Commit 98d18774 authored by jplang

Use safe_attributes for custom fields.

git-svn-id: https://svn.redmine.org/redmine/trunk@15689 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 713c87da
......@@ -53,7 +53,8 @@ class CustomFieldsController < ApplicationController
end
def update
if @custom_field.update_attributes(params[:custom_field])
@custom_field.safe_attributes = params[:custom_field]
if @custom_field.save
call_hook(:controller_custom_fields_edit_after_save, :params => params, :custom_field => @custom_field)
respond_to do |format|
format.html {
......@@ -82,9 +83,11 @@ class CustomFieldsController < ApplicationController
private
def build_new_custom_field
@custom_field = CustomField.new_subclass_instance(params[:type], params[:custom_field])
@custom_field = CustomField.new_subclass_instance(params[:type])
if @custom_field.nil?
render :action => 'select_type'
else
@custom_field.safe_attributes = params[:custom_field]
end
end
......
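Review bot: In `update`, parameters that are not on the model's allow-list are now presumably discarded without any signal while `@custom_field.save` still succeeds, so a form field missing from the list would produce a normal success response with the stored value unchanged. A functional test that submits every field of the custom-field form on create and on update and asserts the persisted values would make such omissions visible, and a second one that posts an attribute not on the list and asserts it is ignored would pin the restriction this commit introduces. In `build_new_custom_field`, a short comment such as `# assign params after instantiation so only safe_attributes are accepted` would explain why `params[:custom_field]` is no longer passed to `new_subclass_instance`. The body of `update` continues outside the hunk.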
......@@ -16,6 +16,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class CustomField < ActiveRecord::Base
include Redmine::SafeAttributes
include Redmine::SubclassFactory
has_many :enumerations,
......@@ -61,11 +62,33 @@ class CustomField < ActiveRecord::Base
where(:visible => true)
end
}
def visible_by?(project, user=User.current)
visible? || user.admin?
end
safe_attributes 'name',
'field_format',
'possible_values',
'regexp',
'min_lnegth',
'max_length',
'is_required',
'is_for_all',
'is_filter',
'position',
'searchable',
'default_value',
'editable',
'visible',
'multiple',
'description',
'role_ids',
'url_pattern',
'text_formatting',
'edit_tag_style',
'user_role',
'version_status'
def format
@format ||= Redmine::FieldFormat.find(field_format)
end
......
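Review bot: The allow-list entry `'min_lnegth'` in the new `safe_attributes` call is misspelled, so a submitted `min_length` value matches no listed name and is presumably dropped by the safe-attributes filter on both create and update (the filter itself is not visible here). The line should read `'min_length',`. Because an allow-list fails closed, this is a silent functional regression rather than an exposure: the save still succeeds and the minimum-length constraint simply never changes. A model test asserting that every name passed to `safe_attributes` corresponds to a real attribute or association setter on CustomField would catch this class of typo.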
......@@ -20,6 +20,9 @@ class IssueCustomField < CustomField
has_and_belongs_to_many :trackers, :join_table => "#{table_name_prefix}custom_fields_trackers#{table_name_suffix}", :foreign_key => "custom_field_id"
has_many :issues, :through => :issue_custom_values
safe_attributes 'project_ids',
'tracker_ids'
def type_name
:label_issue_plural
end
......