Open
Description
I'm getting a mass-assignment warning on version 1.0.
log file:
Redirected to https://redmineserver/pgp
WARNING: Can't mass-assign protected attributes for Pgpkey: user_id, fpr, secret
Looking at the pgpkeys database table, only NULLs are inserted for user_id, fpr, and secret.
Reloading the page for a user results in no key apparently loaded even though the flash showed success. Looking at the GPG key chain shows the user key in there.
Updating models/pgpkey.rb to:
    class Pgpkey < ActiveRecord::Base
      unloadable
      attr_accessible :user_id, :fpr, :secret
      ....
solves the problem and loads the database appropriately.
Environment:
Redmine version 3.0.1.stable
Ruby version 1.9.3-p484 (2013-11-22) [x86_64-linux]
Rails version 4.2.0
Environment production
Database adapter PostgreSQL
SCM:
Git 1.9.1
Filesystem
Xitolite 1.9.1
Redmine plugins:
openpgp 1.0
projects_table 0.0.4
redmine_banner 0.1.1
redmine_bootstrap_kit 0.2.4
redmine_ckeditor 1.1.3
redmine_git_hosting 1.2-devel
redmine_per_project_formatting 0.0.4
redmine_wiki_extensions 0.7.0
userproj 0.0.1
wiki_latex 0.1.0
Activity
timegrid commented on Mar 18, 2017
Thanks for filing the report. I can't reproduce this behavior with:
Also another environment with Rails 4.2.3 is missing those symptoms, and without a deeper look I suspect Rails to be the cause for it.
What causes this message exactly? The context suggests you tried to save a public pgp key as a normal user.
As I understand, your solution would be less secure without further checks on the user input, so I won't include it without.
On the other hand, you might consider upgrading Redmine, as your version is quite old and possibly insecure (see Security Advisories).
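The trade-off discussed in this thread, as an added example that is not part of the issue or of the plugin's code: a plain-Ruby model of the allowlist filter behind the warning, next to explicit assignment that takes the owner from the session. `KeyRecord`, `assign`, `assign_owned` and the request values are hypothetical, and the example assumes the form supplies the fingerprint and that uploaded keys are public keys.

```ruby
# Added illustration in plain Ruby (no Rails required); not code from the openpgp plugin.
# KeyRecord is a hypothetical stand-in for a model with user_id, fpr and secret columns.
class KeyRecord
  ATTRS = %i[user_id fpr secret].freeze
  attr_reader :warnings, *ATTRS

  def initialize(accessible)
    @accessible = accessible & ATTRS # the allowlist, as attr_accessible would declare it
    @warnings = []
  end

  # Mass assignment: keys outside the allowlist are dropped, so those columns stay nil (NULL).
  def assign(params)
    rejected = params.keys.map(&:to_sym) - @accessible
    unless rejected.empty?
      @warnings << "Can't mass-assign protected attributes for KeyRecord: #{rejected.join(', ')}"
    end
    params.each { |k, v| instance_variable_set("@#{k}", v) if @accessible.include?(k.to_sym) }
    self
  end

  # Explicit assignment: the owner comes from the session, never from the request,
  # and the one request-supplied field is validated first.
  # Assumptions: the form supplies the fingerprint, and uploaded keys are public keys.
  def assign_owned(current_user_id, params)
    fpr = params[:fpr].to_s.delete(' ').upcase
    raise ArgumentError, 'fingerprint must be 40 hex characters' unless fpr.match?(/\A[0-9A-F]{40}\z/)
    @user_id = current_user_id
    @fpr = fpr
    @secret = false
    self
  end
end

# Constructed request parameters: user 7 is signed in, the form also carries a user_id.
REQUEST = { user_id: 99, fpr: 'ab12 cd34 ' * 5, secret: true }.freeze
```

With an empty allowlist, `assign(REQUEST)` leaves all three columns nil as in the report; with all three allowlisted, the request's `user_id` is stored as sent; `assign_owned(7, REQUEST)` stores the session's user instead.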