Commit 5928388b1c5b41cf11471391b3ec6226167132fd

Authored by Marin Jankovski
1 parent 8ec95642

Protect users projects_limit from mass assignment.

app/controllers/admin/users_controller.rb
@@ -30,7 +30,7 @@ class Admin::UsersController < AdminController @@ -30,7 +30,7 @@ class Admin::UsersController < AdminController
30 30
31 31
32 def new 32 def new
33 - @admin_user = User.new(projects_limit: Gitlab.config.default_projects_limit) 33 + @admin_user = User.new({ projects_limit: Gitlab.config.default_projects_limit }, as: :admin)
34 end 34 end
35 35
36 def edit 36 def edit
@@ -60,7 +60,7 @@ class Admin::UsersController < AdminController @@ -60,7 +60,7 @@ class Admin::UsersController < AdminController
60 def create 60 def create
61 admin = params[:user].delete("admin") 61 admin = params[:user].delete("admin")
62 62
63 - @admin_user = User.new(params[:user]) 63 + @admin_user = User.new(params[:user], as: :admin)
64 @admin_user.admin = (admin && admin.to_i > 0) 64 @admin_user.admin = (admin && admin.to_i > 0)
65 65
66 respond_to do |format| 66 respond_to do |format|
@@ -86,7 +86,7 @@ class Admin::UsersController < AdminController @@ -86,7 +86,7 @@ class Admin::UsersController < AdminController
86 @admin_user.admin = (admin && admin.to_i > 0) 86 @admin_user.admin = (admin && admin.to_i > 0)
87 87
88 respond_to do |format| 88 respond_to do |format|
89 - if @admin_user.update_attributes(params[:user]) 89 + if @admin_user.update_attributes(params[:user], as: :admin)
90 format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' } 90 format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' }
91 format.json { head :ok } 91 format.json { head :ok }
92 else 92 else
app/models/user.rb
@@ -6,8 +6,9 @@ class User < ActiveRecord::Base @@ -6,8 +6,9 @@ class User < ActiveRecord::Base
6 :recoverable, :rememberable, :trackable, :validatable, :omniauthable 6 :recoverable, :rememberable, :trackable, :validatable, :omniauthable
7 7
8 attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, 8 attr_accessible :email, :password, :password_confirmation, :remember_me, :bio,
9 - :name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme,  
10 - :theme_id, :force_random_password, :extern_uid, :provider 9 + :name, :skype, :linkedin, :twitter, :dark_scheme,
  10 + :theme_id, :force_random_password, :extern_uid, :provider, :as => [:default, :admin]
  11 + attr_accessible :projects_limit, :as => :admin
11 12
12 attr_accessor :force_random_password 13 attr_accessor :force_random_password
13 14
spec/models/user_spec.rb
@@ -73,4 +73,30 @@ describe User do @@ -73,4 +73,30 @@ describe User do
73 user.authentication_token.should_not be_blank 73 user.authentication_token.should_not be_blank
74 end 74 end
75 end 75 end
  76 +
  77 + describe "attributes can be changed by a regular user" do
  78 + before do
  79 + @user = Factory :user
  80 + @user.update_attributes(skype: "testskype", linkedin: "testlinkedin")
  81 + end
  82 + it { @user.skype.should == 'testskype' }
  83 + it { @user.linkedin.should == 'testlinkedin' }
  84 + end
  85 +
  86 + describe "attributes that shouldn't be changed by a regular user" do
  87 + before do
  88 + @user = Factory :user
  89 + @user.update_attributes(projects_limit: 50)
  90 + end
  91 + it { @user.projects_limit.should_not == 50 }
  92 + end
  93 +
  94 + describe "attributes can be changed by an admin user" do
  95 + before do
  96 + @admin_user = Factory :admin
  97 + @admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin)
  98 + end
  99 + it { @admin_user.skype.should == 'testskype' }
  100 + it { @admin_user.projects_limit.should == 50 }
  101 + end
76 end 102 end