diff options
| author | Gareth Rees <gareth@mysociety.org> | 2014-09-09 14:58:27 +0100 | 
|---|---|---|
| committer | Gareth Rees <gareth@mysociety.org> | 2014-09-09 20:19:25 +0100 | 
| commit | fbb25bdb29fcbbf982e5b1fa65ac87cabf838116 (patch) | |
| tree | d81bdd30a411be6c1d79f524997e6b74d1472fd5 | |
| parent | 4eb8432dedc8b521086cdf163ebe5d373396d39a (diff) | |
Whitelist UserController#signup params0.15.0.3hotfix/0.15.0.3
Protects from mass-assignment exploit attempts
| -rw-r--r-- | app/controllers/user_controller.rb | 6 | ||||
| -rw-r--r-- | spec/controllers/user_controller_spec.rb | 10 | 
2 files changed, 15 insertions, 1 deletions
| diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb index 175425280..c2cc426d4 100644 --- a/app/controllers/user_controller.rb +++ b/app/controllers/user_controller.rb @@ -196,7 +196,7 @@ class UserController < ApplicationController          work_out_post_redirect          @request_from_foreign_country = country_from_ip != AlaveteliConfiguration::iso_country_code          # Make the user and try to save it -        @user_signup = User.new(params[:user_signup]) +        @user_signup = User.new(user_params(:user_signup))          error = false          if @request_from_foreign_country && !verify_recaptcha              flash.now[:error] = _("There was an error with the words you entered, please try again.") @@ -598,6 +598,10 @@ class UserController < ApplicationController      private +    def user_params(key = :user) +        params[key].slice(:name, :email, :password, :password_confirmation) +    end +      def is_modal_dialog          (params[:modal].to_i != 0)      end diff --git a/spec/controllers/user_controller_spec.rb b/spec/controllers/user_controller_spec.rb index 0033309a5..442a75269 100644 --- a/spec/controllers/user_controller_spec.rb +++ b/spec/controllers/user_controller_spec.rb @@ -292,6 +292,16 @@ describe UserController, "when signing up" do          deliveries[0].body.should match(/when\s+you\s+already\s+have\s+an/)      end +    it 'accepts only whitelisted parameters' do +      post :signup, { :user_signup => { :email => 'silly@localhost', +                                        :name => 'New Person', +                                        :password => 'sillypassword', +                                        :password_confirmation => 'sillypassword', +                                        :admin_level => 'super' } } + +      expect(assigns(:user_signup).admin_level).to eq('none') +    end +      # XXX need to do bob@localhost signup and check that sends different email  end | 
