diff options
author | Azul <azul@riseup.net> | 2017-09-17 09:54:55 +0200 |
---|---|---|
committer | Azul <azul@riseup.net> | 2017-10-24 13:33:03 +0200 |
commit | 325bccc1649c928d512ce7c7b11e14566a8c9eeb (patch) | |
tree | 4a9adacadce129529bed44792e6a4de1dc158519 /test/integration | |
parent | fecd710de6c574ac8e2b0c45ad9e081badd59b61 (diff) |
fix: sanity checks on user params
fixes #8801
Includes a test reproducing 500 on lynx
We now make use of ActionController::Parameters require and permit
methods.
Diffstat (limited to 'test/integration')
-rw-r--r-- | test/integration/api/srp_test.rb | 2 | ||||
-rw-r--r-- | test/integration/api/update_account_test.rb | 8 |
2 files changed, 9 insertions, 1 deletions
diff --git a/test/integration/api/srp_test.rb b/test/integration/api/srp_test.rb index b9605f9..ef5d9b8 100644 --- a/test/integration/api/srp_test.rb +++ b/test/integration/api/srp_test.rb @@ -46,7 +46,7 @@ class SrpTest < RackTest @password = password end - def update_user(params) + def update_user(params = {}) put api_url("users/#{@user.id}.json"), user_params(params), auth_headers diff --git a/test/integration/api/update_account_test.rb b/test/integration/api/update_account_test.rb index f083dbc..dd28b06 100644 --- a/test/integration/api/update_account_test.rb +++ b/test/integration/api/update_account_test.rb @@ -19,6 +19,14 @@ class UpdateAccountTest < SrpTest assert_login_required end + test "empty request" do + authenticate + update_user + refute last_response.successful? + assert_equal 400, last_response.status + assert_equal '', last_response.body + end + test "update password via api" do authenticate update_user password: "No! Verify me instead." |