Whitelist UserController#signup params0.19.0.3 hotfix/0.19.0.3

Protects from mass-assignment exploit attempts
author: Gareth Rees <gareth@mysociety.org> 2014-09-09 14:58:27 +0100
committer: Gareth Rees <gareth@mysociety.org> 2014-09-09 14:58:27 +0100
commit: 9eda544f43ea1df1d824674c22275a88daa8dedb (patch)
tree: 8ba17275f375e433425e2042e2f04d7e6d1ca4d1 /app/controllers/user_controller.rb
parent: f1a2b5e46f59205877c3b2013f76b1072e0fe201 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index fcc500e06..f23343ddb 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -199,7 +199,7 @@ class UserController < ApplicationController
         work_out_post_redirect
         @request_from_foreign_country = country_from_ip != AlaveteliConfiguration::iso_country_code
         # Make the user and try to save it
-        @user_signup = User.new(params[:user_signup])
+        @user_signup = User.new(user_params(:user_signup))
         error = false
         if @request_from_foreign_country && !verify_recaptcha
             flash.now[:error] = _("There was an error with the words you entered, please try again.")
@@ -601,6 +601,10 @@ class UserController < ApplicationController
 
     private
 
+    def user_params(key = :user)
+        params[key].slice(:name, :email, :password, :password_confirmation)
+    end
+
     def is_modal_dialog
         (params[:modal].to_i != 0)
     end
author	Gareth Rees <gareth@mysociety.org>	2014-09-09 14:58:27 +0100
committer	Gareth Rees <gareth@mysociety.org>	2014-09-09 14:58:27 +0100
commit	9eda544f43ea1df1d824674c22275a88daa8dedb (patch)
tree	8ba17275f375e433425e2042e2f04d7e6d1ca4d1 /app/controllers/user_controller.rb
parent	f1a2b5e46f59205877c3b2013f76b1072e0fe201 (diff)