User: Make sure force_password_change can only be activated if allowed

pull/1121/head
Michael Frister 11 years ago
parent 50b4942377
commit 43c21cf09a
  1. 5
      app/controllers/users_controller.rb
  2. 8
      app/models/permitted_params.rb

@ -115,7 +115,7 @@ class UsersController < ApplicationController
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option)
@user.attributes = permitted_params.user_create_as_admin(false)
@user.attributes = permitted_params.user_create_as_admin(false, @user.change_password_allowed?)
@user.admin = params[:user][:admin] || false
if @user.change_password_allowed?
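Review bot: In `create`, the `change_password_allowed?` value handed to `user_create_as_admin` is computed on the user built two lines earlier, before the request's attributes (auth_source_id included, since `false` is passed for external_authentication) have been assigned, so the guard describes a user with no auth source rather than the one being created. If `change_password_allowed?` depends on the auth source, as the `uses_external_authentication?` argument in the update hunk suggests, a user created with an external source can still have force_password_change permitted; the update hunk has the same ordering issue whenever the request also changes auth_source_id. Consider assigning the other attributes first and then setting the flag separately, e.g. `@user.force_password_change = params[:user][:force_password_change] if @user.change_password_allowed?`, or deriving the flag from the submitted auth_source_id. On the permitted_params hunk this render carries no +/- markers, so I cannot tell whether `:force_password_change` in the unconditional list after the new conditional `<<` is removed; if it remains on the new side, the conditional add is a no-op. create's body continues past the end of this hunk.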
@ -164,7 +164,8 @@ class UsersController < ApplicationController
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
def update
@user.attributes = permitted_params.user_update_as_admin(@user.uses_external_authentication?)
@user.attributes = permitted_params.user_update_as_admin(@user.uses_external_authentication?,
@user.change_password_allowed?)
if @user.change_password_allowed?
if params[:user][:assign_random_password]

@ -198,22 +198,22 @@ class PermittedParams < Struct.new(:params, :current_user)
permitted_params
end
def user_update_as_admin(external_authentication)
def user_update_as_admin(external_authentication, change_password_allowed)
# Found group_ids in safe_attributes and added them here as I
# didn't know the consequences of removing these.
# They were not allowed on create.
user_create_as_admin(external_authentication, [:group_ids => []])
user_create_as_admin(external_authentication, change_password_allowed, [:group_ids => []])
end
def user_create_as_admin(external_authentication, additional_params = [])
def user_create_as_admin(external_authentication, change_password_allowed, additional_params = [])
if current_user.admin?
additional_params << :auth_source_id unless external_authentication
additional_params << :force_password_change if change_password_allowed
allowed_params = self.class.permitted_attributes[:user] + \
additional_params + \
[ :admin,
:auth_source_id,
:force_password_change,
:login ]
permitted_params = params.require(:user).permit(*allowed_params)
