authorGareth Rees <gareth@mysociety.org>2014-09-09 14:58:27 +0100
committerGareth Rees <gareth@mysociety.org>2014-09-09 14:58:27 +0100
commit9eda544f43ea1df1d824674c22275a88daa8dedb (patch)
tree8ba17275f375e433425e2042e2f04d7e6d1ca4d1
parentf1a2b5e46f59205877c3b2013f76b1072e0fe201 (diff)
Whitelist UserController#signup params0.19.0.3hotfix/0.19.0.3
Protects from mass-assignment exploit attempts
-rw-r--r--app/controllers/user_controller.rb6
-rw-r--r--spec/controllers/user_controller_spec.rb10
2 files changed, 15 insertions, 1 deletions
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index fcc500e06..f23343ddb 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -199,7 +199,7 @@ class UserController < ApplicationController
work_out_post_redirect
@request_from_foreign_country = country_from_ip != AlaveteliConfiguration::iso_country_code
# Make the user and try to save it
- @user_signup = User.new(params[:user_signup])
+ @user_signup = User.new(user_params(:user_signup))
error = false
if @request_from_foreign_country && !verify_recaptcha
flash.now[:error] = _("There was an error with the words you entered, please try again.")
@@ -601,6 +601,10 @@ class UserController < ApplicationController
private
+ def user_params(key = :user)
+ params[key].slice(:name, :email, :password, :password_confirmation)
+ end
+
def is_modal_dialog
(params[:modal].to_i != 0)
end
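Review bot: The added `params[key].slice(...)` in `user_params` dereferences `params[key]` with no nil guard, so a signup request that omits the `user_signup` hash now raises NoMethodError where the previous `User.new(params[:user_signup])` passed nil through to ActiveRecord, which accepts it; `params.fetch(key, {}).slice(:name, :email, :password, :password_confirmation)` keeps the whitelist and the old tolerance. The whitelist is also undocumented; a comment such as `# Mass-assignment whitelist: only these keys may reach User.new from request params; new attributes must be added here deliberately` would tell the next maintainer why the list exists. The default `key = :user` suggests other actions are intended to share the helper, though only signup calls it in this commit.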
diff --git a/spec/controllers/user_controller_spec.rb b/spec/controllers/user_controller_spec.rb
index 6ecdf1ad4..e4854fe6b 100644
--- a/spec/controllers/user_controller_spec.rb
+++ b/spec/controllers/user_controller_spec.rb
@@ -327,6 +327,16 @@ describe UserController, "when signing up" do
deliveries[0].body.should match(/when\s+you\s+already\s+have\s+an/)
end
+ it 'accepts only whitelisted parameters' do
+ post :signup, { :user_signup => { :email => 'silly@localhost',
+ :name => 'New Person',
+ :password => 'sillypassword',
+ :password_confirmation => 'sillypassword',
+ :admin_level => 'super' } }
+
+ expect(assigns(:user_signup).admin_level).to eq('none')
+ end
+
# TODO: need to do bob@localhost signup and check that sends different email
end
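Review bot: The new example asserts only that `admin_level` comes back as `'none'`, which demonstrates the attribute was dropped only if the model's default is indeed `'none'` and nothing else sets it; adding an assertion on a whitelisted attribute, e.g. `expect(assigns(:user_signup).email).to eq('silly@localhost')`, would also show the permitted keys still reach the model. A companion example posting without a `:user_signup` hash at all would pin how the new `user_params` helper behaves on a missing key, which this spec does not exercise.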