Use strong params for CustomFieldEnumeration.

git-svn-id: http://svn.redmine.org/redmine/trunk@16603 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-10-31 18:36:07 +01:00 · 2017-06-03 08:43:04 +00:00
parent b923a54b2d
commit 6ca3e4f75f
3 changed files with 14 additions and 14 deletions
--- a/app/controllers/custom_field_enumerations_controller.rb
+++ b/app/controllers/custom_field_enumerations_controller.rb
@@ -31,7 +31,7 @@ class CustomFieldEnumerationsController < ApplicationController

  def create
    @value = @custom_field.enumerations.build
-    @value.safe_attributes = params[:custom_field_enumeration]
+    @value.attributes = enumeration_params
    @value.save
    respond_to do |format|
      format.html { redirect_to custom_field_enumerations_path(@custom_field) }
@@ -40,9 +40,7 @@ class CustomFieldEnumerationsController < ApplicationController
  end

  def update_each
-    saved = CustomFieldEnumeration.update_each(@custom_field, params[:custom_field_enumerations]) do |enumeration, enumeration_attributes|
-      enumeration.safe_attributes = enumeration_attributes
-    end
+    saved = CustomFieldEnumeration.update_each(@custom_field, update_each_params)
    if saved
      flash[:notice] = l(:notice_successful_update)
    end
@@ -73,4 +71,14 @@ class CustomFieldEnumerationsController < ApplicationController
  rescue ActiveRecord::RecordNotFound
    render_404
  end
+
+  def enumeration_params
+    params.require(:custom_field_enumeration).permit(:name, :active, :position)
+  end
+
+  def update_each_params
+    # params.require(:custom_field_enumerations).permit(:name, :active, :position) does not work here with param like this:
+    # "custom_field_enumerations":{"0":{"name": ...}, "1":{"name...}}
+    params.permit(:custom_field_enumerations => [:name, :active, :position]).require(:custom_field_enumerations)
+  end
 end
--- a/app/models/custom_field_enumeration.rb
+++ b/app/models/custom_field_enumeration.rb
@@ -16,10 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 class CustomFieldEnumeration < ActiveRecord::Base
-  include Redmine::SafeAttributes
-
  belongs_to :custom_field
-  attr_accessible :name, :active, :position

  validates_presence_of :name, :position, :custom_field_id
  validates_length_of :name, :maximum => 60
@@ -28,10 +25,6 @@ class CustomFieldEnumeration < ActiveRecord::Base

  scope :active, lambda { where(:active => true) }

-  safe_attributes 'name',
-    'active',
-    'position'
-
  def to_s
    name.to_s
  end
@@ -57,7 +50,6 @@ class CustomFieldEnumeration < ActiveRecord::Base
  end

  def self.update_each(custom_field, attributes)
-    return unless attributes.is_a?(Hash)
    transaction do
      attributes.each do |enumeration_id, enumeration_attributes|
        enumeration = custom_field.enumerations.find_by_id(enumeration_id)
--- a/test/functional/custom_field_enumerations_controller_test.rb
+++ b/test/functional/custom_field_enumerations_controller_test.rb
@@ -75,12 +75,12 @@ class CustomFieldEnumerationsControllerTest < Redmine::ControllerTest
    put :update_each, :params => {
        :custom_field_id => @field.id,
        :custom_field_enumerations => {
-          @bar.id => {
+          @bar.id.to_s => {
            :position => "1",
            :name => "Baz",
            :active => "1"
          },    
-                @foo.id => {
+          @foo.id.to_s => {
            :position => "2",
            :name => "Foo",
            :active => "0"