Prevent mass-assignment vulnerability when adding/updating a document (#922).

7505cb2f · Jean-Philippe Lang · Holger Just · 2eeb4b13 · 7505cb2f · 7505cb2f
Commit 7505cb2f authored Mar 06, 2012 by Jean-Philippe Lang Committed by Holger Just Apr 04, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

documents_controller.rb app/controllers/documents_controller.rb +2 -1

document.rb app/models/document.rb +3 -0

No files found.
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@@ -43,7 +43,8 @@ class DocumentsController < ApplicationController
  end

  def new
-    @document = @project.documents.build(params[:document])
+    @document = @project.documents.build
+    @document.safe_attributes = params[:document]
    if request.post?
      if User.current.allowed_to?(:add_document_watchers, @project) && params[:document]['watcher_user_ids'].present?
        @document.watcher_user_ids = params[:document]['watcher_user_ids']

--- a/app/models/document.rb
+++ b/app/models/document.rb
@@ -13,6 +13,7 @@
 #++

 class Document < ActiveRecord::Base
+  include Redmine::SafeAttributes
  belongs_to :project
  belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
  acts_as_attachable :delete_permission => :manage_documents
@@ -32,6 +33,8 @@ class Document < ActiveRecord::Base
  named_scope :visible, lambda {|*args| { :include => :project,
                                          :conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) } }

+  safe_attributes 'category_id', 'title', 'description'
+
  def visible?(user=User.current)
    !user.nil? && user.allowed_to?(:view_documents, project)
  end