mirror of
https://github.com/heartcombo/devise.git
synced 2022-11-09 12:18:31 -05:00
commit
e860ade718
3 changed files with 31 additions and 4 deletions
|
@ -4,7 +4,7 @@ class Devise::SessionsController < DeviseController
|
||||||
|
|
||||||
# GET /resource/sign_in
|
# GET /resource/sign_in
|
||||||
def new
|
def new
|
||||||
resource = build_resource
|
resource = build_resource(nil, :unsafe => true)
|
||||||
clean_up_passwords(resource)
|
clean_up_passwords(resource)
|
||||||
respond_with(resource, serialize_options(resource))
|
respond_with(resource, serialize_options(resource))
|
||||||
end
|
end
|
||||||
|
|
|
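Review bot: The new call `build_resource(nil, :unsafe => true)` in `new` has no comment explaining why bypassing attribute protection is acceptable on this action. Because the hash argument is nil, the values come from the request (`hash ||= params[resource_name] || {}` in `build_resource`). A reader needs to know that, as far as these lines show, the object is only passed to `clean_up_passwords` and `respond_with` and is not saved. I would add a comment above the call such as `# :unsafe is tolerable here only because the resource pre-fills the sign-in form and is never persisted`.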
@ -67,10 +67,21 @@ MESSAGE
|
||||||
instance_variable_set(:"@#{resource_name}", new_resource)
|
instance_variable_set(:"@#{resource_name}", new_resource)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Build a devise resource.
|
# Build a devise resource.
|
||||||
def build_resource(hash=nil)
|
# Assignment bypasses attribute protection when :unsafe option is passed
|
||||||
|
def build_resource(hash = nil, options = {})
|
||||||
hash ||= params[resource_name] || {}
|
hash ||= params[resource_name] || {}
|
||||||
self.resource = resource_class.new(hash)
|
|
||||||
|
if options[:unsafe]
|
||||||
|
self.resource = resource_class.new.tap do |resource|
|
||||||
|
hash.each do |key, value|
|
||||||
|
setter = :"#{key}="
|
||||||
|
resource.send(setter, value) if resource.respond_to?(setter)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
else
|
||||||
|
self.resource = resource_class.new(hash)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Helper for use in before_filters where no authentication is required.
|
# Helper for use in before_filters where no authentication is required.
|
||||||
|
|
|
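Review bot: In the `options[:unsafe]` branch every key of `hash` becomes a setter name and is invoked, and `hash` defaults to `params[resource_name]`. A request can therefore reach any public writer on the model (role flags, association setters, writers with side effects), not only the sign-in key that motivated the change. The `respond_to?(setter)` guard keeps private methods out but does not narrow the set to intended fields. I would iterate over an explicit allowlist instead, for example `hash.slice(*resource_class.authentication_keys).each do |key, value|`, assuming `authentication_keys` is available on the resource class here. The comment above `build_resource` should also state that `:unsafe` must not be used on any path that saves the resource.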
@ -13,4 +13,20 @@ class SessionsControllerTest < ActionController::TestCase
|
||||||
assert_equal 200, @response.status
|
assert_equal 200, @response.status
|
||||||
assert_template "devise/sessions/new"
|
assert_template "devise/sessions/new"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "#new doesn't raise mass-assignment exception even if sign-in key is attr_protected" do
|
||||||
|
request.env["devise.mapping"] = Devise.mappings[:user]
|
||||||
|
|
||||||
|
ActiveRecord::Base.mass_assignment_sanitizer = :strict
|
||||||
|
User.class_eval { attr_protected :email }
|
||||||
|
|
||||||
|
begin
|
||||||
|
assert_nothing_raised ActiveModel::MassAssignmentSecurity::Error do
|
||||||
|
get :new, :user => { :email => "allez viens!" }
|
||||||
|
end
|
||||||
|
ensure
|
||||||
|
ActiveRecord::Base.mass_assignment_sanitizer = :logger
|
||||||
|
User.class_eval { attr_accessible :email }
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
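Review bot: The new test asserts only that no `ActiveModel::MassAssignmentSecurity::Error` is raised and never inspects the built resource. It would still pass if the unsafe path assigned nothing, or assigned far more than the sign-in key. I would add `assert_equal "allez viens!", assigns(:user).email` after the `get`, plus a companion case that sends a protected attribute which is not a sign-in key and checks it stays unassigned, so the scope of the bypass is pinned. The `ensure` block also restores hard-coded values (`:logger`, `attr_accessible :email`) rather than the state captured before the test, which presumably matches the suite defaults but deserves a comment.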