summaryrefslogtreecommitdiff
path: root/users
diff options
context:
space:
mode:
authorjessib <jessib@leap.se>2013-01-29 12:09:38 -0800
committerjessib <jessib@leap.se>2013-01-29 12:09:38 -0800
commitafd5697f17a90654b6c058611896e3542a601ef5 (patch)
treef4382bae154b2d7c1f9538473a71f235b5c69ef8 /users
parent90b64fdffdc33f0204af6ac2e315bd4be6bc200a (diff)
A user's public_key is the only attribute they should be able to update via API.
Diffstat (limited to 'users')
-rw-r--r--users/app/controllers/v1/users_controller.rb3
-rw-r--r--users/test/integration/api/account_flow_test.rb10
2 files changed, 11 insertions, 2 deletions
diff --git a/users/app/controllers/v1/users_controller.rb b/users/app/controllers/v1/users_controller.rb
index e8e8f00..9b5997d 100644
--- a/users/app/controllers/v1/users_controller.rb
+++ b/users/app/controllers/v1/users_controller.rb
@@ -12,8 +12,9 @@ module V1
end
def update
+ # For now, only allow public key to be updated via the API. Eventually we might want to store in a config what attributes can be updated via the API.
@user = User.find_by_param(params[:id])
- @user.update_attributes(params[:user])
+ @user.update_attributes(:public_key => params[:user][:public_key])
respond_with @user
end
diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb
index b763be5..653f7d9 100644
--- a/users/test/integration/api/account_flow_test.rb
+++ b/users/test/integration/api/account_flow_test.rb
@@ -96,7 +96,15 @@ class AccountFlowTest < ActiveSupport::TestCase
test_public_key = 'asdlfkjslfdkjasd'
put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => test_public_key}, :format => :json
@user.reload
- assert_equal @user.public_key, test_public_key
+ assert_equal test_public_key, @user.public_key
+ end
+
+ test "cannot update login via api" do
+ server_auth = @srp.authenticate(self)
+ original_login = @user.login
+ put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:login => 'failed_login_name'}, :format => :json
+ @user.reload
+ assert_equal original_login, @user.login
end
end