Remove mass-assignment from :password_archivable (#68)

* Removing mass assignment * changed > 0 to .positive?
devise-security · Mar 2, 2019 · f68836f · f68836f
1 parent bae68f6
commit f68836f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/lib/devise-security/models/password_archivable.rb b/lib/devise-security/models/password_archivable.rb
@@ -39,12 +39,15 @@ def max_old_passwords
       # @return [true] if current password was used previously
       # @return [false] if disabled or not previously used
       def password_archive_included?
-        return false unless max_old_passwords > 0
+        return false unless max_old_passwords.positive?
 
         old_passwords_including_cur_change = old_passwords.order(created_at: :desc).limit(max_old_passwords).pluck(:encrypted_password)
         old_passwords_including_cur_change << encrypted_password_was # include most recent change in list, but don't save it yet!
         old_passwords_including_cur_change.any? do |old_password|
-          self.class.new(encrypted_password: old_password).valid_password?(password)
+          # NOTE: we deliberately do not do mass assignment here so that users that
+          #   rely on `protected_attributes_continued` gem can still use this extension.
+          #   See issue #68
+          self.class.new.tap { |object| object.encrypted_password = old_password }.valid_password?(password)
         end
       end
 
@@ -66,7 +69,7 @@ def archive_count
       # @note we check to see if an old password has already been archived because
       #   mongoid will keep re-triggering this callback when we add an old password
       def archive_password
-        if max_old_passwords > 0
+        if max_old_passwords.positive?
           return true if old_passwords.where(encrypted_password: encrypted_password_was).exists?
 
           old_passwords.create!(encrypted_password: encrypted_password_was) if encrypted_password_was.present?

diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -7,7 +7,8 @@
 SimpleCov.start do
   add_filter 'gemfiles'
   add_group 'Tests', 'test'
-  add_group 'Password Expirable', "password_expirable"
+  add_group 'Password Archivable', 'password_archivable'
+  add_group 'Password Expirable', 'password_expirable'
 end
 
 if ENV['CI']