SECURITY: Avoid mass assignment on user create

2025-05-31 14:08:32 +08:00 · 2016-08-05 11:57:13 -04:00
parent cda108da56
commit 429f27ec96
4 changed files with 101 additions and 10 deletions
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -382,12 +382,15 @@ describe UsersController do
      @user.password = "strongpassword"
    end

-    def post_user
-      xhr :post, :create,
-        name: @user.name,
+    let(:post_user_params) do
+      { name: @user.name,
        username: @user.username,
        password: "strongpassword",
-        email: @user.email
+        email: @user.email }
+    end
+
+    def post_user
+      xhr :post, :create, post_user_params
    end

    context 'when creating a user' do
@ -453,6 +456,79 @@ describe UsersController do
      end
    end

+    context "creating as active" do
+      it "won't create the user as active" do
+        xhr :post, :create, post_user_params.merge(active: true)
+        expect(JSON.parse(response.body)['active']).to be_falsey
+      end
+
+      context "with a regular api key" do
+        let(:user) { Fabricate(:user) }
+        let(:api_key) { Fabricate(:api_key, user: user) }
+
+        it "won't create the user as active with a regular key" do
+          xhr :post, :create, post_user_params.merge(active: true, api_key: api_key.key)
+          expect(JSON.parse(response.body)['active']).to be_falsey
+        end
+      end
+
+      context "with an admin api key" do
+        let(:user) { Fabricate(:admin) }
+        let(:api_key) { Fabricate(:api_key, user: user) }
+
+        it "creates the user as active with a regular key" do
+          xhr :post, :create, post_user_params.merge(active: true, api_key: api_key.key)
+          expect(JSON.parse(response.body)['active']).to be_truthy
+        end
+
+        it "won't create the developer as active" do
+          UsernameCheckerService.expects(:is_developer?).returns(true)
+
+          xhr :post, :create, post_user_params.merge(active: true, api_key: api_key.key)
+          expect(JSON.parse(response.body)['active']).to be_falsy
+        end
+      end
+    end
+
+    context "creating as staged" do
+      it "won't create the user as staged" do
+        xhr :post, :create, post_user_params.merge(staged: true)
+        new_user = User.where(username: post_user_params[:username]).first
+        expect(new_user.staged?).to eq(false)
+      end
+
+      context "with a regular api key" do
+        let(:user) { Fabricate(:user) }
+        let(:api_key) { Fabricate(:api_key, user: user) }
+
+        it "won't create the user as staged with a regular key" do
+          xhr :post, :create, post_user_params.merge(staged: true, api_key: api_key.key)
+          new_user = User.where(username: post_user_params[:username]).first
+          expect(new_user.staged?).to eq(false)
+        end
+      end
+
+      context "with an admin api key" do
+        let(:user) { Fabricate(:admin) }
+        let(:api_key) { Fabricate(:api_key, user: user) }
+
+        it "creates the user as staged with a regular key" do
+          xhr :post, :create, post_user_params.merge(staged: true, api_key: api_key.key)
+
+          new_user = User.where(username: post_user_params[:username]).first
+          expect(new_user.staged?).to eq(true)
+        end
+
+        it "won't create the developer as staged" do
+          UsernameCheckerService.expects(:is_developer?).returns(true)
+          xhr :post, :create, post_user_params.merge(staged: true, api_key: api_key.key)
+
+          new_user = User.where(username: post_user_params[:username]).first
+          expect(new_user.staged?).to eq(false)
+        end
+      end
+    end
+
    context 'when creating an active user (confirmed email)' do
      before { User.any_instance.stubs(:active?).returns(true) }