Whitelist UserController#signup params0.13.0.5 hotfix/0.13.0.5

Protects from mass-assignment exploit attempts
author: Gareth Rees <gareth@mysociety.org> 2014-09-09 14:58:27 +0100
committer: Gareth Rees <gareth@mysociety.org> 2014-09-09 20:21:18 +0100
commit: cf62c3e58595ef2fac2f7ec49304fd827ecbd854 (patch)
tree: 34f1b84eb1c9428b7d86770fa2c37964a1257225 /spec/controllers
parent: 9f9f60106e8e65a5fd7ba5c979e87c03413518f1 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/spec/controllers/user_controller_spec.rb b/spec/controllers/user_controller_spec.rb
index 0033309a5..442a75269 100644
--- a/spec/controllers/user_controller_spec.rb
+++ b/spec/controllers/user_controller_spec.rb
@@ -292,6 +292,16 @@ describe UserController, "when signing up" do
         deliveries[0].body.should match(/when\s+you\s+already\s+have\s+an/)
     end
 
+    it 'accepts only whitelisted parameters' do
+      post :signup, { :user_signup => { :email => 'silly@localhost',
+                                        :name => 'New Person',
+                                        :password => 'sillypassword',
+                                        :password_confirmation => 'sillypassword',
+                                        :admin_level => 'super' } }
+
+      expect(assigns(:user_signup).admin_level).to eq('none')
+    end
+
     # XXX need to do bob@localhost signup and check that sends different email
 end
author	Gareth Rees <gareth@mysociety.org>	2014-09-09 14:58:27 +0100
committer	Gareth Rees <gareth@mysociety.org>	2014-09-09 20:21:18 +0100
commit	cf62c3e58595ef2fac2f7ec49304fd827ecbd854 (patch)
tree	34f1b84eb1c9428b7d86770fa2c37964a1257225 /spec/controllers
parent	9f9f60106e8e65a5fd7ba5c979e87c03413518f1 (diff)