diff options
| author | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-05-04 19:24:55 +0200 |
|---|---|---|
| committer | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-05-07 10:29:00 +0200 |
| commit | 8417f74f23a75020a14f39d939c4dd1cc5419d07 (patch) | |
| tree | 8cbda28b16372ae6baa145078110fbcca3a2238c /spec | |
| parent | 7603beffc916d06039cac63b223d8e6234b5d666 (diff) | |
| download | gitlab-ce-8417f74f23a75020a14f39d939c4dd1cc5419d07.tar.gz | |
Remove password and password_confirmation from whitelisted params in ProfilesController to prevent password from being changed without previous password being provided
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/controllers/profiles_controller_spec.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb index c621eb69171..4530a301d4d 100644 --- a/spec/controllers/profiles_controller_spec.rb +++ b/spec/controllers/profiles_controller_spec.rb @@ -3,6 +3,19 @@ require('spec_helper') describe ProfilesController, :request_store do let(:user) { create(:user) } + describe 'POST update' do + it 'does not update password' do + sign_in(user) + + expect do + post :update, + user: { password: 'hello12345', password_confirmation: 'hello12345' } + end.not_to change { user.reload.encrypted_password } + + expect(response.status).to eq(302) + end + end + describe 'PUT update' do it 'allows an email update from a user without an external email address' do sign_in(user) |