Use safe_attributes for auth sources.

git-svn-id: http://svn.redmine.org/redmine/trunk@15692 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-05 04:45:57 +01:00 · 2016-07-17 08:18:26 +00:00
parent cc30a0423e
commit d7a6c09822
2 changed files with 28 additions and 5 deletions
--- a/app/controllers/auth_sources_controller.rb
+++ b/app/controllers/auth_sources_controller.rb
@@ -20,6 +20,7 @@ class AuthSourcesController < ApplicationController
  menu_item :ldap_authentication

  before_action :require_admin
+  before_action :build_new_auth_source, :only => [:new, :create]
  before_action :find_auth_source, :only => [:edit, :update, :test_connection, :destroy]
  require_sudo_mode :update, :destroy

@@ -28,13 +29,9 @@ class AuthSourcesController < ApplicationController
  end

  def new
-    klass_name = params[:type] || 'AuthSourceLdap'
-    @auth_source = AuthSource.new_subclass_instance(klass_name, params[:auth_source])
-    render_404 unless @auth_source
  end

  def create
-    @auth_source = AuthSource.new_subclass_instance(params[:type], params[:auth_source])
    if @auth_source.save
      flash[:notice] = l(:notice_successful_create)
      redirect_to auth_sources_path
@@ -47,7 +44,8 @@ class AuthSourcesController < ApplicationController
  end

  def update
-    if @auth_source.update_attributes(params[:auth_source])
+    @auth_source.safe_attributes = params[:auth_source]
+    if @auth_source.save
      flash[:notice] = l(:notice_successful_update)
      redirect_to auth_sources_path
    else
@@ -89,6 +87,15 @@ class AuthSourcesController < ApplicationController

  private

+  def build_new_auth_source
+    @auth_source = AuthSource.new_subclass_instance(params[:type] || 'AuthSourceLdap')
+    if @auth_source
+      @auth_source.safe_attributes = params[:auth_source]
+    else
+      render_404
+    end
+  end
+
  def find_auth_source
    @auth_source = AuthSource.find(params[:id])
  rescue ActiveRecord::RecordNotFound
--- a/app/models/auth_source.rb
+++ b/app/models/auth_source.rb
@@ -21,6 +21,7 @@ class AuthSourceException < Exception; end
 class AuthSourceTimeoutException < AuthSourceException; end

 class AuthSource < ActiveRecord::Base
+  include Redmine::SafeAttributes
  include Redmine::SubclassFactory
  include Redmine::Ciphering

@@ -31,6 +32,21 @@ class AuthSource < ActiveRecord::Base
  validates_length_of :name, :maximum => 60
  attr_protected :id

+  safe_attributes 'name',
+    'host',
+    'port',
+    'account',
+    'account_password',
+    'base_dn',
+    'attr_login',
+    'attr_firstname',
+    'attr_lastname',
+    'attr_mail',
+    'onthefly_register',
+    'tls',
+    'filter',
+    'timeout'
+
  def authenticate(login, password)
  end