Commit dcf933bd authored by jplang's avatar jplang

Verify assigned_to_id when assigning safe_attributes (#22127).

Patch by Jan Schulz-Hofen.

git-svn-id: https://svn.redmine.org/redmine/trunk@15223 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent e2ff1b98
......@@ -495,6 +495,17 @@ class Issue < ActiveRecord::Base
if new_record? && !statuses_allowed.include?(status)
self.status = statuses_allowed.first || default_status
end
if (u = attrs.delete('assigned_to_id')) && safe_attribute?('assigned_to_id')
if u.blank?
self.assigned_to_id = nil
else
u = u.to_i
if assignable_users.any?{|assignable_user| assignable_user.id == u}
self.assigned_to_id = u
end
end
end
attrs = delete_unsafe_attributes(attrs, user)
return if attrs.empty?
......
......@@ -790,6 +790,40 @@ class IssueTest < ActiveSupport::TestCase
assert_nil issue.custom_field_value(cf2)
end
def test_safe_attributes_should_ignore_unassignable_assignee
issue = Issue.new(:project_id => 1, :tracker_id => 1, :author_id => 3,
:status_id => 1, :priority => IssuePriority.all.first,
:subject => 'test_create')
assert issue.valid?
# locked user, not allowed
issue.safe_attributes=({'assigned_to_id' => '5'})
assert_nil issue.assigned_to_id
# no member
issue.safe_attributes=({'assigned_to_id' => '1'})
assert_nil issue.assigned_to_id
# user 2 is ok
issue.safe_attributes=({'assigned_to_id' => '2'})
assert_equal 2, issue.assigned_to_id
assert issue.save
issue.reload
assert_equal 2, issue.assigned_to_id
issue.safe_attributes=({'assigned_to_id' => '5'})
assert_equal 2, issue.assigned_to_id
issue.safe_attributes=({'assigned_to_id' => '1'})
assert_equal 2, issue.assigned_to_id
# user 3 is also ok
issue.safe_attributes=({'assigned_to_id' => '3'})
assert_equal 3, issue.assigned_to_id
assert issue.save
# removal of assignee
issue.safe_attributes=({'assigned_to_id' => ''})
assert_nil issue.assigned_to_id
assert issue.save
end
def test_editable_custom_field_values_should_return_non_readonly_custom_values
cf1 = IssueCustomField.create!(:name => 'Writable field', :field_format => 'string',
:is_for_all => true, :tracker_ids => [1, 2])
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment