more protection against mass assignment

13 years ago · 928720f6b6
parent 56301694c3
commit 928720f6b6
6 changed files with 11 additions and 4 deletions
--- a/app/models/cost_type.rb
+++ b/app/models/cost_type.rb
@ -8,6 +8,8 @@ class CostType < ActiveRecord::Base
  after_update :save_rates
  attr_accessible :name, :unit, :unit_plural, :default, :new_rate_attributes
  named_scope :active, :conditions => { :deleted_at => nil }
  # finds the default CostType
--- a/app/models/group_user.rb
+++ b/app/models/group_user.rb
@ -3,6 +3,8 @@ class GroupUser < ActiveRecord::Base
  belongs_to :user
  belongs_to :group
  attr_accessible :user, :group, :membership_type
  MEMBERSHIP_TYPES = %w(default controller)
  DEFAULT_MEMBERSHIP_TYPE = :default
--- a/app/models/labor_budget_item.rb
+++ b/app/models/labor_budget_item.rb
@ -5,6 +5,7 @@ class LaborBudgetItem < ActiveRecord::Base
  validates_length_of :comments, :maximum => 255, :allow_nil => true
  validates_presence_of :user
  # user_id correctness is ensured in VariableCostObject#*_labor_budget_item_attributes=
  attr_accessible :hours, :comments, :budget, :user_id
  def costs
--- a/app/models/material_budget_item.rb
+++ b/app/models/material_budget_item.rb
@ -5,7 +5,7 @@ class MaterialBudgetItem < ActiveRecord::Base
  validates_length_of :comments, :maximum => 255, :allow_nil => true
  validates_presence_of :cost_type
-  attr_accessible :units, :comments, :budget, :cost_type_id
+  attr_accessible :units, :comments, :budget, :cost_type, :cost_type_id
  def costs
    self.budget || self.calculated_costs
--- a/app/models/variable_cost_object.rb
+++ b/app/models/variable_cost_object.rb
@ -119,7 +119,9 @@ class VariableCostObject < CostObject
  def new_labor_budget_item_attributes=(labor_budget_item_attributes)
    labor_budget_item_attributes.each do |index, attributes|
-      labor_budget_items.build(attributes) if attributes[:hours].to_i > 0 && attributes[:user_id].to_i > 0
+      if attributes[:hours].to_i > 0 && attributes[:user_id].to_i > 0 && project.assignable_users.map(&:id).include?(attributes[:user_id].to_i)
        labor_budget_items.build(attributes)
      end
    end
  end
@ -127,7 +129,7 @@ class VariableCostObject < CostObject
    labor_budget_items.reject(&:new_record?).each do |labor_budget_item|
      attributes = labor_budget_item_attributes[labor_budget_item.id.to_s]
      if User.current.allowed_to? :edit_cost_objects, labor_budget_item.cost_object.project
-        if attributes && attributes[:hours].to_i > 0 && attributes[:user_id].to_i > 0
+        if attributes && attributes[:hours].to_i > 0 && attributes[:user_id].to_i > 0 && project.assignable_users.map(&:id).include?(attributes[:user_id].to_i)
          attributes[:budget] = Rate.clean_currency(attributes[:budget])
          labor_budget_item.attributes = attributes
        else
--- a/lib/costs_groups_controller_patch.rb
+++ b/lib/costs_groups_controller_patch.rb
@ -19,7 +19,7 @@ module CostsGroupsControllerPatch
      # following three lines added/changed to original function
      membership_type = params[:membership_type] || "default"
      groups_users = users.each do |u|
-        @group.groups_users.create!(:user_id => u.id, :membership_type => membership_type)
+        @group.groups_users.create!(:user => u, :membership_type => membership_type)
      end
      respond_to do |format|