From 928720f6b6823979cbe2b62e51e901e54e9210da Mon Sep 17 00:00:00 2001
From: Martin Linkhorst
Date: Mon, 14 May 2012 14:54:41 +0200
Subject: [PATCH] more protection against mass assignment
---
 app/models/cost_type.rb | 2 ++
 app/models/group_user.rb | 2 ++
 app/models/labor_budget_item.rb | 1 +
 app/models/material_budget_item.rb | 2 +-
 app/models/variable_cost_object.rb | 6 ++++--
 lib/costs_groups_controller_patch.rb | 2 +-
 6 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/app/models/cost_type.rb b/app/models/cost_type.rb
index dc12c651b4..8e4c275a58 100644
--- a/app/models/cost_type.rb
+++ b/app/models/cost_type.rb
@@ -8,6 +8,8 @@ class CostType < ActiveRecord::Base after_update :save_rates + attr_accessible :name, :unit, :unit_plural, :default, :new_rate_attributes + named_scope :active, :conditions => { :deleted_at => nil } # finds the default CostType
diff --git a/app/models/group_user.rb b/app/models/group_user.rb
index b462e9278d..31affea1c3 100644
--- a/app/models/group_user.rb
+++ b/app/models/group_user.rb
@@ -3,6 +3,8 @@ class GroupUser < ActiveRecord::Base belongs_to :user belongs_to :group + + attr_accessible :user, :group, :membership_type MEMBERSHIP_TYPES = %w(default controller) DEFAULT_MEMBERSHIP_TYPE = :default
diff --git a/app/models/labor_budget_item.rb b/app/models/labor_budget_item.rb
index 19957cc020..c5cb0a43de 100644
--- a/app/models/labor_budget_item.rb
+++ b/app/models/labor_budget_item.rb
@@ -5,6 +5,7 @@ class LaborBudgetItem < ActiveRecord::Base validates_length_of :comments, :maximum => 255, :allow_nil => true validates_presence_of :user + # user_id correctness is ensured in VariableCostObject#*_labor_budget_item_attributes= attr_accessible :hours, :comments, :budget, :user_id def costs
diff --git a/app/models/material_budget_item.rb b/app/models/material_budget_item.rb
index bf813a250c..3b56321db5 100644
--- a/app/models/material_budget_item.rb
+++ b/app/models/material_budget_item.rb
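Review bot: `:default` in the new `attr_accessible` list on CostType means any form that mass-assigns a cost type can also flip which type is treated as the default (the `# finds the default CostType` helper just below the hunk presumably reads that flag), so every controller action that updates cost types implicitly gains the power to change the global default. If that is intended, record it next to the whitelist, e.g. `# :default is mass-assignable: anyone who can edit a cost type can change the default`; otherwise drop `:default` from the list and set it explicitly in the one action that owns that decision. `:new_rate_attributes` is a custom writer whose validation lives outside this hunk, so the whitelist only controls that the key may reach it, not what it accepts.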
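Review bot: `:membership_type` becomes mass-assignable on GroupUser while the lib/costs_groups_controller_patch.rb hunk feeds it straight from `params[:membership_type] || "default"`, yet no inclusion validation against `MEMBERSHIP_TYPES` is visible in this hunk. Unless one exists elsewhere in the class, `validates_inclusion_of :membership_type, :in => MEMBERSHIP_TYPES` beside the whitelist keeps arbitrary strings out of the column, and `create!` in the controller will then raise on a bad value instead of persisting it. Whitelisting the `:user`/`:group` associations rather than their ids is the right call; a short comment such as `# ids are deliberately not accessible; assign the records themselves` would stop a later change from re-adding `:user_id`.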
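Review bot: The added comment promises that `user_id` correctness is ensured in VariableCostObject, but `:user_id` stays in the model's own `attr_accessible` list, so the guarantee only holds for callers that go through those two writers; a `LaborBudgetItem.new(attrs)` built anywhere else is unchecked. Either word the comment as a constraint on callers, e.g. `# user_id is mass-assignable; only assign it via VariableCostObject#*_labor_budget_item_attributes=, which checks project.assignable_users`, or move the check into the model as a validation against the cost object's project so it holds regardless of entry point (the app/models/variable_cost_object.rb hunks show the check that would move). The class body continues outside the hunk, so an existing validation there would change this assessment.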
@@ -5,7 +5,7 @@ class MaterialBudgetItem < ActiveRecord::Base validates_length_of :comments, :maximum => 255, :allow_nil => true validates_presence_of :cost_type - attr_accessible :units, :comments, :budget, :cost_type_id + attr_accessible :units, :comments, :budget, :cost_type, :cost_type_id def costs self.budget || self.calculated_costs
diff --git a/app/models/variable_cost_object.rb b/app/models/variable_cost_object.rb
index a6b43e8921..cc39da9024 100644
--- a/app/models/variable_cost_object.rb
+++ b/app/models/variable_cost_object.rb
@@ -119,7 +119,9 @@ class VariableCostObject < CostObject def new_labor_budget_item_attributes=(labor_budget_item_attributes) labor_budget_item_attributes.each do |index, attributes| - labor_budget_items.build(attributes) if attributes[:hours].to_i > 0 && attributes[:user_id].to_i > 0 + if attributes[:hours].to_i > 0 && attributes[:user_id].to_i > 0 && project.assignable_users.map(&:id).include?(attributes[:user_id].to_i) + labor_budget_items.build(attributes) + end end end
@@ -127,7 +129,7 @@ class VariableCostObject < CostObject labor_budget_items.reject(&:new_record?).each do |labor_budget_item| attributes = labor_budget_item_attributes[labor_budget_item.id.to_s] if User.current.allowed_to? :edit_cost_objects, labor_budget_item.cost_object.project - if attributes && attributes[:hours].to_i > 0 && attributes[:user_id].to_i > 0 + if attributes && attributes[:hours].to_i > 0 && attributes[:user_id].to_i > 0 && project.assignable_users.map(&:id).include?(attributes[:user_id].to_i) attributes[:budget] = Rate.clean_currency(attributes[:budget]) labor_budget_item.attributes = attributes else
diff --git a/lib/costs_groups_controller_patch.rb b/lib/costs_groups_controller_patch.rb
index fae19018fc..0ef604d6ab 100644
--- a/lib/costs_groups_controller_patch.rb
+++ b/lib/costs_groups_controller_patch.rb
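Review bot: `project.assignable_users.map(&:id)` is evaluated inside the `each` in both hunks of app/models/variable_cost_object.rb, so every posted item re-runs the assignable-users lookup (a query per row if `assignable_users` hits the database, as its name suggests); hoist it once per writer, `assignable_ids = project.assignable_users.map(&:id)` before the `each`, and test `assignable_ids.include?(attributes[:user_id].to_i)` in the condition. Items whose user is not assignable are dropped silently in the first hunk and fall into the `else` branch in the second; that branch is outside the hunk, so if it destroys or marks the existing item, a request carrying an unassignable `user_id` removes a budget item rather than being rejected, and at minimum an `errors.add` would tell the user why the row vanished. The second hunk also checks permission against `labor_budget_item.cost_object.project` but assignability against `project`; if those can ever differ, use the same object for both. The enclosing method of the second hunk starts outside it.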
@@ -19,7 +19,7 @@ module CostsGroupsControllerPatch # following three lines added/changed to original function membership_type = params[:membership_type] || "default" groups_users = users.each do |u| - @group.groups_users.create!(:user_id => u.id, :membership_type => membership_type) + @group.groups_users.create!(:user => u, :membership_type => membership_type) end respond_to do |format|
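Review bot: `create!` is called once per user inside the `each`, so a validation failure on the n-th user raises after the earlier GroupUser rows have already been committed, leaving a partially applied membership change; wrap the loop in `GroupUser.transaction do ... end` (the enclosing action starts outside the hunk, so a transaction there would cover this too). The `membership_type` passed here comes from `params[:membership_type] || "default"` and is now mass-assignable on GroupUser, so whether a bad value is rejected rests entirely on an inclusion validation against `MEMBERSHIP_TYPES` on that model; none is visible in this commit, so add one if it does not already exist.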