diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index 33060f508..ba912ccbe 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -16,7 +16,7 @@ class Api::V1::UsersController < Api::V1::BaseController
   def update
     user_params = params[:user] || {}
     send_confirmation = user_params[:email] != @user.email
-    if @user.update_without_password(user_params)
+    if @user.update_without_password(subject_params(User))
       if send_confirmation
         @user.confirmed_at, @user.confirmation_sent_at = nil
         @user.send_confirmation_instructions
@@ -29,7 +29,7 @@ class Api::V1::UsersController < Api::V1::BaseController
   def notifiers
     if request.put?
-      if @user.notifier.update_attributes(params[:notifiers])
+      if @user.notifier.update_attributes(notifier_params)
         render_json_response @user, 'User notification settings have been updated successfully'
       else
         render_json_response @user, error_message(@user.notifier, 'User notification settings have not been updated'), 422
@@ -39,6 +39,10 @@ class Api::V1::UsersController < Api::V1::BaseController
   protected
+  def notifier_params
+    permit_params(:notifiers, *policy(SettingsNotifier).permitted_attributes)
+  end
+
   def set_current_user
     authorize @user = current_user
   end
diff --git a/app/models/settings_notifier.rb b/app/models/settings_notifier.rb
index 8be1ce702..559935bb6 100644
--- a/app/models/settings_notifier.rb
+++ b/app/models/settings_notifier.rb
@@ -3,16 +3,4 @@ class SettingsNotifier < ActiveRecord::Base
   validates :user, presence: true
-  # attr_accessible :can_notify,
-  #                 :update_code,
-  #                 :new_comment_commit_owner,
-  #                 :new_comment_commit_repo_owner,
-  #                 :new_comment_commit_commentor,
-  #                 :new_comment,
-  #                 :new_comment_reply,
-  #                 :new_issue,
-  #                 :issue_assign,
-  #                 :new_build,
-  #                 :new_associated_build
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index b17711138..7166ac551 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
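Review bot: In the first hunk, `send_confirmation` on the line above the changed one is still computed from the raw `params[:user]` hash, while the update itself now applies only `subject_params(User)` (defined outside this diff, presumably in the base controller), so the flag and the write can disagree. Because `user_params[:email]` is `nil` whenever a client omits the field, `nil != @user.email` is true and a PUT that changes only, say, `name` clears `confirmed_at` and re-sends confirmation instructions, which the commit does not address. Derive the flag from the same permitted hash and only when an email was actually supplied: `permitted = subject_params(User)`, `send_confirmation = permitted.key?(:email) && permitted[:email] != @user.email`, then `if @user.update_without_password(permitted)`. The body of `update` continues outside the hunk, so the else branch is not visible here.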
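Review bot: In the third hunk, `notifier_params` has no comment while the policy methods added in the same commit use TomDoc; add `# Protected: Strong-parameters hash for the :notifiers payload, restricted to SettingsNotifierPolicy#permitted_attributes.` above the `def`. `policy(SettingsNotifier)` looks the policy up from the class, so any record-level rule SettingsNotifierPolicy later gains would never see the notifier being edited; `policy(@user.notifier)` resolves to the same policy today and keeps the record available. `permit_params` is defined outside this diff, so whether it raises on or silently drops unpermitted keys cannot be confirmed from the hunk.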
@@ -56,8 +56,6 @@ class User < Avatar
   validates :role, inclusion: { in: EXTENDED_ROLES }, allow_blank: true
   validates :language, inclusion: { in: LANGUAGES }, allow_blank: true
-  # attr_accessible :email, :password, :password_confirmation, :current_password, :remember_me, :login, :name, :uname, :language,
-  #                 :site, :company, :professional_experience, :location, :sound_notifications, :hide_email, :delete_avatar
   attr_readonly :uname
   attr_accessor :login, :delete_avatar
diff --git a/app/policies/settings_notifier_policy.rb b/app/policies/settings_notifier_policy.rb
new file mode 100644
index 000000000..665a567ab
--- /dev/null
+++ b/app/policies/settings_notifier_policy.rb
@@ -0,0 +1,22 @@
+class SettingsNotifierPolicy < ApplicationPolicy
+
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      can_notify
+      update_code
+      new_comment_commit_owner
+      new_comment_commit_repo_owner
+      new_comment_commit_commentor
+      new_comment
+      new_comment_reply
+      new_issue
+      issue_assign
+      new_build
+      new_associated_build
+    )
+  end
+
+end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 2b4a9467a..71a1cbd2a 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -11,6 +11,30 @@ class UserPolicy < ApplicationPolicy
   alias_method :show_current_user?, :update?
   alias_method :write?, :update?
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      company
+      current_password
+      delete_avatar
+      email
+      hide_email
+      language
+      location
+      login
+      name
+      password
+      password_confirmation
+      professional_experience
+      remember_me
+      site
+      sound_notifications
+      uname
+    )
+  end
+
   class Scope < Scope
     def show
       scope
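Review bot: In the new settings_notifier_policy.rb, `permitted_attributes` builds a fresh array on every call and hands callers a mutable list; a frozen constant keeps the allow-list immutable and avoids the per-request allocation. Move the literal to `PERMITTED_ATTRIBUTES = %i(...).freeze` at class level and make the method `def permitted_attributes; PERMITTED_ATTRIBUTES; end`, and tighten the doc to `# Returns Array of Symbols`. The same applies to `UserPolicy#permitted_attributes` in the following hunk.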
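Review bot: In the user_policy.rb hunk, `uname` is listed as alterable, but the user.rb hunk above shows `attr_readonly :uname`, so ActiveRecord silently drops it on update: the API accepts a `uname` change, `update_without_password` reports success and the client is told the user was updated while nothing changed. Either drop `uname` from this list or have the controller reject it explicitly so the caller gets a 422 rather than a false success. If `update_without_password` is Devise's, it strips `password` and `password_confirmation` itself, so listing them here is inert for `update` today but will matter the moment this list is reused for create or an `update_with_password` path; a comment noting that the list is intended for updates only would make the scope explicit.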