Do not allow the user to mass assign their own password alongside other

parameters Much thanks to Breno Vitório (@brenu) for the report!

Do not allow the user to mass assign their own password alongside other
1cfe0037 · Jonne Haß · 6ad4eb3b · 1cfe0037 · 1cfe0037
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -18,25 +18,17 @@ class UsersController < ApplicationController
  end

  def update
-    password_changed = false
-    user_data = user_params
    @user = current_user

-    if user_data
-      # change password
-      if params[:change_password]
-        password_changed = change_password(user_data)
-      else
-        update_user(user_data)
-      end
+    if params[:change_password] && user_password_params
+      password_changed = change_password(user_password_params)
+      return redirect_to new_user_session_path if password_changed
+    elsif user_params
+      update_user(user_params)
    end

-    if password_changed
-      redirect_to new_user_session_path
-    else
-      set_email_preferences
-      render :edit
-    end
+    set_email_preferences
+    render :edit
  end

  def update_privacy_settings
@@ -137,13 +129,9 @@ class UsersController < ApplicationController

  private

-  # rubocop:disable Metrics/MethodLength
  def user_params
    params.fetch(:user).permit(
      :email,
-      :current_password,
-      :password,
-      :password_confirmation,
      :language,
      :color_theme,
      :disable_mail,
@@ -157,7 +145,14 @@ class UsersController < ApplicationController
      email_preferences: UserPreference::VALID_EMAIL_TYPES.map(&:to_sym)
    )
  end
-  # rubocop:enable Metrics/MethodLength
+
+  def user_password_params
+    params.fetch(:user).permit(
+      :current_password,
+      :password,
+      :password_confirmation
+    )
+  end

  def update_user(user_data)
    if user_data[:email_preferences]
@@ -177,8 +172,8 @@ class UsersController < ApplicationController
    end
  end

-  def change_password(user_data)
-    if @user.update_with_password(user_data)
+  def change_password(password_params)
+    if @user.update_with_password(password_params)
      flash[:notice] = t("users.update.password_changed")
      true
    else

--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -127,21 +127,34 @@ describe UsersController, :type => :controller do
      expect(response).to render_template('edit')
    end

-    describe 'password updates' do
+    describe "password updates" do
      let(:password_params) do
-        {:current_password => 'bluepin7',
-         :password => "foobaz",
-         :password_confirmation => "foobaz"}
+        {current_password: "bluepin7", password: "foobaz", password_confirmation: "foobaz"}
      end

      let(:params) do
-        {id: @user.id, user: password_params, change_password: 'Change Password'}
+        {id: @user.id, user: password_params, change_password: "Change Password"}
      end

-      it "uses devise's update with password" do
-        expect(@user).to receive(:update_with_password).with(hash_including(password_params))
+      before do
        allow(@controller).to receive(:current_user).and_return(@user)
+        allow(@user).to receive(:update_with_password)
+        allow(@user).to receive(:update_attributes)
+      end
+
+      it "uses devise's update with password" do
        put :update, params: params
+
+        expect(@user).to have_received(:update_with_password).with(hash_including(password_params))
+        expect(@user).not_to have_received(:update_attributes).with(hash_including(password_params))
+      end
+
+      it "does not update the password without the change_password param" do
+        put :update, params: params.except(:change_password).deep_merge(user: {language: "de"})
+
+        expect(@user).not_to have_received(:update_with_password).with(hash_including(password_params))
+        expect(@user).not_to have_received(:update_attributes).with(hash_including(password_params))
+        expect(@user).to have_received(:update_attributes).with(hash_including(language: "de"))
      end
    end