Commit 7b23d3bd authored by Francisco Juan's avatar Francisco Juan

Merge commit 'tags/v2.7.1'

parents f1ff9c1a 9d32e68e
......@@ -43,8 +43,9 @@ class DocumentsController < ApplicationController
end
def new
@document = @project.documents.build(params[:document])
if request.post? and @document.save
@document = @project.documents.build
@document.safe_attributes = params[:document]
if request.post? && @document.save
attachments = Attachment.attach_files(@document, params[:attachments])
render_attachment_warning_if_needed(@document)
flash[:notice] = l(:notice_successful_create)
......
......@@ -23,7 +23,8 @@ class IssueCategoriesController < ApplicationController
verify :method => :post, :only => :destroy
def new
@category = @project.issue_categories.build(params[:category])
@category = @project.issue_categories.build
@category.safe_attributes = params[:category]
if request.post?
if @category.save
respond_to do |format|
......@@ -50,7 +51,8 @@ class IssueCategoriesController < ApplicationController
end
def edit
if request.post? and @category.update_attributes(params[:category])
@category.safe_attributes = params[:category]
if request.post? and @category.save
flash[:notice] = l(:notice_successful_update)
redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project
end
......
......@@ -21,17 +21,19 @@ class MembersController < ApplicationController
def new
members = []
if params[:member] && request.post?
attrs = params[:member].dup
if (user_ids = attrs.delete(:user_ids))
if params[:member]
if params[:member][:user_ids]
attrs = params[:member].dup
user_ids = attrs.delete(:user_ids)
user_ids.each do |user_id|
members << Member.new(attrs.merge(:user_id => user_id))
members << Member.new(:role_ids => params[:member][:role_ids], :user_id => user_id)
end
else
members << Member.new(attrs)
members << Member.new(:role_ids => params[:member][:role_ids], :user_id => params[:member][:user_id])
end
@project.members << members
end
respond_to do |format|
if members.present? && members.all? {|m| m.valid? }
......
......@@ -48,26 +48,26 @@ class MessagesController < ApplicationController
# Create a new topic
def new
@message = Message.new(params[:message])
@message = Message.new
@message.author = User.current
@message.board = @board
if params[:message] && User.current.allowed_to?(:edit_messages, @project)
@message.locked = params[:message]['locked']
@message.sticky = params[:message]['sticky']
end
if request.post? && @message.save
call_hook(:controller_messages_new_after_save, { :params => params, :message => @message})
attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message)
redirect_to :action => 'show', :id => @message
@message.safe_attributes = params[:message]
if request.post?
if @message.save
call_hook(:controller_messages_new_after_save, { :params => params, :message => @message})
attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message)
redirect_to :action => 'show', :id => @message
end
end
end
# Reply to a topic
def reply
@reply = Message.new(params[:reply])
@reply = Message.new
@reply.author = User.current
@reply.board = @board
@reply.safe_attributes = params[:reply]
@topic.children << @reply
if !@reply.new_record?
call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
......@@ -80,11 +80,8 @@ class MessagesController < ApplicationController
# Edit a message
def edit
(render_403; return false) unless @message.editable_by?(User.current)
if params[:message]
@message.locked = params[:message]['locked']
@message.sticky = params[:message]['sticky']
end
if request.post? && @message.update_attributes(params[:message])
@message.safe_attributes = params[:message]
if request.post? && @message.save
attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message)
flash[:notice] = l(:notice_successful_update)
......
......@@ -59,14 +59,12 @@ class NewsController < ApplicationController
def create
@news = News.new(:project => @project, :author => User.current)
if request.post?
@news.attributes = params[:news]
if @news.save
flash[:notice] = l(:notice_successful_create)
redirect_to :controller => 'news', :action => 'index', :project_id => @project
else
render :action => 'new'
end
@news.safe_attributes = params[:news]
if @news.save
flash[:notice] = l(:notice_successful_create)
redirect_to :controller => 'news', :action => 'index', :project_id => @project
else
render :action => 'new'
end
end
......@@ -74,7 +72,8 @@ class NewsController < ApplicationController
end
def update
if request.put? and @news.update_attributes(params[:news])
@news.safe_attributes = params[:news]
if @news.save
flash[:notice] = l(:notice_successful_update)
redirect_to :action => 'show', :id => @news
else
......
......@@ -59,7 +59,8 @@ class ProjectsController < ApplicationController
def new
@issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
@trackers = Tracker.all
@project = Project.new(params[:project])
@project = Project.new
@project.safe_attributes = params[:project]
end
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
......
......@@ -97,7 +97,7 @@ class TimelogController < ApplicationController
def new
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
render :action => 'edit'
......@@ -106,7 +106,7 @@ class TimelogController < ApplicationController
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
......@@ -127,14 +127,14 @@ class TimelogController < ApplicationController
end
def edit
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
end
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
def update
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
......
......@@ -56,7 +56,7 @@ class VersionsController < ApplicationController
if params[:version]
attributes = params[:version].dup
attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
@version.attributes = attributes
@version.safe_attributes = attributes
end
end
......@@ -66,7 +66,7 @@ class VersionsController < ApplicationController
if params[:version]
attributes = params[:version].dup
attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
@version.attributes = attributes
@version.safe_attributes = attributes
end
if request.post?
