From: Marin Jankovski <maxlazio@gmail.com>
Date: Wed, 26 Sep 2012 11:20:44 +0000 (+0200)
Subject: Protect users projects_limit from mass assignment.
X-Git-Tag: v3.0.0~120^2
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=5928388b1c5b41cf11471391b3ec6226167132fd;p=wvm%2Fgitlab.git

Protect users projects_limit from mass assignment.
---

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index e2d618640..c9586ad5d 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -30,7 +30,7 @@ class Admin::UsersController < AdminController
 
 
   def new
-    @admin_user = User.new(projects_limit: Gitlab.config.default_projects_limit)
+    @admin_user = User.new({ projects_limit: Gitlab.config.default_projects_limit }, as: :admin)
   end
 
   def edit
@@ -60,7 +60,7 @@ class Admin::UsersController < AdminController
   def create
     admin = params[:user].delete("admin")
 
-    @admin_user = User.new(params[:user])
+    @admin_user = User.new(params[:user], as: :admin)
     @admin_user.admin = (admin && admin.to_i > 0)
 
     respond_to do |format|
@@ -86,7 +86,7 @@ class Admin::UsersController < AdminController
     @admin_user.admin = (admin && admin.to_i > 0)
 
     respond_to do |format|
-      if @admin_user.update_attributes(params[:user])
+      if @admin_user.update_attributes(params[:user], as: :admin)
         format.html { redirect_to [:admin, @admin_user], notice: 'User was successfully updated.' }
         format.json { head :ok }
       else
diff --git a/app/models/user.rb b/app/models/user.rb
index 478767227..a8626cc18 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -6,8 +6,9 @@ class User < ActiveRecord::Base
          :recoverable, :rememberable, :trackable, :validatable, :omniauthable
 
   attr_accessible :email, :password, :password_confirmation, :remember_me, :bio,
-                  :name, :projects_limit, :skype, :linkedin, :twitter, :dark_scheme,
-                  :theme_id, :force_random_password, :extern_uid, :provider
+                  :name, :skype, :linkedin, :twitter, :dark_scheme,
+                  :theme_id, :force_random_password, :extern_uid, :provider, :as => [:default, :admin]
+  attr_accessible :projects_limit, :as => :admin
 
   attr_accessor :force_random_password
 
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 081767543..14a373e10 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -73,4 +73,30 @@ describe User do
       user.authentication_token.should_not be_blank
     end
   end
+
+  describe "attributes can be changed by a regular user" do
+    before do
+      @user = Factory :user
+      @user.update_attributes(skype: "testskype", linkedin: "testlinkedin")
+    end
+    it { @user.skype.should == 'testskype' }
+    it { @user.linkedin.should == 'testlinkedin' }
+  end
+
+  describe "attributes that shouldn't be changed by a regular user" do
+    before do
+      @user = Factory :user
+      @user.update_attributes(projects_limit: 50)
+    end
+    it { @user.projects_limit.should_not == 50 }
+  end
+
+  describe "attributes can be changed by an admin user" do
+    before do
+      @admin_user = Factory :admin
+      @admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin)
+    end
+    it { @admin_user.skype.should == 'testskype' }
+    it { @admin_user.projects_limit.should == 50 }
+  end
 end