Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-07 13:55:52 +01:00
Code Issues Packages Projects Releases Activity

Handle admin and login with safe_attributes.

Browse Source 
git-svn-id: http://svn.redmine.org/redmine/trunk@15663 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang
2016-07-14 11:56:39 +00:00
parent 26c5459de7
commit c55dd52b07
3 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/account_controller.rb
View File

@@ -137,7 +137,6 @@ class AccountController < ApplicationController
redirect_to my_account_path
end
else
@user.login = params[:user][:login]
unless user_params[:identity_url].present? && user_params[:password].blank? && user_params[:password_confirmation].blank?
@user.password, @user.password_confirmation = user_params[:password], user_params[:password_confirmation]
end

6
app/controllers/users_controller.rb
View File

@@ -87,10 +87,8 @@ class UsersController < ApplicationController
end
def create
@user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option)
@user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option, :admin => false)
@user.safe_attributes = params[:user]
@user.admin = params[:user][:admin] || false
@user.login = params[:user][:login]
@user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation] unless @user.auth_source_id
@user.pref.attributes = params[:pref] if params[:pref]
@@ -127,8 +125,6 @@ class UsersController < ApplicationController
end
def update
@user.admin = params[:user][:admin] if params[:user][:admin]
@user.login = params[:user][:login] if params[:user][:login]
if params[:user][:password].present? && (@user.auth_source_id.nil? || params[:user][:auth_source_id].blank?)
@user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation]
end

7
app/models/user.rb
View File

@@ -100,7 +100,7 @@ class User < Principal
attr_accessor :remote_ip
# Prevents unauthorized assignments
attr_protected :login, :admin, :password, :password_confirmation, :hashed_password
attr_protected :password, :password_confirmation, :hashed_password
LOGIN_LENGTH_LIMIT = 60
MAIL_LENGTH_LIMIT = 60
@@ -696,10 +696,15 @@ class User < Principal
'custom_fields',
'identity_url'
safe_attributes 'login',
:if => lambda {|user, current_user| user.new_record?}
safe_attributes 'status',
'auth_source_id',
'generate_password',
'must_change_passwd',
'login',
'admin',
:if => lambda {|user, current_user| current_user.admin?}
safe_attributes 'group_ids',