Remove password and password_confirmation from whitelisted params in ProfilesController to prevent password from being changed without previous password being provided
This commit is contained in:
parent
7603beffc9
commit
8417f74f23
|
@ -93,8 +93,6 @@ class ProfilesController < Profiles::ApplicationController
|
||||||
:linkedin,
|
:linkedin,
|
||||||
:location,
|
:location,
|
||||||
:name,
|
:name,
|
||||||
:password,
|
|
||||||
:password_confirmation,
|
|
||||||
:public_email,
|
:public_email,
|
||||||
:skype,
|
:skype,
|
||||||
:twitter,
|
:twitter,
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Prevent user passwords from being changed without providing the previous password
|
||||||
|
merge_request:
|
||||||
|
author:
|
||||||
|
type: security
|
|
@ -3,6 +3,19 @@ require('spec_helper')
|
||||||
describe ProfilesController, :request_store do
|
describe ProfilesController, :request_store do
|
||||||
let(:user) { create(:user) }
|
let(:user) { create(:user) }
|
||||||
|
|
||||||
|
describe 'POST update' do
|
||||||
|
it 'does not update password' do
|
||||||
|
sign_in(user)
|
||||||
|
|
||||||
|
expect do
|
||||||
|
post :update,
|
||||||
|
user: { password: 'hello12345', password_confirmation: 'hello12345' }
|
||||||
|
end.not_to change { user.reload.encrypted_password }
|
||||||
|
|
||||||
|
expect(response.status).to eq(302)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe 'PUT update' do
|
describe 'PUT update' do
|
||||||
it 'allows an email update from a user without an external email address' do
|
it 'allows an email update from a user without an external email address' do
|
||||||
sign_in(user)
|
sign_in(user)
|
||||||
|
|
Loading…
Reference in New Issue