Commit 3c132f2e6896c7c1aa787ddc61ae230d9a205700
Exists in
master
and in
4 other branches
Merge pull request #1561 from dosire/mass_assignment
Protect users projects_limit from mass assignment.
Showing
3 changed files
with
32 additions
and
5 deletions
Show diff stats
app/controllers/admin/users_controller.rb
| @@ -30,7 +30,7 @@ class Admin::UsersController < AdminController | @@ -30,7 +30,7 @@ class Admin::UsersController < AdminController | ||
| 30 | 30 | ||
| 31 | 31 | ||
| 32 | def new | 32 | def new |
| 33 | - @admin_user = User.new(projects_limit: Gitlab.config.default_projects_limit) | 33 | + @admin_user = User.new({ projects_limit: Gitlab.config.default_projects_limit }, as: :admin) |
| 34 | end | 34 | end |
| 35 | 35 | ||
| 36 | def edit | 36 | def edit |
| @@ -60,7 +60,7 @@ class Admin::UsersController < AdminController | @@ -60,7 +60,7 @@ class Admin::UsersController < AdminController | ||
| 60 | def create | 60 | def create |
| 61 | admin = params[:user].delete("admin") | 61 | admin = params[:user].delete("admin") |
| 62 | 62 | ||
| 63 | - @admin_user = User.new(params[:user]) | 63 | + @admin_user = User.new(params[:user], as: :admin) |
| 64 | @admin_user.admin = (admin && admin.to_i > 0) | 64 | @admin_user.admin = (admin && admin.to_i > 0) |
| 65 | 65 | ||
| 66 | respond_to do |format| | 66 | respond_to do |format| |
| @@ -86,7 +86,7 @@ class Admin::UsersController < AdminController | @@ -86,7 +86,7 @@ class Admin::UsersController < AdminController | ||
| 86 | @admin_user.admin = (admin && admin.to_i > 0) | 86 | @admin_user.admin = (admin && admin.to_i > 0) |
| 87 | 87 | ||
| 88 | respond_to do |format| | 88 | respond_to do |format| |
| 89 | - if @admin_user.update_attributes(params[:user]) | 89 | + if @admin_user.update_attributes(params[:user], as: :admin) |
| 90 | format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' } | 90 | format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' } |
| 91 | format.json { head :ok } | 91 | format.json { head :ok } |
| 92 | else | 92 | else |
app/models/user.rb
| @@ -6,8 +6,9 @@ class User < ActiveRecord::Base | @@ -6,8 +6,9 @@ class User < ActiveRecord::Base | ||
| 6 | :recoverable, :rememberable, :trackable, :validatable, :omniauthable | 6 | :recoverable, :rememberable, :trackable, :validatable, :omniauthable |
| 7 | 7 | ||
| 8 | attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, | 8 | attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, |
| 9 | - :name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme, | ||
| 10 | - :theme_id, :force_random_password, :extern_uid, :provider | 9 | + :name, :skype, :linkedin, :twitter, :dark_scheme, |
| 10 | + :theme_id, :force_random_password, :extern_uid, :provider, :as => [:default, :admin] | ||
| 11 | + attr_accessible :projects_limit, :as => :admin | ||
| 11 | 12 | ||
| 12 | attr_accessor :force_random_password | 13 | attr_accessor :force_random_password |
| 13 | 14 |
spec/models/user_spec.rb
| @@ -73,4 +73,30 @@ describe User do | @@ -73,4 +73,30 @@ describe User do | ||
| 73 | user.authentication_token.should_not be_blank | 73 | user.authentication_token.should_not be_blank |
| 74 | end | 74 | end |
| 75 | end | 75 | end |
| 76 | + | ||
| 77 | + describe "attributes can be changed by a regular user" do | ||
| 78 | + before do | ||
| 79 | + @user = Factory :user | ||
| 80 | + @user.update_attributes(skype: "testskype", linkedin: "testlinkedin") | ||
| 81 | + end | ||
| 82 | + it { @user.skype.should == 'testskype' } | ||
| 83 | + it { @user.linkedin.should == 'testlinkedin' } | ||
| 84 | + end | ||
| 85 | + | ||
| 86 | + describe "attributes that shouldn't be changed by a regular user" do | ||
| 87 | + before do | ||
| 88 | + @user = Factory :user | ||
| 89 | + @user.update_attributes(projects_limit: 50) | ||
| 90 | + end | ||
| 91 | + it { @user.projects_limit.should_not == 50 } | ||
| 92 | + end | ||
| 93 | + | ||
| 94 | + describe "attributes can be changed by an admin user" do | ||
| 95 | + before do | ||
| 96 | + @admin_user = Factory :admin | ||
| 97 | + @admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin) | ||
| 98 | + end | ||
| 99 | + it { @admin_user.skype.should == 'testskype' } | ||
| 100 | + it { @admin_user.projects_limit.should == 50 } | ||
| 101 | + end | ||
| 76 | end | 102 | end |