|
|
|
@ -27,7 +27,7 @@ |
|
|
|
|
# See doc/COPYRIGHT.rdoc for more details. |
|
|
|
|
#++ |
|
|
|
|
|
|
|
|
|
class PermittedParams < Struct.new(:params, :user) |
|
|
|
|
class PermittedParams < Struct.new(:params, :current_user) |
|
|
|
|
|
|
|
|
|
# This class intends to provide a method for all params hashes coming from the |
|
|
|
|
# client and that are used for mass assignment. |
|
|
|
@ -184,18 +184,37 @@ class PermittedParams < Struct.new(:params, :user) |
|
|
|
|
|
|
|
|
|
alias :update_work_package :new_work_package |
|
|
|
|
|
|
|
|
|
def user |
|
|
|
|
permitted_params = params.require(:user).permit(*self.class.permitted_attributes[:user]) |
|
|
|
|
permitted_params.merge!(custom_field_values(:user)) |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
def user_update_as_admin |
|
|
|
|
if user.admin? |
|
|
|
|
permitted_params = params.require(:user).permit(:firstname, |
|
|
|
|
:lastname, |
|
|
|
|
:mail, |
|
|
|
|
:mail_notification, |
|
|
|
|
:language, |
|
|
|
|
:custom_fields, |
|
|
|
|
:identity_url, |
|
|
|
|
:auth_source_id, |
|
|
|
|
if current_user.admin? |
|
|
|
|
allowed_params = self.class.permitted_attributes[:user] + \ |
|
|
|
|
[ :auth_source_id, |
|
|
|
|
:force_password_change, |
|
|
|
|
:group_ids => []) |
|
|
|
|
# Found these in safe_attributes and added them here as I |
|
|
|
|
# didn't know the consequences of removing these. |
|
|
|
|
# They were not allowed on update. |
|
|
|
|
:group_ids => []] |
|
|
|
|
|
|
|
|
|
permitted_params = params.require(:user).permit(*allowed_params) |
|
|
|
|
permitted_params.merge!(custom_field_values(:user)) |
|
|
|
|
|
|
|
|
|
permitted_params |
|
|
|
|
else |
|
|
|
|
params.require(:user).permit() |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
def user_create_as_admin |
|
|
|
|
if current_user.admin? |
|
|
|
|
allowed_params = self.class.permitted_attributes[:user] + \ |
|
|
|
|
[ :auth_source_id, |
|
|
|
|
:force_password_change] |
|
|
|
|
|
|
|
|
|
permitted_params = params.require(:user).permit(*allowed_params) |
|
|
|
|
permitted_params.merge!(custom_field_values(:user)) |
|
|
|
|
|
|
|
|
|
permitted_params |
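Review bot: The admin-only attribute list is now written out twice, in `user_update_as_admin` and the new `user_create_as_admin`, with the two copies differing only by `:group_ids => []`; since this list is precisely the set of attributes a non-admin must never be able to mass-assign, two hand-maintained copies will drift the first time a sensitive attribute is added to one path and forgotten on the other. Hoist the shared part into one frozen constant, `ADMIN_ONLY_USER_ATTRIBUTES = [:auth_source_id, :force_password_change].freeze`, and build each list from it: `allowed_params = self.class.permitted_attributes[:user] + ADMIN_ONLY_USER_ATTRIBUTES + [{ group_ids: [] }]` in the update path and `allowed_params = self.class.permitted_attributes[:user] + ADMIN_ONLY_USER_ATTRIBUTES` in the create path. The `else` branch of `user_update_as_admin` returns an empty permitted hash rather than signalling the authorization failure, so a non-admin reaching this path gets a silent no-op update instead of a rejection; a short comment such as `# Fail closed: nothing is permitted, but the controller must still enforce the admin check itself` would make it explicit that this method is not the authorization boundary (presumably a controller filter is, but that is not visible here). `user_create_as_admin` continues past the end of the hunk, so its non-admin branch could not be reviewed.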
|
|
|
@ -255,7 +274,7 @@ class PermittedParams < Struct.new(:params, :user) |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
def permitted_attributes(key, additions = {}) |
|
|
|
|
merged_args = { :params => params, :user => user }.merge(additions) |
|
|
|
|
merged_args = { :params => params, :current_user => current_user }.merge(additions) |
|
|
|
|
|
|
|
|
|
self.class.permitted_attributes[key].map do |permission| |
|
|
|
|
if permission.respond_to?(:call) |
|
|
|
@ -346,7 +365,7 @@ class PermittedParams < Struct.new(:params, :user) |
|
|
|
|
# avoid costly allowed_to? if the param is not there at all |
|
|
|
|
if args[:params]["work_package"] && |
|
|
|
|
args[:params]["work_package"].has_key?("watcher_user_ids") && |
|
|
|
|
args[:user].allowed_to?(:add_work_package_watchers, args[:project]) |
|
|
|
|
args[:current_user].allowed_to?(:add_work_package_watchers, args[:project]) |
|
|
|
|
|
|
|
|
|
{ :watcher_user_ids => [] } |
|
|
|
|
end |
|
|
|
@ -355,7 +374,7 @@ class PermittedParams < Struct.new(:params, :user) |
|
|
|
|
# avoid costly allowed_to? if the param is not there at all |
|
|
|
|
if args[:params]["work_package"] && |
|
|
|
|
args[:params]["work_package"].has_key?("time_entry") && |
|
|
|
|
args[:user].allowed_to?(:log_time, args[:project]) |
|
|
|
|
args[:current_user].allowed_to?(:log_time, args[:project]) |
|
|
|
|
|
|
|
|
|
{ time_entry: [:hours, :activity_id, :comments] } |
|
|
|
|
end |
|
|
|
@ -384,7 +403,7 @@ class PermittedParams < Struct.new(:params, :user) |
|
|
|
|
# avoid costly allowed_to? if the param is not there at all |
|
|
|
|
if args[:params]["planning_element"] && |
|
|
|
|
args[:params]["planning_element"].has_key?("watcher_user_ids") && |
|
|
|
|
args[:user].allowed_to?(:add_work_package_watchers, args[:project]) |
|
|
|
|
args[:current_user].allowed_to?(:add_work_package_watchers, args[:project]) |
|
|
|
|
|
|
|
|
|
{ :watcher_user_ids => [] } |
|
|
|
|
end |
|
|
|
@ -393,7 +412,7 @@ class PermittedParams < Struct.new(:params, :user) |
|
|
|
|
# avoid costly allowed_to? if the param is not there at all |
|
|
|
|
if args[:params]["planning_element"] && |
|
|
|
|
args[:params]["planning_element"].has_key?("time_entry") && |
|
|
|
|
args[:user].allowed_to?(:log_time, args[:project]) |
|
|
|
|
args[:current_user].allowed_to?(:log_time, args[:project]) |
|
|
|
|
|
|
|
|
|
{ time_entry: [:hours, :activity_id, :comments] } |
|
|
|
|
end |
|
|
|
@ -443,6 +462,14 @@ class PermittedParams < Struct.new(:params, :user) |
|
|
|
|
:color_id, |
|
|
|
|
:project_ids => [], |
|
|
|
|
:custom_field_ids => [] ], |
|
|
|
|
:user => [ |
|
|
|
|
:firstname, |
|
|
|
|
:lastname, |
|
|
|
|
:mail, |
|
|
|
|
:mail_notification, |
|
|
|
|
:language, |
|
|
|
|
:custom_fields, |
|
|
|
|
:identity_url ], |
|
|
|
|
:wiki_page => [ |
|
|
|
|
:title, |
|
|
|
|
:parent_id, |
|
|
|
|