Use safe_attributes for auth sources.

git-svn-id: http://svn.redmine.org/redmine/trunk@15692 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/auth_sources_controller.rb

@@ -20,6 +20,7 @@ class AuthSourcesController < ApplicationController
   menu_item :ldap_authentication
 
   before_action :require_admin
+  before_action :build_new_auth_source, :only => [:new, :create]
   before_action :find_auth_source, :only => [:edit, :update, :test_connection, :destroy]
   require_sudo_mode :update, :destroy
 
@@ -28,13 +29,9 @@ class AuthSourcesController < ApplicationController
   end
 
   def new
-    klass_name = params[:type] || 'AuthSourceLdap'
-    @auth_source = AuthSource.new_subclass_instance(klass_name, params[:auth_source])
-    render_404 unless @auth_source
   end
 
   def create
-    @auth_source = AuthSource.new_subclass_instance(params[:type], params[:auth_source])
     if @auth_source.save
       flash[:notice] = l(:notice_successful_create)
       redirect_to auth_sources_path
@@ -47,7 +44,8 @@ class AuthSourcesController < ApplicationController
   end
 
   def update
-    if @auth_source.update_attributes(params[:auth_source])
+    @auth_source.safe_attributes = params[:auth_source]
+    if @auth_source.save
       flash[:notice] = l(:notice_successful_update)
       redirect_to auth_sources_path
     else
@@ -89,6 +87,15 @@ class AuthSourcesController < ApplicationController
 
   private
 
+  def build_new_auth_source
+    @auth_source = AuthSource.new_subclass_instance(params[:type] || 'AuthSourceLdap')
+    if @auth_source
+      @auth_source.safe_attributes = params[:auth_source]
+    else
+      render_404
+    end
+  end
+
   def find_auth_source
     @auth_source = AuthSource.find(params[:id])
   rescue ActiveRecord::RecordNotFound