Commit 5928388b1c5b41cf11471391b3ec6226167132fd
1 parent
8ec95642
Exists in
master
and in
4 other branches
Protect users projects_limit from mass assignment.
Showing
3 changed files
with
32 additions
and
5 deletions
Show diff stats
app/controllers/admin/users_controller.rb
@@ -30,7 +30,7 @@ class Admin::UsersController < AdminController | @@ -30,7 +30,7 @@ class Admin::UsersController < AdminController | ||
30 | 30 | ||
31 | 31 | ||
32 | def new | 32 | def new |
33 | - @admin_user = User.new(projects_limit: Gitlab.config.default_projects_limit) | 33 | + @admin_user = User.new({ projects_limit: Gitlab.config.default_projects_limit }, as: :admin) |
34 | end | 34 | end |
35 | 35 | ||
36 | def edit | 36 | def edit |
@@ -60,7 +60,7 @@ class Admin::UsersController < AdminController | @@ -60,7 +60,7 @@ class Admin::UsersController < AdminController | ||
60 | def create | 60 | def create |
61 | admin = params[:user].delete("admin") | 61 | admin = params[:user].delete("admin") |
62 | 62 | ||
63 | - @admin_user = User.new(params[:user]) | 63 | + @admin_user = User.new(params[:user], as: :admin) |
64 | @admin_user.admin = (admin && admin.to_i > 0) | 64 | @admin_user.admin = (admin && admin.to_i > 0) |
65 | 65 | ||
66 | respond_to do |format| | 66 | respond_to do |format| |
@@ -86,7 +86,7 @@ class Admin::UsersController < AdminController | @@ -86,7 +86,7 @@ class Admin::UsersController < AdminController | ||
86 | @admin_user.admin = (admin && admin.to_i > 0) | 86 | @admin_user.admin = (admin && admin.to_i > 0) |
87 | 87 | ||
88 | respond_to do |format| | 88 | respond_to do |format| |
89 | - if @admin_user.update_attributes(params[:user]) | 89 | + if @admin_user.update_attributes(params[:user], as: :admin) |
90 | format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' } | 90 | format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' } |
91 | format.json { head :ok } | 91 | format.json { head :ok } |
92 | else | 92 | else |
app/models/user.rb
@@ -6,8 +6,9 @@ class User < ActiveRecord::Base | @@ -6,8 +6,9 @@ class User < ActiveRecord::Base | ||
6 | :recoverable, :rememberable, :trackable, :validatable, :omniauthable | 6 | :recoverable, :rememberable, :trackable, :validatable, :omniauthable |
7 | 7 | ||
8 | attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, | 8 | attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, |
9 | - :name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme, | ||
10 | - :theme_id, :force_random_password, :extern_uid, :provider | 9 | + :name, :skype, :linkedin, :twitter, :dark_scheme, |
10 | + :theme_id, :force_random_password, :extern_uid, :provider, :as => [:default, :admin] | ||
11 | + attr_accessible :projects_limit, :as => :admin | ||
11 | 12 | ||
12 | attr_accessor :force_random_password | 13 | attr_accessor :force_random_password |
13 | 14 |
spec/models/user_spec.rb
@@ -73,4 +73,30 @@ describe User do | @@ -73,4 +73,30 @@ describe User do | ||
73 | user.authentication_token.should_not be_blank | 73 | user.authentication_token.should_not be_blank |
74 | end | 74 | end |
75 | end | 75 | end |
76 | + | ||
77 | + describe "attributes can be changed by a regular user" do | ||
78 | + before do | ||
79 | + @user = Factory :user | ||
80 | + @user.update_attributes(skype: "testskype", linkedin: "testlinkedin") | ||
81 | + end | ||
82 | + it { @user.skype.should == 'testskype' } | ||
83 | + it { @user.linkedin.should == 'testlinkedin' } | ||
84 | + end | ||
85 | + | ||
86 | + describe "attributes that shouldn't be changed by a regular user" do | ||
87 | + before do | ||
88 | + @user = Factory :user | ||
89 | + @user.update_attributes(projects_limit: 50) | ||
90 | + end | ||
91 | + it { @user.projects_limit.should_not == 50 } | ||
92 | + end | ||
93 | + | ||
94 | + describe "attributes can be changed by an admin user" do | ||
95 | + before do | ||
96 | + @admin_user = Factory :admin | ||
97 | + @admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin) | ||
98 | + end | ||
99 | + it { @admin_user.skype.should == 'testskype' } | ||
100 | + it { @admin_user.projects_limit.should == 50 } | ||
101 | + end | ||
76 | end | 102 | end |