Merge branch '8801-500-on-lynx' into 'master'

fix: sanity checks on user params Closes #8801 See merge request leap/webapp!50
author: azul <azul@riseup.net> 2017-10-24 11:40:46 +0000
committer: azul <azul@riseup.net> 2017-10-24 11:40:46 +0000
commit: d717aba320abc5cc2ebf5650cbd52a69a56926b5 (patch)
tree: 4a9adacadce129529bed44792e6a4de1dc158519 /app/controllers/api/users_controller.rb
parent: fecd710de6c574ac8e2b0c45ad9e081badd59b61 (diff)
parent: 325bccc1649c928d512ce7c7b11e14566a8c9eeb (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index 709e076..cb7b7bc 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -53,7 +53,7 @@ module Api
     end
 
     def update
-      @user.account.update params[:user]
+      @user.account.update user_update_params
       respond_with @user
     end
 
@@ -67,6 +67,15 @@ module Api
 
     private
 
+    def user_update_params
+      params.require(:user).permit :login,
+        :password_verifier,
+        :password_salt,
+        :recovery_code_verifier,
+        :recovery_code_salt,
+        :public_key
+    end
+
     def release_handles
       current_user.is_monitor? || params[:identities] == "destroy"
     end
author	azul <azul@riseup.net>	2017-10-24 11:40:46 +0000
committer	azul <azul@riseup.net>	2017-10-24 11:40:46 +0000
commit	d717aba320abc5cc2ebf5650cbd52a69a56926b5 (patch)
tree	4a9adacadce129529bed44792e6a4de1dc158519 /app/controllers/api/users_controller.rb
parent	fecd710de6c574ac8e2b0c45ad9e081badd59b61 (diff)
parent	325bccc1649c928d512ce7c7b11e14566a8c9eeb (diff)