fix: sanity checks on user params

fixes #8801 Includes a test reproducing 500 on lynx We now make use of ActionController::Parameters require and permit methods.
author: Azul <azul@riseup.net> 2017-09-17 09:54:55 +0200
committer: Azul <azul@riseup.net> 2017-10-24 13:33:03 +0200
commit: 325bccc1649c928d512ce7c7b11e14566a8c9eeb (patch)
tree: 4a9adacadce129529bed44792e6a4de1dc158519 /app/controllers/api/users_controller.rb
parent: fecd710de6c574ac8e2b0c45ad9e081badd59b61 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index 709e076..cb7b7bc 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -53,7 +53,7 @@ module Api
     end
 
     def update
-      @user.account.update params[:user]
+      @user.account.update user_update_params
       respond_with @user
     end
 
@@ -67,6 +67,15 @@ module Api
 
     private
 
+    def user_update_params
+      params.require(:user).permit :login,
+        :password_verifier,
+        :password_salt,
+        :recovery_code_verifier,
+        :recovery_code_salt,
+        :public_key
+    end
+
     def release_handles
       current_user.is_monitor? || params[:identities] == "destroy"
     end
author	Azul <azul@riseup.net>	2017-09-17 09:54:55 +0200
committer	Azul <azul@riseup.net>	2017-10-24 13:33:03 +0200
commit	325bccc1649c928d512ce7c7b11e14566a8c9eeb (patch)
tree	4a9adacadce129529bed44792e6a4de1dc158519 /app/controllers/api/users_controller.rb
parent	fecd710de6c574ac8e2b0c45ad9e081badd59b61 (diff)