Skip to content

Remove mass-assignment from :password_archivable #68

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
olbrich merged 6 commits into from
Mar 2, 2019
Merged

Remove mass-assignment from :password_archivable #68

olbrich merged 6 commits into from
Mar 2, 2019

Conversation

@npalrecha
Copy link
Contributor

@npalrecha npalrecha commented Dec 13, 2018
edited
Loading

You are required to use attr_accessible in order to instantiate and set encrypted_password in the same line using .new. encrypted_password shouldn't be mass-assignable. This change removes the necessity of encrypted_password to be mass-assignable.

@npalrecha
Removing mass assignment
1570487 
changed > 0 to .positive?
@olbrich
Copy link
Contributor

olbrich commented Dec 13, 2018

Please add a description/explanation for why this change is necessary / useful.

@shaicoleman
Copy link

shaicoleman commented Jan 3, 2019

This fixes a bug where devise-security skips the password history check in certain cases,
e.g. using the protected_attributes_continued gem and not having :encrypted_password in attr_accessible.

There are other instances in the codebase where there's mass assignment, but this is a start

@olbrich olbrich added this to the 0.14.0 milestone Jan 12, 2019
@olbrich olbrich self-assigned this Jan 12, 2019
@olbrich olbrich added the #️⃣.#️⃣.#️⃣ Patch backwards-compatible bug fixes label Jan 13, 2019
@natebird natebird requested a review from olbrich January 23, 2019 14:34
@dillonwelch
Copy link
Contributor

dillonwelch commented Feb 23, 2019

Can you add a regression test?

@devise-security devise-security deleted a comment from coveralls Mar 2, 2019
@devise-security devise-security deleted a comment from coveralls Mar 2, 2019
@devise-security devise-security deleted a comment from coveralls Mar 2, 2019
olbrich
olbrich approved these changes Mar 2, 2019
View reviewed changes
Copy link
Contributor

@olbrich olbrich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@oniofchaos I don't think additional regression tests are necessary. This method is pretty well covered.

@devise-security devise-security deleted a comment from coveralls Mar 2, 2019
@olbrich olbrich merged commit f68836f into devise-security:master Mar 2, 2019
@npalrecha npalrecha deleted the bugfix/avoid-mass-assignment branch March 11, 2019 18:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olbrich olbrich olbrich approved these changes

Assignees

@olbrich olbrich

Labels

🐛 bug #️⃣.#️⃣.#️⃣ Patch backwards-compatible bug fixes

Projects

None yet

Milestone

0.14.0

Development

Successfully merging this pull request may close these issues.

5 participants

@npalrecha @olbrich @shaicoleman @dillonwelch @natebird