Whitelist user controller signup params0.18.0.14 hotfix/0.18.0.14

author: Louise Crow <louise.crow@gmail.com> 2014-09-09 18:48:55 +0100
committer: Louise Crow <louise.crow@gmail.com> 2014-09-09 18:48:55 +0100
commit: 04ccf9987b4a83495999c99f7a67c38b2fab67f4 (patch)
tree: 7f6f4d9483b73d693a4ca4741e76288573408677
parent: ae29addfe3b4cd5ba6d6b04301f9d403c76089d8 (diff)
2 files changed, 16 insertions, 1 deletions
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 8d6522923..70036341c 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -199,7 +199,7 @@ class UserController < ApplicationController
         work_out_post_redirect
         @request_from_foreign_country = country_from_ip != AlaveteliConfiguration::iso_country_code
         # Make the user and try to save it
-        @user_signup = User.new(params[:user_signup])
+        @user_signup = User.new(user_params(:user_signup))
         error = false
         if @request_from_foreign_country && !verify_recaptcha
             flash.now[:error] = _("There was an error with the words you entered, please try again.")
@@ -601,6 +601,10 @@ class UserController < ApplicationController
 
     private
 
+    def user_params(key = :user)
+        params[key].slice(:name, :email, :password, :password_confirmation)
+    end
+
     def is_modal_dialog
         (params[:modal].to_i != 0)
     end
diff --git a/spec/controllers/user_controller_spec.rb b/spec/controllers/user_controller_spec.rb
index cf361d898..e9510ec0d 100644
--- a/spec/controllers/user_controller_spec.rb
+++ b/spec/controllers/user_controller_spec.rb
@@ -327,6 +327,17 @@ describe UserController, "when signing up" do
         deliveries[0].body.should match(/when\s+you\s+already\s+have\s+an/)
     end
 
+    it 'accepts only whitelisted parameters' do
+      post :signup, { :user_signup => { :email => 'silly@localhost',
+                                        :name => 'New Person',
+                                        :password => 'sillypassword',
+                                        :password_confirmation => 'sillypassword',
+                                        :admin_level => 'super' } }
+
+      expect(assigns(:user_signup).admin_level).to eq('none')
+    end
+
+
     # XXX need to do bob@localhost signup and check that sends different email
 end
author	Louise Crow <louise.crow@gmail.com>	2014-09-09 18:48:55 +0100
committer	Louise Crow <louise.crow@gmail.com>	2014-09-09 18:48:55 +0100
commit	04ccf9987b4a83495999c99f7a67c38b2fab67f4 (patch)
tree	7f6f4d9483b73d693a4ca4741e76288573408677
parent	ae29addfe3b4cd5ba6d6b04301f9d403c76089d8 (diff)