Merge pull request #1561 from dosire/mass_assignment

Protect users projects_limit from mass assignment.
This commit is contained in:
Dmitriy Zaporozhets 2012-09-26 05:45:16 -07:00
commit 3c132f2e68
3 changed files with 32 additions and 5 deletions

View file

@ -30,7 +30,7 @@ class Admin::UsersController < AdminController
def new def new
@admin_user = User.new(projects_limit: Gitlab.config.default_projects_limit) @admin_user = User.new({ projects_limit: Gitlab.config.default_projects_limit }, as: :admin)
end end
def edit def edit
@ -60,7 +60,7 @@ class Admin::UsersController < AdminController
def create def create
admin = params[:user].delete("admin") admin = params[:user].delete("admin")
@admin_user = User.new(params[:user]) @admin_user = User.new(params[:user], as: :admin)
@admin_user.admin = (admin && admin.to_i > 0) @admin_user.admin = (admin && admin.to_i > 0)
respond_to do |format| respond_to do |format|
@ -86,7 +86,7 @@ class Admin::UsersController < AdminController
@admin_user.admin = (admin && admin.to_i > 0) @admin_user.admin = (admin && admin.to_i > 0)
respond_to do |format| respond_to do |format|
if @admin_user.update_attributes(params[:user]) if @admin_user.update_attributes(params[:user], as: :admin)
format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' } format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' }
format.json { head :ok } format.json { head :ok }
else else

View file

@ -6,8 +6,9 @@ class User < ActiveRecord::Base
:recoverable, :rememberable, :trackable, :validatable, :omniauthable :recoverable, :rememberable, :trackable, :validatable, :omniauthable
attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, attr_accessible :email, :password, :password_confirmation, :remember_me, :bio,
:name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme, :name, :skype, :linkedin, :twitter, :dark_scheme,
:theme_id, :force_random_password, :extern_uid, :provider :theme_id, :force_random_password, :extern_uid, :provider, :as => [:default, :admin]
attr_accessible :projects_limit, :as => :admin
attr_accessor :force_random_password attr_accessor :force_random_password

View file

@ -73,4 +73,30 @@ describe User do
user.authentication_token.should_not be_blank user.authentication_token.should_not be_blank
end end
end end
describe "attributes can be changed by a regular user" do
before do
@user = Factory :user
@user.update_attributes(skype: "testskype", linkedin: "testlinkedin")
end
it { @user.skype.should == 'testskype' }
it { @user.linkedin.should == 'testlinkedin' }
end
describe "attributes that shouldn't be changed by a regular user" do
before do
@user = Factory :user
@user.update_attributes(projects_limit: 50)
end
it { @user.projects_limit.should_not == 50 }
end
describe "attributes can be changed by an admin user" do
before do
@admin_user = Factory :admin
@admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin)
end
it { @admin_user.skype.should == 'testskype' }
it { @admin_user.projects_limit.should == 50 }
end
end end