additions and 3 deletions
--- a/app/controllers/custom_fields_controller.rb
+++ b/app/controllers/custom_fields_controller.rb
@ -53,7 +53,8 @@ class CustomFieldsController < ApplicationController
  end

  def update
-    if @custom_field.update_attributes(params[:custom_field])
+    @custom_field.safe_attributes = params[:custom_field]
+    if @custom_field.save
      call_hook(:controller_custom_fields_edit_after_save, :params => params, :custom_field => @custom_field)
      respond_to do |format|
        format.html {
@ -82,9 +83,11 @@ class CustomFieldsController < ApplicationController
  private

  def build_new_custom_field
-    @custom_field = CustomField.new_subclass_instance(params[:type], params[:custom_field])
+    @custom_field = CustomField.new_subclass_instance(params[:type])
    if @custom_field.nil?
      render :action => 'select_type'
+    else
+      @custom_field.safe_attributes = params[:custom_field]
    end
  end

--- a/app/models/custom_field.rb
+++ b/app/models/custom_field.rb
@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 class CustomField < ActiveRecord::Base
+  include Redmine::SafeAttributes
  include Redmine::SubclassFactory

  has_many :enumerations,
@ -61,11 +62,33 @@ class CustomField < ActiveRecord::Base
      where(:visible => true)
    end
  }
-
  def visible_by?(project, user=User.current)
    visible? || user.admin?
  end

+  safe_attributes 'name',
+    'field_format',
+    'possible_values',
+    'regexp',
+    'min_lnegth',
+    'max_length',
+    'is_required',
+    'is_for_all',
+    'is_filter',
+    'position',
+    'searchable',
+    'default_value',
+    'editable',
+    'visible',
+    'multiple',
+    'description',
+    'role_ids',
+    'url_pattern',
+    'text_formatting',
+    'edit_tag_style',
+    'user_role',
+    'version_status'
+
  def format
    @format ||= Redmine::FieldFormat.find(field_format)
  end
--- a/app/models/issue_custom_field.rb
+++ b/app/models/issue_custom_field.rb
@ -20,6 +20,9 @@ class IssueCustomField < CustomField
  has_and_belongs_to_many :trackers, :join_table => "#{table_name_prefix}custom_fields_trackers#{table_name_suffix}", :foreign_key => "custom_field_id"
  has_many :issues, :through => :issue_custom_values

+  safe_attributes 'project_ids',
+    'tracker_ids'
+
  def type_name
    :label_issue_plural
  end