Use safe_attributes.

git-svn-id: http://svn.redmine.org/redmine/trunk@15668 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-03 06:09:41 +00:00 · 2016-07-16 09:30:09 +00:00 · 2016-07-16 09:30:09 +00:00 · adde498b33
commit adde498b33
parent 3e6b392ddc
2 changed files with 19 additions and 3 deletions
--- a/app/controllers/roles_controller.rb
+++ b/app/controllers/roles_controller.rb
@ -45,7 +45,8 @@ class RolesController < ApplicationController

  def new
    # Prefills the form with 'Non member' role permissions by default
-    @role = Role.new(params[:role] || {:permissions => Role.non_member.permissions})
+    @role = Role.new
+    @role.safe_attributes = params[:role] || {:permissions => Role.non_member.permissions}
    if params[:copy].present? && @copy_from = Role.find_by_id(params[:copy])
      @role.copy_from(@copy_from)
    end
@ -53,7 +54,8 @@ class RolesController < ApplicationController
  end

  def create
-    @role = Role.new(params[:role])
+    @role = Role.new
+    @role.safe_attributes = params[:role]
    if request.post? && @role.save
      # workflow copy
      if !params[:copy_workflow_from].blank? && (copy_from = Role.find_by_id(params[:copy_workflow_from]))
@ -71,7 +73,8 @@ class RolesController < ApplicationController
  end

  def update
-    if @role.update_attributes(params[:role])
+    @role.safe_attributes = params[:role]
+    if @role.save
      respond_to do |format|
        format.html {
          flash[:notice] = l(:notice_successful_update)
--- a/app/models/role.rb
+++ b/app/models/role.rb
@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 class Role < ActiveRecord::Base
+  include Redmine::SafeAttributes
+
  # Custom coder for the permissions attribute that should be an
  # array of symbols. Rails 3 uses Psych which can be *unbelievably*
  # slow on some platforms (eg. mingw32).
@ -89,6 +91,17 @@ class Role < ActiveRecord::Base
    :in => TIME_ENTRIES_VISIBILITY_OPTIONS.collect(&:first),
    :if => lambda {|role| role.respond_to?(:time_entries_visibility) && role.time_entries_visibility_changed?}

+  safe_attributes 'name',
+      'assignable',
+      'position',
+      'issues_visibility',
+      'users_visibility',
+      'time_entries_visibility',
+      'all_roles_managed',
+      'permissions',
+      'permissions_all_trackers',
+      'permissions_tracker_ids'
+
  # Copies attributes from another role, arg can be an id or a Role
  def copy_from(arg, options={})
    return unless arg.present?