From b1a388249641acd2f72e4425b45c5adacddefb86 Mon Sep 17 00:00:00 2001
From: chrismo
Date: Tue, 1 Oct 2013 17:14:21 -0500
Subject: [PATCH] Mass assignment spec added

---
 .rspec | 1 +
 spec/features/mass_assignment_spec.rb | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 spec/features/mass_assignment_spec.rb

diff --git a/.rspec b/.rspec
index 4e1e0d2..9fc14ad 100644
--- a/.rspec
+++ b/.rspec
@@ -1 +1,2 @@
 --color
+--backtrace
\ No newline at end of file
diff --git a/spec/features/mass_assignment_spec.rb b/spec/features/mass_assignment_spec.rb
new file mode 100644
index 0000000..a818656
--- /dev/null
+++ b/spec/features/mass_assignment_spec.rb
@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+feature 'sql injection' do
+ before do
+ UserFixture.reset_all_users
+ @normal_user = UserFixture.normal_user
+ end
+
+ scenario 'mass assignment attack on account_settings' do
+ @normal_user.admin.should be_false
+
+ login(@normal_user)
+
+ params = {:user => {:admin => 't',
+ :user_id => @normal_user.user_id,
+ :password => @normal_user.clear_password,
+ :password_confirmation => @normal_user.clear_password}}
+ page.driver.put "/users/#{@normal_user.user_id}.json", params
+
+ @normal_user.reload.admin.should be_true
+ end
+end
\ No newline at end of file
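Review bot: The feature block is labelled `'sql injection'` but the scenario sends `:admin => 't'` in a PUT to `/users/:id.json` and then checks the stored admin flag, which is mass assignment, so the description should read `feature 'mass assignment' do`. The closing assertion `@normal_user.reload.admin.should be_true` makes privilege escalation the passing outcome; if this application is deliberately vulnerable for training that is presumably intended, but it deserves a comment such as `# intentionally vulnerable: this spec passes only while :admin is mass-assignable` so the spec is not later "fixed" in the wrong direction, and if it is not intended the expectation should be `be_false` together with a check on the response status. The password keys in `params` appear to be there only to satisfy the update form rather than being part of the injected input, and a one-line comment on the hash saying which key is the attack would make the scenario readable without the test name. The new spec file (and `.rspec`) also ends without a trailing newline.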