Merge branch 'fix_template_leak' into 'master'

Fix template params leak in mail with template Closes #210 See merge request !992

Merge branch 'fix_template_leak' into 'master'
Fix template params leak in mail with template Closes #210 See merge request !992
Victor Costa
2 parents a0194228 1253d22d
Showing 2 changed files with 11 additions and 1 deletions Show diff stats
app/helpers/email_template_helper.rb
test/unit/user_mailer_test.rb
@@ -6,7 +6,7 @@ module EmailTemplateHelper
       params[:subject] = params[:email_template].parsed_subject(params[:template_params])
       params[:content_type] = "text/html"
     end
-    mail(params.except(:email_template))
+    mail(params.except(:email_template, :template_params))
   end
  
 end
@@ -44,6 +44,16 @@ fast_create(Person))
     assert_equal 'activation template body', mail.body.to_s
   end
  
+  should 'not leak template params into activation email' do
+    EmailTemplate.create!(:template_type => :user_activation, :name => 'template1', :subject => 'activation template subject', :body => 'activation template body', :owner => Environment.default)
+    assert_difference 'ActionMailer::Base.deliveries.size' do
+      u = create_user('some-user')
+      UserMailer.activation_code(u).deliver
+    end
+    mail = ActionMailer::Base.deliveries.last
+    assert_nil mail['template-params']
+  end
+
   private
  
     def read_fixture(action)
...	...	@@ -6,7 +6,7 @@ module EmailTemplateHelper
6	6	params[:subject] = params[:email_template].parsed_subject(params[:template_params])
7	7	params[:content_type] = "text/html"
8	8	end
9		- mail(params.except(:email_template))
	9	+ mail(params.except(:email_template, :template_params))
10	10	end
11	11
12	12	end
...	...
...	...	@@ -44,6 +44,16 @@ fast_create(Person))
44	44	assert_equal 'activation template body', mail.body.to_s
45	45	end
46	46
	47	+ should 'not leak template params into activation email' do
	48	+ EmailTemplate.create!(:template_type => :user_activation, :name => 'template1', :subject => 'activation template subject', :body => 'activation template body', :owner => Environment.default)
	49	+ assert_difference 'ActionMailer::Base.deliveries.size' do
	50	+ u = create_user('some-user')
	51	+ UserMailer.activation_code(u).deliver
	52	+ end
	53	+ mail = ActionMailer::Base.deliveries.last
	54	+ assert_nil mail['template-params']
	55	+ end
	56	+
47	57	private
48	58
49	59	def read_fixture(action)
...	...