......@@ -101,7 +101,8 @@ class VersionsController < ApplicationController
if request.put? && params[:version]
attributes = params[:version].dup
attributes.delete('sharing') unless @version.allowed_sharings.include?(attributes['sharing'])
if @version.update_attributes(attributes)
@version.safe_attributes = attributes
if @version.save
flash[:notice] = l(:notice_successful_update)
redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project
else
......
......@@ -19,7 +19,7 @@ class WikisController < ApplicationController
# Create or update a project's wiki
def edit
@wiki = @project.wiki || Wiki.new(:project => @project)
@wiki.attributes = params[:wiki]
@wiki.safe_attributes = params[:wiki]
@wiki.save if request.post?
render(:update) {|page| page.replace_html "tab-content-wiki", :partial => 'projects/settings/wiki'}
end
......
......@@ -13,6 +13,7 @@
#++
class Document < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
acts_as_attachable :delete_permission => :manage_documents
......@@ -31,6 +32,8 @@ class Document < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => :project,
:conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) } }
safe_attributes 'category_id', 'title', 'description'
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_documents, project)
end
......
......@@ -13,6 +13,7 @@
#++
class IssueCategory < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
belongs_to :assigned_to, :class_name => 'User', :foreign_key => 'assigned_to_id'
has_many :issues, :foreign_key => 'category_id', :dependent => :nullify
......@@ -21,6 +22,8 @@ class IssueCategory < ActiveRecord::Base
validates_uniqueness_of :name, :scope => [:project_id]
validates_length_of :name, :maximum => 30
safe_attributes 'name', 'assigned_to_id'
alias :destroy_without_reassign :destroy
# Destroy the category
......
......@@ -13,6 +13,7 @@
#++
class Message < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :board
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
......@@ -49,6 +50,12 @@ class Message < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => {:board => :project},
:conditions => Project.allowed_to_condition(args.first || User.current, :view_messages) } }
safe_attributes 'subject', 'content'
safe_attributes 'locked', 'sticky',
:if => lambda {|message, user|
user.allowed_to?(:edit_messages, message.project)
}
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_messages, project)
end
......
......@@ -13,6 +13,7 @@
#++
class News < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
has_many :comments, :as => :commented, :dependent => :delete_all, :order => "created_on"
......@@ -32,6 +33,8 @@ class News < ActiveRecord::Base
:conditions => Project.allowed_to_condition(args.first || User.current, :view_news)
}}
safe_attributes 'title', 'summary', 'description'
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_news, project)
end
......
......@@ -13,6 +13,7 @@
#++
class TimeEntry < ActiveRecord::Base
include Redmine::SafeAttributes
# could have used polymorphic association
# project association here allows easy loading of time entries at project level with one database trip
belongs_to :project
......@@ -37,6 +38,8 @@ class TimeEntry < ActiveRecord::Base
:conditions => Project.allowed_to_condition(args.first || User.current, :view_time_entries)
}}
safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values'
def after_initialize
if new_record? && self.activity.nil?
if default_activity = TimeEntryActivity.default
......
......@@ -16,7 +16,7 @@ class UserPreference < ActiveRecord::Base
belongs_to :user
serialize :others
attr_protected :others
attr_protected :others, :user_id
def initialize(attributes = nil)
super
......
......@@ -13,6 +13,7 @@
#++
class Version < ActiveRecord::Base
include Redmine::SafeAttributes
after_update :update_issues_from_sharing_change
belongs_to :project
has_many :fixed_issues, :class_name => 'Issue', :foreign_key => 'fixed_version_id', :dependent => :nullify
......@@ -34,6 +35,15 @@ class Version < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => :project,
:conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
safe_attributes 'name',
'description',
'effective_date',
'due_date',
'wiki_page_title',
'status',
'sharing',
'custom_field_values'
# Returns true if +user+ or current user is allowed to view the version
def visible?(user=User.current)
user.allowed_to?(:view_issues, self.project)
......
......@@ -13,6 +13,7 @@
#++
class Wiki < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
has_many :pages, :class_name => 'WikiPage', :dependent => :destroy, :order => 'title'
has_many :redirects, :class_name => 'WikiRedirect', :dependent => :delete_all
......@@ -22,6 +23,8 @@ class Wiki < ActiveRecord::Base
validates_presence_of :start_page
validates_format_of :start_page, :with => /^[^,\.\/\?\;\|\:]*$/
safe_attributes 'start_page'
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_wiki_pages, project)
end
......
= ChiliProject changelog
== 2012-04-04 v2.7.1
* Bug #922: Mass assignment
== 2012-02-06 v2.7.0
* Bug #593: Notification Mail for Wiki-Changes has wrong Diff
......
......@@ -19,7 +19,7 @@ module ChiliProject
MAJOR = 2
MINOR = 7
PATCH = 0
PATCH = 1
TINY = PATCH # Redmine compat
# Used by semver to define the special version (if any).
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment