meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2025-12-19 23:11:12 +00:00
Code Issues Releases Wiki Activity

Use safe_attributes for user preferences.

Browse Source 
git-svn-id: http://svn.redmine.org/redmine/trunk@15688 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2016-07-17 06:43:12 +00:00
parent cad0036297
commit 43d8ab8288
4 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/account_controller.rb
View File

@ -123,7 +123,7 @@ class AccountController < ApplicationController
user_params = params[:user] || {} user_params = params[:user] || {}
@user = User.new @user = User.new
@user.safe_attributes = user_params @user.safe_attributes = user_params
@user.pref.attributes = params[:pref] if params[:pref] @user.pref.safe_attributes = params[:pref]
@user.admin = false @user.admin = false
@user.register @user.register
if session[:auth_source_registration] if session[:auth_source_registration]

4
app/controllers/my_controller.rb
View File

@ -56,8 +56,8 @@ class MyController < ApplicationController
@user = User.current @user = User.current
@pref = @user.pref @pref = @user.pref
if request.post? if request.post?
@user.safe_attributes = params[:user] if params[:user] @user.safe_attributes = params[:user]
@user.pref.attributes = params[:pref] if params[:pref] @user.pref.safe_attributes = params[:pref]
if @user.save if @user.save
@user.pref.save @user.pref.save
set_language_if_valid @user.language set_language_if_valid @user.language

2
app/controllers/users_controller.rb
View File

@ -90,7 +90,7 @@ class UsersController < ApplicationController
@user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option, :admin => false) @user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option, :admin => false)
@user.safe_attributes = params[:user] @user.safe_attributes = params[:user]
@user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation] unless @user.auth_source_id @user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation] unless @user.auth_source_id
@user.pref.attributes = params[:pref] if params[:pref] @user.pref.safe_attributes = params[:pref]
if @user.save if @user.save
Mailer.account_information(@user, @user.password).deliver if params[:send_information] Mailer.account_information(@user, @user.password).deliver if params[:send_information]

8
app/models/user_preference.rb
View File

@ -16,6 +16,8 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class UserPreference < ActiveRecord::Base class UserPreference < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :user belongs_to :user
serialize :others serialize :others
@ -23,6 +25,12 @@ class UserPreference < ActiveRecord::Base
before_save :set_others_hash before_save :set_others_hash
safe_attributes 'hide_mail',
'time_zone',
'comments_sorting',
'warn_on_leaving_unsaved',
'no_self_notified'
def initialize(attributes=nil, *args) def initialize(attributes=nil, *args)
super super
if new_record? && !(attributes && attributes.key?(:hide_mail)) if new_record? && !(attributes && attributes.key?(:hide_mail))