From 04ccf9987b4a83495999c99f7a67c38b2fab67f4 Mon Sep 17 00:00:00 2001
From: Louise Crow
Date: Tue, 9 Sep 2014 18:48:55 +0100
Subject: Whitelist user controller signup params
---
spec/controllers/user_controller_spec.rb | 11 +++++++++++
1 file changed, 11 insertions(+)
(limited to 'spec/controllers/user_controller_spec.rb')
diff --git a/spec/controllers/user_controller_spec.rb b/spec/controllers/user_controller_spec.rb
index cf361d898..e9510ec0d 100644
--- a/spec/controllers/user_controller_spec.rb
+++ b/spec/controllers/user_controller_spec.rb
@@ -327,6 +327,17 @@ describe UserController, "when signing up" do
 deliveries[0].body.should match(/when\s+you\s+already\s+have\s+an/)
 end
 
+ it 'accepts only whitelisted parameters' do
+ post :signup, { :user_signup => { :email => 'silly@localhost',
+ :name => 'New Person',
+ :password => 'sillypassword',
+ :password_confirmation => 'sillypassword',
+ :admin_level => 'super' } }
+
+ expect(assigns(:user_signup).admin_level).to eq('none')
+ end
+
+
 # XXX need to do bob@localhost signup and check that sends different email
 end
 
-- 
cgit v1.2.3
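Review bot: The new example only asserts that `admin_level` stays `'none'`, so it would still pass if the controller dropped the whole `:user_signup` hash rather than filtering it. Since the name says "accepts only whitelisted parameters", I would also pin the accepting half with something like `expect(assigns(:user_signup).email).to eq('silly@localhost')`, assuming the model exposes the attribute under that name. A short comment above the example would help too, for instance `# Regression test: signup must not allow mass-assignment of privileged attributes such as admin_level`. If the user model has other privileged attributes, they deserve the same check; none are visible here because the enclosing `describe` block starts outside the hunk.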