Use safe_attributes for issue statuses.

git-svn-id: http://svn.redmine.org/redmine/trunk@15691 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/issue_statuses_controller.rb

@@ -35,7 +35,8 @@ class IssueStatusesController < ApplicationController
   end
 
   def create
-    @issue_status = IssueStatus.new(params[:issue_status])
+    @issue_status = IssueStatus.new
+    @issue_status.safe_attributes = params[:issue_status]
     if @issue_status.save
       flash[:notice] = l(:notice_successful_create)
       redirect_to issue_statuses_path
@@ -50,7 +51,8 @@ class IssueStatusesController < ApplicationController
 
   def update
     @issue_status = IssueStatus.find(params[:id])
-    if @issue_status.update_attributes(params[:issue_status])
+    @issue_status.safe_attributes = params[:issue_status]
+    if @issue_status.save
       respond_to do |format|
         format.html {
           flash[:notice] = l(:notice_successful_update)

app/models/issue_status.rb

@@ -16,6 +16,8 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class IssueStatus < ActiveRecord::Base
+  include Redmine::SafeAttributes
+
   before_destroy :check_integrity
   has_many :workflows, :class_name => 'WorkflowTransition', :foreign_key => "old_status_id"
   has_many :workflow_transitions_as_new_status, :class_name => 'WorkflowTransition', :foreign_key => "new_status_id"
@@ -33,6 +35,11 @@ class IssueStatus < ActiveRecord::Base
   scope :sorted, lambda { order(:position) }
   scope :named, lambda {|arg| where("LOWER(#{table_name}.name) = LOWER(?)", arg.to_s.strip)}
 
+  safe_attributes 'name',
+    'is_closed',
+    'position',
+    'default_done_ratio'
+
   # Update all the +Issues+ setting their done_ratio to the value of their +IssueStatus+
   def self.update_issue_done_ratios
     if Issue.use_status_for_done_ratio?