Commit 3c132f2e6896c7c1aa787ddc61ae230d9a205700
Exists in
master
and in
4 other branches
Merge pull request #1561 from dosire/mass_assignment
Protect users projects_limit from mass assignment.
Showing
3 changed files
with
32 additions
and
5 deletions
Show diff stats
app/controllers/admin/users_controller.rb
| ... | ... | @@ -30,7 +30,7 @@ class Admin::UsersController < AdminController |
| 30 | 30 | |
| 31 | 31 | |
| 32 | 32 | def new |
| 33 | - @admin_user = User.new(projects_limit: Gitlab.config.default_projects_limit) | |
| 33 | + @admin_user = User.new({ projects_limit: Gitlab.config.default_projects_limit }, as: :admin) | |
| 34 | 34 | end |
| 35 | 35 | |
| 36 | 36 | def edit |
| ... | ... | @@ -60,7 +60,7 @@ class Admin::UsersController < AdminController |
| 60 | 60 | def create |
| 61 | 61 | admin = params[:user].delete("admin") |
| 62 | 62 | |
| 63 | - @admin_user = User.new(params[:user]) | |
| 63 | + @admin_user = User.new(params[:user], as: :admin) | |
| 64 | 64 | @admin_user.admin = (admin && admin.to_i > 0) |
| 65 | 65 | |
| 66 | 66 | respond_to do |format| |
| ... | ... | @@ -86,7 +86,7 @@ class Admin::UsersController < AdminController |
| 86 | 86 | @admin_user.admin = (admin && admin.to_i > 0) |
| 87 | 87 | |
| 88 | 88 | respond_to do |format| |
| 89 | - if @admin_user.update_attributes(params[:user]) | |
| 89 | + if @admin_user.update_attributes(params[:user], as: :admin) | |
| 90 | 90 | format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' } |
| 91 | 91 | format.json { head :ok } |
| 92 | 92 | else | ... | ... |
app/models/user.rb
| ... | ... | @@ -6,8 +6,9 @@ class User < ActiveRecord::Base |
| 6 | 6 | :recoverable, :rememberable, :trackable, :validatable, :omniauthable |
| 7 | 7 | |
| 8 | 8 | attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, |
| 9 | - :name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme, | |
| 10 | - :theme_id, :force_random_password, :extern_uid, :provider | |
| 9 | + :name, :skype, :linkedin, :twitter, :dark_scheme, | |
| 10 | + :theme_id, :force_random_password, :extern_uid, :provider, :as => [:default, :admin] | |
| 11 | + attr_accessible :projects_limit, :as => :admin | |
| 11 | 12 | |
| 12 | 13 | attr_accessor :force_random_password |
| 13 | 14 | ... | ... |
spec/models/user_spec.rb
| ... | ... | @@ -73,4 +73,30 @@ describe User do |
| 73 | 73 | user.authentication_token.should_not be_blank |
| 74 | 74 | end |
| 75 | 75 | end |
| 76 | + | |
| 77 | + describe "attributes can be changed by a regular user" do | |
| 78 | + before do | |
| 79 | + @user = Factory :user | |
| 80 | + @user.update_attributes(skype: "testskype", linkedin: "testlinkedin") | |
| 81 | + end | |
| 82 | + it { @user.skype.should == 'testskype' } | |
| 83 | + it { @user.linkedin.should == 'testlinkedin' } | |
| 84 | + end | |
| 85 | + | |
| 86 | + describe "attributes that shouldn't be changed by a regular user" do | |
| 87 | + before do | |
| 88 | + @user = Factory :user | |
| 89 | + @user.update_attributes(projects_limit: 50) | |
| 90 | + end | |
| 91 | + it { @user.projects_limit.should_not == 50 } | |
| 92 | + end | |
| 93 | + | |
| 94 | + describe "attributes can be changed by an admin user" do | |
| 95 | + before do | |
| 96 | + @admin_user = Factory :admin | |
| 97 | + @admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin) | |
| 98 | + end | |
| 99 | + it { @admin_user.skype.should == 'testskype' } | |
| 100 | + it { @admin_user.projects_limit.should == 50 } | |
| 101 | + end | |
| 76 | 102 | end | ... | ... |