diff options
author | Azul <azul@riseup.net> | 2016-05-22 21:12:42 +0200 |
---|---|---|
committer | Azul <azul@riseup.net> | 2016-05-23 13:01:50 +0200 |
commit | 0ba0eb633e8c24086405c53f3d8a8e747f3382e4 (patch) | |
tree | 435b1ad9407f9be4061f351641a35947867dd6de | |
parent | fcc8207f84249612eba719b8aa77cd7c51e5ad5a (diff) |
restrict user_params in user_controller
Actually this should live in a service_level_controller.
For now fix the security issue.
-rw-r--r-- | app/controllers/users_controller.rb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 1404b0e..225584f 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -39,7 +39,7 @@ class UsersController < ApplicationController ## added so updating service level works, but not sure we will actually want this. also not sure that this is place to prevent user from updating own effective service level, but here as placeholder: def update - @user.update_attributes(params[:user]) unless (!admin? and params[:user][:effective_service_level]) + @user.update_attributes(user_params) if @user.valid? flash[:notice] = I18n.t(:changes_saved) end @@ -79,4 +79,11 @@ class UsersController < ApplicationController end end + def user_params + if admin? + params.require(:user).permit(:effective_service_level) + else + params.require(:user).permit(:password, :password_confirmation) + end + end end |