restrict user_params in user_controller

Actually this should live in a service_level_controller. For now fix the security issue.
author: Azul <azul@riseup.net> 2016-05-22 21:12:42 +0200
committer: Azul <azul@riseup.net> 2016-05-23 13:01:50 +0200
commit: 0ba0eb633e8c24086405c53f3d8a8e747f3382e4 (patch)
tree: 435b1ad9407f9be4061f351641a35947867dd6de /app/controllers
parent: fcc8207f84249612eba719b8aa77cd7c51e5ad5a (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 1404b0e..225584f 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -39,7 +39,7 @@ class UsersController < ApplicationController
 
   ## added so updating service level works, but not sure we will actually want this. also not sure that this is place to prevent user from updating own effective service level, but here as placeholder:
   def update
-    @user.update_attributes(params[:user]) unless (!admin? and params[:user][:effective_service_level])
+    @user.update_attributes(user_params)
     if @user.valid?
       flash[:notice] = I18n.t(:changes_saved)
     end
@@ -79,4 +79,11 @@ class UsersController < ApplicationController
     end
   end
 
+  def user_params
+    if admin?
+      params.require(:user).permit(:effective_service_level)
+    else
+      params.require(:user).permit(:password, :password_confirmation)
+    end
+  end
 end
author	Azul <azul@riseup.net>	2016-05-22 21:12:42 +0200
committer	Azul <azul@riseup.net>	2016-05-23 13:01:50 +0200
commit	0ba0eb633e8c24086405c53f3d8a8e747f3382e4 (patch)
tree	435b1ad9407f9be4061f351641a35947867dd6de /app/controllers
parent	fcc8207f84249612eba719b8aa77cd7c51e5ad5a (diff)