From 0ba0eb633e8c24086405c53f3d8a8e747f3382e4 Mon Sep 17 00:00:00 2001 From: Azul Date: Sun, 22 May 2016 21:12:42 +0200 Subject: restrict user_params in user_controller Actually this should live in a service_level_controller. For now fix the security issue. --- app/controllers/users_controller.rb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'app/controllers/users_controller.rb') diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 1404b0e..225584f 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -39,7 +39,7 @@ class UsersController < ApplicationController ## added so updating service level works, but not sure we will actually want this. also not sure that this is place to prevent user from updating own effective service level, but here as placeholder: def update - @user.update_attributes(params[:user]) unless (!admin? and params[:user][:effective_service_level]) + @user.update_attributes(user_params) if @user.valid? flash[:notice] = I18n.t(:changes_saved) end @@ -79,4 +79,11 @@ class UsersController < ApplicationController end end + def user_params + if admin? + params.require(:user).permit(:effective_service_level) + else + params.require(:user).permit(:password, :password_confirmation) + end + end end -- cgit v1.2.3 From 7f0c42a5fa6d6c1952e53b9b73bad0202f746f3e Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 23 May 2016 11:59:41 +0200 Subject: cleanup: remove service level code from users_controller There's no route to this right now and it also seems to be tested nowhere. Since i am about to split up the users_controller let's get rid of this and put it in the place we want it once we actually finish the implementation --- app/controllers/users_controller.rb | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) (limited to 'app/controllers/users_controller.rb') diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 225584f..2816a64 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -8,7 +8,7 @@ class UsersController < ApplicationController before_filter :require_login, :except => [:new] before_filter :redirect_if_logged_in, :only => [:new] before_filter :require_admin, :only => [:index, :deactivate, :enable] - before_filter :fetch_user, :only => [:show, :edit, :update, :destroy, :deactivate, :enable] + before_filter :fetch_user, :only => [:show, :edit, :destroy, :deactivate, :enable] before_filter :require_registration_allowed, only: :new respond_to :html @@ -37,15 +37,6 @@ class UsersController < ApplicationController def edit end - ## added so updating service level works, but not sure we will actually want this. also not sure that this is place to prevent user from updating own effective service level, but here as placeholder: - def update - @user.update_attributes(user_params) - if @user.valid? - flash[:notice] = I18n.t(:changes_saved) - end - respond_with @user, :location => edit_user_path(@user) - end - def deactivate @user.account.disable flash[:notice] = I18n.t("actions.user_disabled_message", username: @user.username) -- cgit v1.2.3 From f47fc9d6522886cf81cfea26ec1f396219c539ba Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 23 May 2016 12:17:31 +0200 Subject: move signup from users to account_controller There was a lot of special case handling going on in the users_controller for this. Lot simpler this way. --- app/controllers/users_controller.rb | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) (limited to 'app/controllers/users_controller.rb') diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 2816a64..4d198b9 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -5,11 +5,9 @@ class UsersController < ApplicationController include ControllerExtension::FetchUser - before_filter :require_login, :except => [:new] - before_filter :redirect_if_logged_in, :only => [:new] + before_filter :require_login before_filter :require_admin, :only => [:index, :deactivate, :enable] before_filter :fetch_user, :only => [:show, :edit, :destroy, :deactivate, :enable] - before_filter :require_registration_allowed, only: :new respond_to :html @@ -27,10 +25,6 @@ class UsersController < ApplicationController @users = @users.limit(100) end - def new - @user = User.new - end - def show end @@ -64,12 +58,6 @@ class UsersController < ApplicationController protected - def require_registration_allowed - unless APP_CONFIG[:allow_registration] - redirect_to home_path - end - end - def user_params if admin? params.require(:user).permit(:effective_service_level) -- cgit v1.2.3