Commit c61020632147e0855cf229bce81aa080ca1e5992
1 parent
770ec335
Exists in
master
and in
4 other branches
fix mass-assignment error in user create API
Showing
2 changed files
with
6 additions
and
6 deletions
Show diff stats
lib/api/users.rb
| @@ -23,7 +23,7 @@ module Gitlab | @@ -23,7 +23,7 @@ module Gitlab | ||
| 23 | @user = User.find(params[:id]) | 23 | @user = User.find(params[:id]) |
| 24 | present @user, with: Entities::User | 24 | present @user, with: Entities::User |
| 25 | end | 25 | end |
| 26 | - | 26 | + |
| 27 | # Create user. Available only for admin | 27 | # Create user. Available only for admin |
| 28 | # | 28 | # |
| 29 | # Parameters: | 29 | # Parameters: |
| @@ -40,7 +40,7 @@ module Gitlab | @@ -40,7 +40,7 @@ module Gitlab | ||
| 40 | post do | 40 | post do |
| 41 | authenticated_as_admin! | 41 | authenticated_as_admin! |
| 42 | attrs = attributes_for_keys [:email, :name, :password, :password_confirmation, :skype, :linkedin, :twitter, :projects_limit] | 42 | attrs = attributes_for_keys [:email, :name, :password, :password_confirmation, :skype, :linkedin, :twitter, :projects_limit] |
| 43 | - user = User.new attrs | 43 | + user = User.new attrs, as: :admin |
| 44 | if user.save | 44 | if user.save |
| 45 | present user, with: Entities::User | 45 | present user, with: Entities::User |
| 46 | else | 46 | else |
spec/requests/api/users_spec.rb
| @@ -4,7 +4,7 @@ describe Gitlab::API do | @@ -4,7 +4,7 @@ describe Gitlab::API do | ||
| 4 | include ApiHelpers | 4 | include ApiHelpers |
| 5 | 5 | ||
| 6 | let(:user) { Factory :user } | 6 | let(:user) { Factory :user } |
| 7 | - let(:admin) {Factory :admin} | 7 | + let(:admin) { Factory :admin } |
| 8 | let(:key) { Factory :key, user: user } | 8 | let(:key) { Factory :key, user: user } |
| 9 | 9 | ||
| 10 | describe "GET /users" do | 10 | describe "GET /users" do |
| @@ -42,9 +42,9 @@ describe Gitlab::API do | @@ -42,9 +42,9 @@ describe Gitlab::API do | ||
| 42 | end | 42 | end |
| 43 | 43 | ||
| 44 | it "should create user" do | 44 | it "should create user" do |
| 45 | - expect{ | ||
| 46 | - post api("/users", admin), Factory.attributes(:user) | ||
| 47 | - }.to change{User.count}.by(1) | 45 | + expect { |
| 46 | + post api("/users", admin), Factory.attributes(:user, projects_limit: 3) | ||
| 47 | + }.to change { User.count }.by(1) | ||
| 48 | end | 48 | end |
| 49 | 49 | ||
| 50 | it "shouldn't available for non admin users" do | 50 | it "shouldn't available for non admin users" do |