Commit 1253d22d5e05d379eb8f4e605d39e62eb91f4773
1 parent
4a9f3410
Exists in
staging
and in
4 other branches
Fix template params leak in mail with template
Closes #210
Showing
2 changed files
with
11 additions
and
1 deletions
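--- a/app/helpers/email_template_helper.rb
+++ b/app/helpers/email_template_helper.rb
@@ -6,7 +6,7 @@ module EmailTemplateHelper
 params[:subject] = params[:email_template].parsed_subject(params[:template_params])
 params[:content_type] = "text/html"
 end
-mail(params.except(:email_template))
+mail(params.except(:email_template, :template_params))
 end
 
 end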
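Review bot: The call `mail(params.except(:email_template, :template_params))` is still a denylist, so any other helper-only key a caller later adds to `params` would again be passed to `mail` and, as the leak fixed here suggests, could end up in the outgoing message headers. Naming the stripped keys once and saying why would make that harder to miss, e.g. `INTERNAL_KEYS = [:email_template, :template_params].freeze` with the comment `# keys consumed by this helper; anything left in params is handed to mail()` and `mail(params.except(*INTERNAL_KEYS))`. If the set of legitimate mail options is small and known, an allowlist via `params.slice(...)` would be stricter, but that depends on callers not visible here. The method's opening lines are outside the hunk.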
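--- a/test/unit/user_mailer_test.rb
+++ b/test/unit/user_mailer_test.rb
@@ -44,6 +44,16 @@ fast_create(Person))
 assert_equal 'activation template body', mail.body.to_s
 end
 
+should 'not leak template params into activation email' do
+EmailTemplate.create!(:template_type => :user_activation, :name => 'template1', :subject => 'activation template subject', :body => 'activation template body', :owner => Environment.default)
+assert_difference 'ActionMailer::Base.deliveries.size' do
+u = create_user('some-user')
+UserMailer.activation_code(u).deliver
+end
+mail = ActionMailer::Base.deliveries.last
+assert_nil mail['template-params']
+end
+
 private
 
 def read_fixture(action)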
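Review bot: The new test asserts only `assert_nil mail['template-params']`, which passes for any message lacking a header of exactly that name, so it would not catch the sibling key or the same data leaving under another field name. Adding `assert_nil mail['email-template']` next to it covers the other key the helper strips. The test also exercises only the path where an `EmailTemplate` exists. Whether a mailer can reach the helper with `:template_params` set but no template is not visible here; if it can, a second case without the `EmailTemplate.create!` line would pin that path too.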