Merge pull request #2452 from latortuga/bad-strong-params-on-failed-login
Add failing test case for bad parameter sanitizing when failing to login
bc598b9da3
|
@ -40,8 +40,12 @@ module Devise
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# These are the params used to sign in a user so we don't need to
|
||||||
|
# mass-assign the password param in order to authenticate. Excluding it
|
||||||
|
# here allows us to construct a new user without sensitive information if
|
||||||
|
# authentication fails.
|
||||||
def sign_in
|
def sign_in
|
||||||
default_params.permit(*auth_keys)
|
default_params.permit(*auth_keys + [:password])
|
||||||
end
|
end
|
||||||
|
|
||||||
def sign_up
|
def sign_up
|
||||||
|
@ -53,7 +57,7 @@ module Devise
|
||||||
end
|
end
|
||||||
|
|
||||||
def auth_keys
|
def auth_keys
|
||||||
resource_class.authentication_keys
|
resource_class.authentication_keys.respond_to?(:keys) ? resource_class.authentication_keys.keys : resource_class.authentication_keys
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
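Review bot: The four comment lines above `sign_in` (printed once, which the -8/+12 hunk counts mark as added) contradict the line they document: they say the password is excluded from the permitted params so that a resource built after a failed authentication carries no sensitive data, yet the new `default_params.permit(*auth_keys + [:password])` now permits `:password`. If the password has to be permitted so the failed-login path does not trip the unpermitted-parameters check (what the new SessionsController test exercises), the comment should state that instead and record the consequence, e.g. `# :password is permitted so a failed sign-in does not raise on unpermitted params; any caller that rebuilds the resource from these params (not visible here) will now carry the submitted password.` I would also write the splat as `default_params.permit(*(auth_keys + [:password]))` so the precedence is explicit to a reader. In the second hunk, `auth_keys` evaluates `resource_class.authentication_keys` twice; binding it once, `keys = resource_class.authentication_keys` then `keys.respond_to?(:keys) ? keys.keys : keys`, reads more clearly.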
|
||||||
|
|
|
@ -4,6 +4,20 @@ class SessionsControllerTest < ActionController::TestCase
|
||||||
tests Devise::SessionsController
|
tests Devise::SessionsController
|
||||||
include Devise::TestHelpers
|
include Devise::TestHelpers
|
||||||
|
|
||||||
|
test "#create doesn't raise unpermitted params when sign in fails" do
|
||||||
|
ActiveSupport::Notifications.subscribe /unpermitted_parameters/ do |name, start, finish, id, payload|
|
||||||
|
flunk "Unpermitted params: #{payload}"
|
||||||
|
end
|
||||||
|
request.env["devise.mapping"] = Devise.mappings[:user]
|
||||||
|
request.session["user_return_to"] = 'foo.bar'
|
||||||
|
user = create_user
|
||||||
|
post :create, :user => {
|
||||||
|
:email => "wrong@email.com",
|
||||||
|
:password => "wrongpassword"
|
||||||
|
}
|
||||||
|
assert_equal 200, @response.status
|
||||||
|
end
|
||||||
|
|
||||||
test "#create works even with scoped views" do
|
test "#create works even with scoped views" do
|
||||||
swap Devise, :scoped_views => true do
|
swap Devise, :scoped_views => true do
|
||||||
request.env["devise.mapping"] = Devise.mappings[:user]
|
request.env["devise.mapping"] = Devise.mappings[:user]
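Review bot: The `ActiveSupport::Notifications.subscribe` in the new test is never unsubscribed, so the flunking block stays registered for every later test in the process and an unpermitted-parameters notification raised elsewhere would fail with this test's message. Capture the subscriber, e.g. `subscriber = ActiveSupport::Notifications.subscribe(/unpermitted_parameters/) { |_name, _start, _finish, _id, payload| flunk "Unpermitted params: #{payload}" }`, and wrap the rest of the body in `begin … ensure ActiveSupport::Notifications.unsubscribe(subscriber) end`. Parenthesising the regexp argument also avoids Ruby's ambiguous-first-argument warning on `subscribe /unpermitted_parameters/`. The local `user = create_user` is assigned but never read; `create_user` alone says the same.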
|
||||||
|
|
|
@ -22,7 +22,14 @@ if defined?(ActionController::StrongParameters)
|
||||||
|
|
||||||
test 'filters some parameters on sign in by default' do
|
test 'filters some parameters on sign in by default' do
|
||||||
sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
|
sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
|
||||||
assert_equal({ "email" => "jose" }, sanitizer.for(:sign_in))
|
assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.for(:sign_in))
|
||||||
|
end
|
||||||
|
|
||||||
|
test 'handles auth keys as a hash' do
|
||||||
|
swap Devise, :authentication_keys => {:email => true} do
|
||||||
|
sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
|
||||||
|
assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.for(:sign_in))
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
test 'filters some parameters on sign up by default' do
|
test 'filters some parameters on sign up by default' do
|
||||||
|
|