summaryrefslogtreecommitdiff
path: root/app/controllers/api
diff options
context:
space:
mode:
authorAzul <azul@riseup.net>2017-09-17 09:54:55 +0200
committerAzul <azul@riseup.net>2017-10-24 13:33:03 +0200
commit325bccc1649c928d512ce7c7b11e14566a8c9eeb (patch)
tree4a9adacadce129529bed44792e6a4de1dc158519 /app/controllers/api
parentfecd710de6c574ac8e2b0c45ad9e081badd59b61 (diff)
fix: sanity checks on user params
fixes #8801 Includes a test reproducing 500 on lynx We now make use of ActionController::Parameters require and permit methods.
Diffstat (limited to 'app/controllers/api')
-rw-r--r--app/controllers/api/users_controller.rb11
1 files changed, 10 insertions, 1 deletions
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index 709e076..cb7b7bc 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -53,7 +53,7 @@ module Api
end
def update
- @user.account.update params[:user]
+ @user.account.update user_update_params
respond_with @user
end
@@ -67,6 +67,15 @@ module Api
private
+ def user_update_params
+ params.require(:user).permit :login,
+ :password_verifier,
+ :password_salt,
+ :recovery_code_verifier,
+ :recovery_code_salt,
+ :public_key
+ end
+
def release_handles
current_user.is_monitor? || params[:identities] == "destroy"
end