Commit 3c34bbee authored by jplang's avatar jplang

Use safe_attributes.

git-svn-id: https://svn.redmine.org/redmine/trunk@15669 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 15d5da14
...@@ -31,13 +31,15 @@ class TrackersController < ApplicationController ...@@ -31,13 +31,15 @@ class TrackersController < ApplicationController
end end
def new def new
@tracker ||= Tracker.new(params[:tracker]) @tracker ||= Tracker.new
@tracker.safe_attributes = params[:tracker]
@trackers = Tracker.sorted.to_a @trackers = Tracker.sorted.to_a
@projects = Project.all @projects = Project.all
end end
def create def create
@tracker = Tracker.new(params[:tracker]) @tracker = Tracker.new
@tracker.safe_attributes = params[:tracker]
if @tracker.save if @tracker.save
# workflow copy # workflow copy
if !params[:copy_workflow_from].blank? && (copy_from = Tracker.find_by_id(params[:copy_workflow_from])) if !params[:copy_workflow_from].blank? && (copy_from = Tracker.find_by_id(params[:copy_workflow_from]))
...@@ -58,7 +60,8 @@ class TrackersController < ApplicationController ...@@ -58,7 +60,8 @@ class TrackersController < ApplicationController
def update def update
@tracker = Tracker.find(params[:id]) @tracker = Tracker.find(params[:id])
if @tracker.update_attributes(params[:tracker]) @tracker.safe_attributes = params[:tracker]
if @tracker.save
respond_to do |format| respond_to do |format|
format.html { format.html {
flash[:notice] = l(:notice_successful_update) flash[:notice] = l(:notice_successful_update)
......
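Review bot: In `update` (second hunk) a request whose body lacks the `tracker` key now reports success instead of failing: `update_attributes(nil)` raised, whereas `safe_attributes=` — as far as I recall from Redmine::SafeAttributes — returns early on anything that is not a Hash, so `@tracker.save` runs on an unchanged record and the success notice is shown. The same silent-drop applies to keys that are not in the model's whitelist in `new`, `create` and `update`: the field is left unchanged and the caller is still told the save succeeded, which is worth recording with a comment such as `# keys not declared via Tracker.safe_attributes are dropped silently` above each `safe_attributes=` line. If a missing hash should still be a client error, guard it explicitly with a 4xx response before assignment rather than relying on the helper's early return. `copy_workflow_from` is correctly still read from `params` directly, as it is not a model attribute; the body of `create` continues past the hunk.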
...@@ -16,6 +16,7 @@ ...@@ -16,6 +16,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class Tracker < ActiveRecord::Base class Tracker < ActiveRecord::Base
include Redmine::SafeAttributes
CORE_FIELDS_UNDISABLABLE = %w(project_id tracker_id subject description priority_id is_private).freeze CORE_FIELDS_UNDISABLABLE = %w(project_id tracker_id subject description priority_id is_private).freeze
# Fields that can be disabled # Fields that can be disabled
...@@ -69,6 +70,14 @@ class Tracker < ActiveRecord::Base ...@@ -69,6 +70,14 @@ class Tracker < ActiveRecord::Base
joins(:projects).where(condition).distinct joins(:projects).where(condition).distinct
} }
safe_attributes 'name',
'default_status_id',
'is_in_roadmap',
'core_fields',
'position',
'custom_field_ids',
'project_ids'
def to_s; name end def to_s; name end
def <=>(tracker) def <=>(tracker)
......
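Review bot: The `safe_attributes` declaration in the second hunk makes `project_ids`, `custom_field_ids` and `position` mass-assignable for every caller of `safe_attributes=`, not only the admin-only controller that this commit wires up; the whitelist is model-wide and carries no `:if` condition, so any future API endpoint or plugin calling `safe_attributes=` with a non-admin user inherits the full set. That is presumably intended here, since trackers are administered globally, but the restriction lives in the controller, which this diff does not show. A comment above the declaration would keep the assumption visible, e.g. `# Mass-assignment whitelist; assumes an admin-only caller — project_ids and custom_field_ids are assignable without an :if condition`.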