Verify assigned_to_id when assigning safe_attributes (#22127).

Patch by Jan Schulz-Hofen. git-svn-id: http://svn.redmine.org/redmine/trunk@15223 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-02-06 09:03:25 +00:00 · 2016-03-12 13:09:23 +00:00 · 2016-03-12 13:09:23 +00:00 · 9473a373a5
commit 9473a373a5
parent 9d3ce6aa56
2 changed files with 45 additions and 0 deletions
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@ -495,6 +495,17 @@ class Issue < ActiveRecord::Base
    if new_record? && !statuses_allowed.include?(status)
      self.status = statuses_allowed.first || default_status
    end
+    if (u = attrs.delete('assigned_to_id')) && safe_attribute?('assigned_to_id')
+      if u.blank?
+        self.assigned_to_id = nil
+      else
+        u = u.to_i
+        if assignable_users.any?{|assignable_user| assignable_user.id == u}
+          self.assigned_to_id = u
+        end
+      end
+    end
+

    attrs = delete_unsafe_attributes(attrs, user)
    return if attrs.empty?
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@ -790,6 +790,40 @@ class IssueTest < ActiveSupport::TestCase
    assert_nil issue.custom_field_value(cf2)
  end

+  def test_safe_attributes_should_ignore_unassignable_assignee
+    issue = Issue.new(:project_id => 1, :tracker_id => 1, :author_id => 3,
+                      :status_id => 1, :priority => IssuePriority.all.first,
+                      :subject => 'test_create')
+    assert issue.valid?
+
+    # locked user, not allowed
+    issue.safe_attributes=({'assigned_to_id' => '5'})
+    assert_nil issue.assigned_to_id
+    # no member
+    issue.safe_attributes=({'assigned_to_id' => '1'})
+    assert_nil issue.assigned_to_id
+    # user 2 is ok
+    issue.safe_attributes=({'assigned_to_id' => '2'})
+    assert_equal 2, issue.assigned_to_id
+    assert issue.save
+
+    issue.reload
+    assert_equal 2, issue.assigned_to_id
+    issue.safe_attributes=({'assigned_to_id' => '5'})
+    assert_equal 2, issue.assigned_to_id
+    issue.safe_attributes=({'assigned_to_id' => '1'})
+    assert_equal 2, issue.assigned_to_id
+    # user 3 is also ok
+    issue.safe_attributes=({'assigned_to_id' => '3'})
+    assert_equal 3, issue.assigned_to_id
+    assert issue.save
+
+    # removal of assignee
+    issue.safe_attributes=({'assigned_to_id' => ''})
+    assert_nil issue.assigned_to_id
+    assert issue.save
+  end
+
  def test_editable_custom_field_values_should_return_non_readonly_custom_values
    cf1 = IssueCustomField.create!(:name => 'Writable field', :field_format => 'string',
                                   :is_for_all => true, :tracker_ids => [1, 2])