From 325bccc1649c928d512ce7c7b11e14566a8c9eeb Mon Sep 17 00:00:00 2001
From: Azul
Date: Sun, 17 Sep 2017 09:54:55 +0200
Subject: fix: sanity checks on user params

fixes #8801 Includes a test reproducing 500 on lynx We now make use of ActionController::Parameters require and permit methods.
---
 app/controllers/api/users_controller.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'app/controllers/api/users_controller.rb')

diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index 709e076..cb7b7bc 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -53,7 +53,7 @@ module Api
 end
 
 def update
- @user.account.update params[:user]
+ @user.account.update user_update_params
 respond_with @user
 end
 
@@ -67,6 +67,15 @@ module Api
 
 private
 
+ def user_update_params
+ params.require(:user).permit :login,
+ :password_verifier,
+ :password_salt,
+ :recovery_code_verifier,
+ :recovery_code_salt,
+ :public_key
+ end
+
 def release_handles
 current_user.is_monitor? || params[:identities] == "destroy"
 end
-- 
cgit v1.2.3
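Review bot: The new `user_update_params` in the second hunk carries no comment recording why `params.require(:user)` rather than `params[:user]` is the fix, so a later edit could relax it to something like `params.fetch(:user, {})` and quietly reintroduce the 500 that the commit message says #8801 reproduces; `require` raises ActionController::ParameterMissing on a missing or blank `user` hash, which Rails reports as a 400 by default. I would add above the method `# require(:user) raises ParameterMissing (-> 400) on a missing/blank user hash instead of a 500; see #8801` so the intent survives. As a point of style, the paren-less `permit :login,` with five continuation lines reads awkwardly; `permit(:login, :password_verifier, ...)` with parentheses, or the list kept in a frozen constant, would be the conventional form. The permitted set also covers `:login` and `:public_key` alongside the password and recovery-code fields; whether `@user.account.update` applies any check before accepting a changed login or key is not visible in this hunk, so that deserves a look at the account model.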