Whitelist UserController#signup params0.16.0.9 hotfix/0.16.0.9

Protects from mass-assignment exploit attempts
author: Gareth Rees <gareth@mysociety.org> 2014-09-09 14:58:27 +0100
committer: Gareth Rees <gareth@mysociety.org> 2014-09-09 20:17:02 +0100
commit: 6eb64e26f7420d392b9df9998da897f4bd9328c9 (patch)
tree: cf24d5a274cfe7004b00805ca5d46151a6fbcebf /spec/controllers
parent: 8e911d5bd0e60a0e0e4859868662cc176419d2e3 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/spec/controllers/user_controller_spec.rb b/spec/controllers/user_controller_spec.rb
index 0033309a5..442a75269 100644
--- a/spec/controllers/user_controller_spec.rb
+++ b/spec/controllers/user_controller_spec.rb
@@ -292,6 +292,16 @@ describe UserController, "when signing up" do
         deliveries[0].body.should match(/when\s+you\s+already\s+have\s+an/)
     end
 
+    it 'accepts only whitelisted parameters' do
+      post :signup, { :user_signup => { :email => 'silly@localhost',
+                                        :name => 'New Person',
+                                        :password => 'sillypassword',
+                                        :password_confirmation => 'sillypassword',
+                                        :admin_level => 'super' } }
+
+      expect(assigns(:user_signup).admin_level).to eq('none')
+    end
+
     # XXX need to do bob@localhost signup and check that sends different email
 end
author	Gareth Rees <gareth@mysociety.org>	2014-09-09 14:58:27 +0100
committer	Gareth Rees <gareth@mysociety.org>	2014-09-09 20:17:02 +0100
commit	6eb64e26f7420d392b9df9998da897f4bd9328c9 (patch)
tree	cf24d5a274cfe7004b00805ca5d46151a6fbcebf /spec/controllers
parent	8e911d5bd0e60a0e0e4859868662cc176419d2e3 (diff)