From afd5697f17a90654b6c058611896e3542a601ef5 Mon Sep 17 00:00:00 2001
From: jessib <jessib@leap.se>
Date: Tue, 29 Jan 2013 12:09:38 -0800
Subject: A user's public_key is the only attribute they should be able to
 update via API.

---
 users/app/controllers/v1/users_controller.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'users/app/controllers/v1/users_controller.rb')

diff --git a/users/app/controllers/v1/users_controller.rb b/users/app/controllers/v1/users_controller.rb
index e8e8f00..9b5997d 100644
--- a/users/app/controllers/v1/users_controller.rb
+++ b/users/app/controllers/v1/users_controller.rb
@@ -12,8 +12,9 @@ module V1
     end
 
     def update
+      # For now, only allow public key to be updated via the API. Eventually we might want to store in a config what attributes can be updated via the API.
       @user = User.find_by_param(params[:id])
-      @user.update_attributes(params[:user])
+      @user.update_attributes(:public_key => params[:user][:public_key])
       respond_with @user
     end
 
-- 
cgit v1.2.3