summaryrefslogtreecommitdiff
path: root/spec/controllers/profiles_controller_spec.rb
diff options
context:
space:
mode:
authorTiago Botelho <tiagonbotelho@hotmail.com>2018-05-04 19:24:55 +0200
committerTiago Botelho <tiagonbotelho@hotmail.com>2018-05-07 10:29:00 +0200
commit8417f74f23a75020a14f39d939c4dd1cc5419d07 (patch)
tree8cbda28b16372ae6baa145078110fbcca3a2238c /spec/controllers/profiles_controller_spec.rb
parent7603beffc916d06039cac63b223d8e6234b5d666 (diff)
downloadgitlab-ce-8417f74f23a75020a14f39d939c4dd1cc5419d07.tar.gz
Remove password and password_confirmation from whitelisted params in ProfilesController to prevent password from being changed without previous password being provided
Diffstat (limited to 'spec/controllers/profiles_controller_spec.rb')
-rw-r--r--spec/controllers/profiles_controller_spec.rb13
1 files changed, 13 insertions, 0 deletions
diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb
index c621eb69171..4530a301d4d 100644
--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
@@ -3,6 +3,19 @@ require('spec_helper')
describe ProfilesController, :request_store do
let(:user) { create(:user) }
+ describe 'POST update' do
+ it 'does not update password' do
+ sign_in(user)
+
+ expect do
+ post :update,
+ user: { password: 'hello12345', password_confirmation: 'hello12345' }
+ end.not_to change { user.reload.encrypted_password }
+
+ expect(response.status).to eq(302)
+ end
+ end
+
describe 'PUT update' do
it 'allows an email update from a user without an external email address' do
sign_in(user)
View Lorry Controller Status