iv / gitlab-ce
Commit 5928388b, authored Sep 26, 2012 by Marin Jankovski
Protect users projects_limit from mass assignment.
parent 8ec95642
Showing 3 changed files with 32 additions and 5 deletions (+32 -5)
app/controllers/admin/users_controller.rb (+3 -3)
app/models/user.rb (+3 -2)
spec/models/user_spec.rb (+26 -0)
app/controllers/admin/users_controller.rb
...
@@ -30,7 +30,7 @@ class Admin::UsersController < AdminController
...
@@ -30,7 +30,7 @@ class Admin::UsersController < AdminController
def
new
def
new
@admin_user
=
User
.
new
(
projects_limit:
Gitlab
.
config
.
default_projects_limit
)
@admin_user
=
User
.
new
(
{
projects_limit:
Gitlab
.
config
.
default_projects_limit
},
as: :admin
)
end
end
def
edit
def
edit
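Review bot: the braces around `{ projects_limit: Gitlab.config.default_projects_limit }` in the new `User.new(..., as: :admin)` call are load-bearing, not cosmetic: without them `as: :admin` would be folded into the same hash as an attribute named `as`, the role would never be applied, and the default `projects_limit` would be dropped by mass-assignment protection. A one-line comment on that line would stop a later cleanup from removing them.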
...
@@ -60,7 +60,7 @@ class Admin::UsersController < AdminController
...
@@ -60,7 +60,7 @@ class Admin::UsersController < AdminController
def
create
def
create
admin
=
params
[
:user
].
delete
(
"admin"
)
admin
=
params
[
:user
].
delete
(
"admin"
)
@admin_user
=
User
.
new
(
params
[
:user
])
@admin_user
=
User
.
new
(
params
[
:user
]
,
as: :admin
)
@admin_user
.
admin
=
(
admin
&&
admin
.
to_i
>
0
)
@admin_user
.
admin
=
(
admin
&&
admin
.
to_i
>
0
)
respond_to
do
|
format
|
respond_to
do
|
format
|
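Review bot: keeping `admin = params[:user].delete("admin")` is correct even though `User.new(params[:user], as: :admin)` now assigns under the admin role: `:admin` does not appear in any `attr_accessible` list in this change, so the manual delete-then-assign is what keeps the flag out of mass assignment. Add a comment saying so, because next to `as: :admin` the line now looks redundant and is an obvious cleanup target. Passing the whole request hash under the admin role also makes the `AdminController` authentication filter the only thing between a non-admin request and `projects_limit`; that filter is not in this diff, so a controller spec for a non-admin POST would close the gap.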
...
@@ -86,7 +86,7 @@ class Admin::UsersController < AdminController
...
@@ -86,7 +86,7 @@ class Admin::UsersController < AdminController
@admin_user
.
admin
=
(
admin
&&
admin
.
to_i
>
0
)
@admin_user
.
admin
=
(
admin
&&
admin
.
to_i
>
0
)
respond_to
do
|
format
|
respond_to
do
|
format
|
if
@admin_user
.
update_attributes
(
params
[
:user
])
if
@admin_user
.
update_attributes
(
params
[
:user
]
,
as: :admin
)
format
.
html
{
redirect_to
[
:admin
,
@admin_user
],
notice:
'User was successfully updated.'
}
format
.
html
{
redirect_to
[
:admin
,
@admin_user
],
notice:
'User was successfully updated.'
}
format
.
json
{
head
:ok
}
format
.
json
{
head
:ok
}
else
else
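Review bot: same shape as `create`: `update_attributes(params[:user], as: :admin)` widens every key in `params[:user]` to the admin role, while `@admin_user.admin = (admin && admin.to_i > 0)` is set one line earlier outside mass assignment. The ordering is fine, but there is no controller coverage for `update`; the new specs exercise the model only, so a request-level test that a regular user cannot change `projects_limit` through this action would document the intent.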
...
...
app/models/user.rb
...
@@ -6,8 +6,9 @@ class User < ActiveRecord::Base
...
@@ -6,8 +6,9 @@ class User < ActiveRecord::Base
:recoverable
,
:rememberable
,
:trackable
,
:validatable
,
:omniauthable
:recoverable
,
:rememberable
,
:trackable
,
:validatable
,
:omniauthable
attr_accessible
:email
,
:password
,
:password_confirmation
,
:remember_me
,
:bio
,
attr_accessible
:email
,
:password
,
:password_confirmation
,
:remember_me
,
:bio
,
:name
,
:projects_limit
,
:skype
,
:linkedin
,
:twitter
,
:dark_scheme
,
:name
,
:skype
,
:linkedin
,
:twitter
,
:dark_scheme
,
:theme_id
,
:force_random_password
,
:extern_uid
,
:provider
:theme_id
,
:force_random_password
,
:extern_uid
,
:provider
,
:as
=>
[
:default
,
:admin
]
attr_accessible
:projects_limit
,
:as
=>
:admin
attr_accessor
:force_random_password
attr_accessor
:force_random_password
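Review bot: moving `:projects_limit` into a separate `attr_accessible :projects_limit, :as => :admin` means any other call site that mass-assigns `projects_limit` without `as: :admin` now silently drops it (or raises, if `config.active_record.mass_assignment_sanitizer` is `:strict`). Only `Admin::UsersController` is updated in this change, so a grep for other `User.new` / `update_attributes` calls that pass `projects_limit` should be part of the review. Listing the remaining attributes under `:as => [:default, :admin]` is right and leaves the default role's surface unchanged.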
...
...
spec/models/user_spec.rb
...
@@ -73,4 +73,30 @@ describe User do
...
@@ -73,4 +73,30 @@ describe User do
user
.
authentication_token
.
should_not
be_blank
user
.
authentication_token
.
should_not
be_blank
end
end
end
end
describe
"attributes can be changed by a regular user"
do
before
do
@user
=
Factory
:user
@user
.
update_attributes
(
skype:
"testskype"
,
linkedin:
"testlinkedin"
)
end
it
{
@user
.
skype
.
should
==
'testskype'
}
it
{
@user
.
linkedin
.
should
==
'testlinkedin'
}
end
describe
"attributes that shouldn't be changed by a regular user"
do
before
do
@user
=
Factory
:user
@user
.
update_attributes
(
projects_limit:
50
)
end
it
{
@user
.
projects_limit
.
should_not
==
50
}
end
describe
"attributes can be changed by an admin user"
do
before
do
@admin_user
=
Factory
:admin
@admin_user
.
update_attributes
({
skype:
"testskype"
,
projects_limit:
50
},
as: :admin
)
end
it
{
@admin_user
.
skype
.
should
==
'testskype'
}
it
{
@admin_user
.
projects_limit
.
should
==
50
}
end
end
end
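Review bot: `@user.update_attributes(projects_limit: 50)` in the "attributes that shouldn't be changed by a regular user" block only behaves as written when the test environment's mass-assignment sanitizer logs rather than raises; under `:strict` the `before` block raises `ActiveModel::MassAssignmentSecurity::Error` and the example errors instead of asserting. Either assert that error explicitly or note the expected sanitizer setting. `@user.projects_limit.should_not == 50` is also weaker than it looks: capture the factory value before the call and assert `should == original` so the example proves the attribute was left unchanged rather than merely not equal to 50.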