Whitelist UserController#signup params0.15.0.3 hotfix/0.15.0.3

Protects from mass-assignment exploit attempts
author: Gareth Rees <gareth@mysociety.org> 2014-09-09 14:58:27 +0100
committer: Gareth Rees <gareth@mysociety.org> 2014-09-09 20:19:25 +0100
commit: fbb25bdb29fcbbf982e5b1fa65ac87cabf838116 (patch)
tree: d81bdd30a411be6c1d79f524997e6b74d1472fd5 /spec/controllers/user_controller_spec.rb
parent: 4eb8432dedc8b521086cdf163ebe5d373396d39a (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/spec/controllers/user_controller_spec.rb b/spec/controllers/user_controller_spec.rb
index 0033309a5..442a75269 100644
--- a/spec/controllers/user_controller_spec.rb
+++ b/spec/controllers/user_controller_spec.rb
@@ -292,6 +292,16 @@ describe UserController, "when signing up" do
         deliveries[0].body.should match(/when\s+you\s+already\s+have\s+an/)
     end
 
+    it 'accepts only whitelisted parameters' do
+      post :signup, { :user_signup => { :email => 'silly@localhost',
+                                        :name => 'New Person',
+                                        :password => 'sillypassword',
+                                        :password_confirmation => 'sillypassword',
+                                        :admin_level => 'super' } }
+
+      expect(assigns(:user_signup).admin_level).to eq('none')
+    end
+
     # XXX need to do bob@localhost signup and check that sends different email
 end
author	Gareth Rees <gareth@mysociety.org>	2014-09-09 14:58:27 +0100
committer	Gareth Rees <gareth@mysociety.org>	2014-09-09 20:19:25 +0100
commit	fbb25bdb29fcbbf982e5b1fa65ac87cabf838116 (patch)
tree	d81bdd30a411be6c1d79f524997e6b74d1472fd5 /spec/controllers/user_controller_spec.rb
parent	4eb8432dedc8b521086cdf163ebe5d373396d39a (diff)