Remove Mass Assignment of Role IDs
LBRapid committed Feb 25, 2013
1 parent 9a60b28 commit 038d747
Showing 3 changed files with 47 additions and 1 deletion.
41 changes: 41 additions & 0 deletions app/controllers/spree/admin/users_controller.rb
Expand Up @@ -16,6 +16,47 @@ def index
end
end

def create
if params[:user]
roles = params[:user].delete("spree_role_ids")
end

@user = Spree::User.new(params[:user])
if @user.save

if roles
@user.spree_roles = roles.reject(&:blank?).collect{|r| Spree::Role.find(r)}
end

flash.now[:notice] = t(:created_successfully)
render :edit
else
render :new
end
end

def update
if params[:user]
roles = params[:user].delete("spree_role_ids")
end

if @user.update_attributes(params[:user])
if roles
@user.spree_roles = roles.reject(&:blank?).collect{|r| Spree::Role.find(r)}
end

if params[:user][:password].present?
# this logic needed b/c devise wants to log us out after password changes
user = Spree::User.reset_password_by_token(params[:user])
sign_in(@user, :event => :authentication, :bypass => !Spree::Auth::Config[:signout_after_password_change])
end
flash.now[:notice] = t(:account_updated)
render :edit
else
render :edit
end
end

def generate_api_key
if @user.generate_spree_api_key!
flash.notice = t('key_generated', :scope => 'spree.api')
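Review bot: In `update`, the `params[:user][:password].present?` check is reached without the `if params[:user]` guard used a few lines above it, so a PUT with no `user` hash raises NoMethodError after `update_attributes` has already run; guard it the same way: `if params[:user] && params[:user][:password].present?`. The local `user` assigned from `Spree::User.reset_password_by_token(params[:user])` is never read, and that Devise method expects a `reset_password_token` entry which this form does not appear to send, so the call looks like leftover code whose result should either be checked or the line dropped. Both actions strip `spree_role_ids` before mass assignment and then resolve each id with `Spree::Role.find`, which raises ActiveRecord::RecordNotFound for any unknown id; `Spree::Role.where(:id => roles.reject(&:blank?))` would resolve the list in one query and ignore stray ids. Since role assignment now bypasses the model whitelist entirely, the admin access check on this controller is the only thing gating it, and that check is outside the hunk, as is the rest of `generate_api_key`.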
2 changes: 1 addition & 1 deletion app/models/spree/user.rb
Expand Up @@ -14,7 +14,7 @@ class User < ActiveRecord::Base
before_destroy :check_completed_orders

# Setup accessible (or protected) attributes for your model
attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token, :login, :spree_role_ids
attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token, :login

users_table_name = User.table_name
roles_table_name = Role.table_name
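Review bot: The new `attr_accessible` line differs from the old one only by the dropped `:spree_role_ids`, and nothing in the model records that this omission is deliberate, so a later maintainer may simply add it back; a comment above the line such as `# spree_role_ids is intentionally not mass-assignable; roles are assigned explicitly by the admin users controller` would preserve the intent. The `class User` body continues outside the hunk.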
5 changes: 5 additions & 0 deletions spec/controllers/spree/users_controller_spec.rb
Expand Up @@ -3,6 +3,7 @@
describe Spree::UsersController do
let(:admin_user) { create(:user) }
let(:user) { create(:user) }
let(:role) { create(:role) }

before do
controller.stub(:spree_current_user => user)
Expand All @@ -23,5 +24,9 @@
response.should redirect_to(spree.account_url(:only_path => true))
end
end

it 'should not update roles' do
expect { spree_put :update, { :user => { :spree_role_ids => [role.id] } }}.to raise_exception(ActiveModel::MassAssignmentSecurity::Error)
end
end
end
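Review bot: The new example expects `ActiveModel::MassAssignmentSecurity::Error`, which Rails only raises when `config.active_record.mass_assignment_sanitizer` is `:strict`; under the default logger sanitizer the protected attribute is dropped silently and this example fails even though the whitelist change works. Asserting on the outcome is independent of that setting: call `spree_put :update, { :user => { :spree_role_ids => [role.id] } }` and then check `user.reload.spree_roles.should_not include(role)`. The example also exercises the storefront `Spree::UsersController`, so the explicit role handling added to `Admin::UsersController` in this commit appears to have no coverage here.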
