Whitelist UserController#signup params0.19.0.3 hotfix/0.19.0.3

Protects from mass-assignment exploit attempts
author: Gareth Rees <gareth@mysociety.org> 2014-09-09 14:58:27 +0100
committer: Gareth Rees <gareth@mysociety.org> 2014-09-09 14:58:27 +0100
commit: 9eda544f43ea1df1d824674c22275a88daa8dedb (patch)
tree: 8ba17275f375e433425e2042e2f04d7e6d1ca4d1 /spec/controllers/user_controller_spec.rb
parent: f1a2b5e46f59205877c3b2013f76b1072e0fe201 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/spec/controllers/user_controller_spec.rb b/spec/controllers/user_controller_spec.rb
index 6ecdf1ad4..e4854fe6b 100644
--- a/spec/controllers/user_controller_spec.rb
+++ b/spec/controllers/user_controller_spec.rb
@@ -327,6 +327,16 @@ describe UserController, "when signing up" do
         deliveries[0].body.should match(/when\s+you\s+already\s+have\s+an/)
     end
 
+    it 'accepts only whitelisted parameters' do
+      post :signup, { :user_signup => { :email => 'silly@localhost',
+                                        :name => 'New Person',
+                                        :password => 'sillypassword',
+                                        :password_confirmation => 'sillypassword',
+                                        :admin_level => 'super' } }
+
+      expect(assigns(:user_signup).admin_level).to eq('none')
+    end
+
     # TODO: need to do bob@localhost signup and check that sends different email
 end
author	Gareth Rees <gareth@mysociety.org>	2014-09-09 14:58:27 +0100
committer	Gareth Rees <gareth@mysociety.org>	2014-09-09 14:58:27 +0100
commit	9eda544f43ea1df1d824674c22275a88daa8dedb (patch)
tree	8ba17275f375e433425e2042e2f04d7e6d1ca4d1 /spec/controllers/user_controller_spec.rb
parent	f1a2b5e46f59205877c3b2013f76b1072e0fe201 (diff)