Do not allow to mass assign OTP fields on user edit page
This commit is contained in:
parent
1cfe0037f9
commit
43ee2dbb50
3 changed files with 29 additions and 16 deletions
@ -140,8 +140,6 @@ class UsersController < ApplicationController
|
||||||
:auto_follow_back_aspect_id,
|
:auto_follow_back_aspect_id,
|
||||||
:getting_started,
|
:getting_started,
|
||||||
:post_default_public,
|
:post_default_public,
|
||||||
:otp_required_for_login,
|
|
||||||
:otp_secret,
|
|
||||||
email_preferences: UserPreference::VALID_EMAIL_TYPES.map(&:to_sym)
|
email_preferences: UserPreference::VALID_EMAIL_TYPES.map(&:to_sym)
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
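Review bot: The list that drops `:otp_required_for_login` and `:otp_secret` carries no comment saying why they are excluded, and nothing in the surrounding code would stop a later change from re-adding them; I would place `# OTP fields are never mass-assignable here; two-factor state is changed only via two_factor_authentication_path` directly above the call whose argument list this is (presumably a `permit` call, which begins above the hunk). With Rails' default `action_on_unpermitted_parameters` setting, a request that still carries `user[otp_secret]` is dropped silently rather than rejected, so the new controller spec is the only thing that would detect a regression here. The enclosing method starts and ends outside the hunk.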
@ -6,6 +6,5 @@
|
||||||
|
|
||||||
.well= t("two_factor_auth.deactivated.status")
|
.well= t("two_factor_auth.deactivated.status")
|
||||||
= form_for "user", url: two_factor_authentication_path, html: {method: :post} do |f|
|
= form_for "user", url: two_factor_authentication_path, html: {method: :post} do |f|
|
||||||
= f.hidden_field :otp_required_for_login, value: true
|
|
||||||
.clearfix.form-group= f.submit t("two_factor_auth.deactivated.change_button"),
|
.clearfix.form-group= f.submit t("two_factor_auth.deactivated.change_button"),
|
||||||
class: "btn btn-primary pull-right"
|
class: "btn btn-primary pull-right"
|
||||||
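Review bot: With the hidden field removed, the form opened by `form_for "user", url: two_factor_authentication_path` no longer submits any `user[...]` parameter, only the submit button's `commit` value; if the receiving action reads `params.require(:user)` it would now raise `ActionController::ParameterMissing`, so that action has to set `otp_required_for_login` itself rather than take it from the request (the receiving controller is not visible from this hunk, so this is inferred). A request spec that posts this form and checks that two-factor auth is actually enabled afterwards would pin that behaviour down. The rest of the template lies outside the hunk.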
@ -110,22 +110,21 @@ describe UsersController, :type => :controller do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '#update' do
|
describe "#update" do
|
||||||
before do
|
context "with random params" do
|
||||||
@params = { :id => @user.id,
|
let(:params) { {id: @user.id, user: {diaspora_handle: "notreal@stuff.com"}} }
|
||||||
:user => { :diaspora_handle => "notreal@stuff.com" } }
|
|
||||||
end
|
|
||||||
|
|
||||||
it "doesn't overwrite random attributes" do
|
it "doesn't overwrite random attributes" do
|
||||||
expect {
|
expect {
|
||||||
put :update, params: @params
|
put :update, params: params
|
||||||
}.not_to change(@user, :diaspora_handle)
|
}.not_to change(@user, :diaspora_handle)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'renders the user edit page' do
|
it "renders the user edit page" do
|
||||||
put :update, params: @params
|
put :update, params: params
|
||||||
expect(response).to render_template('edit')
|
expect(response).to render_template('edit')
|
||||||
end
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe "password updates" do
|
describe "password updates" do
|
||||||
let(:password_params) do
|
let(:password_params) do
|
||||||
|
|
@ -158,6 +157,23 @@ describe UsersController, :type => :controller do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context "with otp params" do
|
||||||
|
let(:otp_params) { {otp_required_for_login: false, otp_secret: "mykey"} }
|
||||||
|
let(:params) { {id: @user.id, user: otp_params} }
|
||||||
|
|
||||||
|
before do
|
||||||
|
allow(@controller).to receive(:current_user).and_return(@user)
|
||||||
|
allow(@user).to receive(:update_attributes)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "does not accept the params" do
|
||||||
|
put :update, params: params
|
||||||
|
|
||||||
|
expect(@user).not_to have_received(:update_attributes)
|
||||||
|
.with(hash_including(:otp_required_for_login, :otp_secret))
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe 'language' do
|
describe 'language' do
|
||||||
it "allows the user to change their language" do
|
it "allows the user to change their language" do
|
||||||
old_language = 'en'
|
old_language = 'en'
|
||||||
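Review bot: The expectation in `it "does not accept the params"` in the second hunk is satisfied vacuously whenever `update_attributes` is never called, because `not_to have_received(...).with(...)` only fails when a call with matching arguments was recorded; a controller that short-circuits before saving would pass this spec while the mass-assignment path stays untested. I would add a positive check next to it, `expect(@user).to have_received(:update_attributes).with(hash_excluding(:otp_required_for_login, :otp_secret))`, assuming the action does persist through `update_attributes`, or drop the stub and assert on persisted state with `expect { put :update, params: params }.not_to change { @user.reload.otp_secret }`. The first hunk also leaves quoting inconsistent: `describe "#update"` and the `it` labels move to double quotes while `render_template('edit')` and `describe 'language'` keep single quotes.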