Do not allow to mass assign OTP fields on user edit page

2022-04-27 19:48:42 +02:00 · 2022-04-27 19:48:42 +02:00 · 43ee2dbb50
commit 43ee2dbb50
parent 1cfe0037f9
3 changed files with 29 additions and 16 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -140,8 +140,6 @@ class UsersController < ApplicationController
      :auto_follow_back_aspect_id,
      :getting_started,
      :post_default_public,
-      :otp_required_for_login,
-      :otp_secret,
      email_preferences: UserPreference::VALID_EMAIL_TYPES.map(&:to_sym)
    )
  end
--- a/app/views/two_factor_authentications/_activate.haml
+++ b/app/views/two_factor_authentications/_activate.haml
@ -6,6 +6,5 @@

      .well= t("two_factor_auth.deactivated.status")
      = form_for "user", url: two_factor_authentication_path, html: {method: :post} do |f|
-        = f.hidden_field :otp_required_for_login, value: true
        .clearfix.form-group= f.submit t("two_factor_auth.deactivated.change_button"),
        class: "btn btn-primary pull-right"
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -110,21 +110,20 @@ describe UsersController, :type => :controller do
    end
  end

-  describe '#update' do
-    before do
-      @params  = { :id => @user.id,
-                  :user => { :diaspora_handle => "notreal@stuff.com" } }
-    end
+  describe "#update" do
+    context "with random params" do
+      let(:params) { {id: @user.id, user: {diaspora_handle: "notreal@stuff.com"}} }

-    it "doesn't overwrite random attributes" do
-      expect {
-        put :update, params: @params
-      }.not_to change(@user, :diaspora_handle)
-    end
+      it "doesn't overwrite random attributes" do
+        expect {
+          put :update, params: params
+        }.not_to change(@user, :diaspora_handle)
+      end

-    it 'renders the user edit page' do
-      put :update, params: @params
-      expect(response).to render_template('edit')
+      it "renders the user edit page" do
+        put :update, params: params
+        expect(response).to render_template('edit')
+      end
    end

    describe "password updates" do
@ -158,6 +157,23 @@ describe UsersController, :type => :controller do
      end
    end

+    context "with otp params" do
+      let(:otp_params) { {otp_required_for_login: false, otp_secret: "mykey"} }
+      let(:params) { {id: @user.id, user: otp_params} }
+
+      before do
+        allow(@controller).to receive(:current_user).and_return(@user)
+        allow(@user).to receive(:update_attributes)
+      end
+
+      it "does not accept the params" do
+        put :update, params: params
+
+        expect(@user).not_to have_received(:update_attributes)
+          .with(hash_including(:otp_required_for_login, :otp_secret))
+      end
+    end
+
    describe 'language' do
      it "allows the user to change their language" do
        old_language = 'en'