From 43ee2dbb50bef30e23583776cf1e8821b59aa4b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?= <me@jhass.eu>
Date: Wed, 27 Apr 2022 19:48:42 +0200
Subject: [PATCH] Do not allow to mass assign OTP fields on user edit page
---
app/controllers/users_controller.rb | 2 -
.../two_factor_authentications/_activate.haml | 1 -
spec/controllers/users_controller_spec.rb | 44 +++++++++++++------
3 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 7f03479dad..99a0297a0d 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -140,8 +140,6 @@ class UsersController < ApplicationController
:auto_follow_back_aspect_id,
:getting_started,
:post_default_public,
- :otp_required_for_login,
- :otp_secret,
email_preferences: UserPreference::VALID_EMAIL_TYPES.map(&:to_sym)
)
end
diff --git a/app/views/two_factor_authentications/_activate.haml b/app/views/two_factor_authentications/_activate.haml
index ef6b0a7ff2..960f48e6bd 100644
--- a/app/views/two_factor_authentications/_activate.haml
+++ b/app/views/two_factor_authentications/_activate.haml
@@ -6,6 +6,5 @@
.well= t("two_factor_auth.deactivated.status")
= form_for "user", url: two_factor_authentication_path, html: {method: :post} do |f|
- = f.hidden_field :otp_required_for_login, value: true
.clearfix.form-group= f.submit t("two_factor_auth.deactivated.change_button"),
class: "btn btn-primary pull-right"
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 3b88d883b9..ac3e797271 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -110,21 +110,20 @@ describe UsersController, :type => :controller do
end
end
- describe '#update' do
- before do
- @params = { :id => @user.id,
- :user => { :diaspora_handle => "notreal@stuff.com" } }
- end
-
- it "doesn't overwrite random attributes" do
- expect {
- put :update, params: @params
- }.not_to change(@user, :diaspora_handle)
- end
+ describe "#update" do
+ context "with random params" do
+ let(:params) { {id: @user.id, user: {diaspora_handle: "notreal@stuff.com"}} }
+
+ it "doesn't overwrite random attributes" do
+ expect {
+ put :update, params: params
+ }.not_to change(@user, :diaspora_handle)
+ end
- it 'renders the user edit page' do
- put :update, params: @params
- expect(response).to render_template('edit')
+ it "renders the user edit page" do
+ put :update, params: params
+ expect(response).to render_template('edit')
+ end
end
describe "password updates" do
@@ -158,6 +157,23 @@ describe UsersController, :type => :controller do
end
end
+ context "with otp params" do
+ let(:otp_params) { {otp_required_for_login: false, otp_secret: "mykey"} }
+ let(:params) { {id: @user.id, user: otp_params} }
+
+ before do
+ allow(@controller).to receive(:current_user).and_return(@user)
+ allow(@user).to receive(:update_attributes)
+ end
+
+ it "does not accept the params" do
+ put :update, params: params
+
+ expect(@user).not_to have_received(:update_attributes)
+ .with(hash_including(:otp_required_for_login, :otp_secret))
+ end
+ end
+
describe 'language' do
it "allows the user to change their language" do
old_language = 'en'
--
GitLab