Whitelist UserController#signup params0.15.0.3 hotfix/0.15.0.3

Protects from mass-assignment exploit attempts
author: Gareth Rees <gareth@mysociety.org> 2014-09-09 14:58:27 +0100
committer: Gareth Rees <gareth@mysociety.org> 2014-09-09 20:19:25 +0100
commit: fbb25bdb29fcbbf982e5b1fa65ac87cabf838116 (patch)
tree: d81bdd30a411be6c1d79f524997e6b74d1472fd5 /app/controllers
parent: 4eb8432dedc8b521086cdf163ebe5d373396d39a (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 175425280..c2cc426d4 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -196,7 +196,7 @@ class UserController < ApplicationController
         work_out_post_redirect
         @request_from_foreign_country = country_from_ip != AlaveteliConfiguration::iso_country_code
         # Make the user and try to save it
-        @user_signup = User.new(params[:user_signup])
+        @user_signup = User.new(user_params(:user_signup))
         error = false
         if @request_from_foreign_country && !verify_recaptcha
             flash.now[:error] = _("There was an error with the words you entered, please try again.")
@@ -598,6 +598,10 @@ class UserController < ApplicationController
 
     private
 
+    def user_params(key = :user)
+        params[key].slice(:name, :email, :password, :password_confirmation)
+    end
+
     def is_modal_dialog
         (params[:modal].to_i != 0)
     end
author	Gareth Rees <gareth@mysociety.org>	2014-09-09 14:58:27 +0100
committer	Gareth Rees <gareth@mysociety.org>	2014-09-09 20:19:25 +0100
commit	fbb25bdb29fcbbf982e5b1fa65ac87cabf838116 (patch)
tree	d81bdd30a411be6c1d79f524997e6b74d1472fd5 /app/controllers
parent	4eb8432dedc8b521086cdf163ebe5d373396d39a (diff)