diff --git a/app/controllers/costlog_controller.rb b/app/controllers/costlog_controller.rb
index 6dabac97fb..045aa4c29c 100644
--- a/app/controllers/costlog_controller.rb
+++ b/app/controllers/costlog_controller.rb
@@ -185,17 +185,17 @@ class CostlogController < ApplicationController
   end
 
   def find_associated_objects
-    user_id = params[:cost_entry].delete(:user_id)
+    user_id = cost_entry_params.delete(:user_id)
     @user = @cost_entry.present? && @cost_entry.user_id == user_id ?
       @cost_entry.user :
       User.find_by_id(user_id)
 
-    work_package_id = params[:cost_entry].delete(:work_package_id)
+    work_package_id = cost_entry_params.delete(:work_package_id)
     @work_package = @cost_entry.present? && @cost_entry.work_package_id == work_package_id ?
       @cost_entry.work_package :
       WorkPackage.find_by_id(work_package_id)
 
-    cost_type_id = params[:cost_entry].delete(:cost_type_id)
+    cost_type_id = cost_entry_params.delete(:cost_type_id)
     @cost_type = @cost_entry.present? && @cost_entry.cost_type_id == cost_type_id ?
       @cost_entry.cost_type :
       CostType.find_by_id(cost_type_id)
@@ -268,4 +268,10 @@ class CostlogController < ApplicationController
 
     @cost_entry.attributes = permitted_params.cost_entry
   end
+
+private
+  def cost_entry_params
+    params.require(:cost_entry).permit(:work_package_id, :spent_on, :user_id,
+                                       :cost_type_id, :units, :comments)
+  end
 end
diff --git a/lib/open_project/costs/patches/time_entry_patch.rb b/lib/open_project/costs/patches/time_entry_patch.rb
index cae29dbd0f..e4e4b2b6d7 100644
--- a/lib/open_project/costs/patches/time_entry_patch.rb
+++ b/lib/open_project/costs/patches/time_entry_patch.rb
@@ -27,7 +27,6 @@ module OpenProject::Costs::Patches::TimeEntryPatch
       # Same as typing in the class t.update_costs
       base.class_eval do
         belongs_to :rate, -> { where(type: ['HourlyRate', 'DefaultHourlyRate']) }, class_name: 'Rate'
-        attr_protected :costs, :rate_id
         scope :visible, lambda { |*args|
           where(TimeEntry.visible_condition(args[0] || User.current, args[1]))
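Review bot: Each of the three `cost_entry_params.delete(...)` calls in this hunk runs `params.require(:cost_entry).permit(...)` afresh, so `delete` only reads the value from a throwaway permitted hash; unlike the replaced `params[:cost_entry].delete`, it no longer strips `user_id`, `work_package_id` and `cost_type_id` from the request params. If `permitted_params.cost_entry`, which this controller later passes to `@cost_entry.attributes =`, permits any of those ids, the associations resolved here could be overwritten by caller-supplied values; that whitelist is outside this hunk, so please confirm. Either write the intent as a plain read, `user_id = cost_entry_params[:user_id]` (and likewise for the other two), or memoize `cost_entry_params` so the three deletes act on one object and the stripping is real again. The body of `find_associated_objects` continues past the end of the hunk.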
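Review bot: `private` is written at column 0 inside the class body while the method below it keeps the class's one-level indent; conventional layout is `  private` aligned with the method definitions, and this file's other methods appear to follow that indent. A one-line comment on `cost_entry_params` would help, because the permit list here and `permitted_params.cost_entry` used two lines above are two separate whitelists for the same model that can drift apart: `# Ids used only to resolve associations in find_associated_objects; attribute mass-assignment goes through permitted_params.cost_entry`. `:user_id` is permitted here, which lets a request name a different user for the entry; the check that the current user may log costs on that user's behalf is not in this hunk, so confirm it is enforced where `@user` is used.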