verifying user exists before trying to update

This commit is contained in:
Mike McCabe
2013-10-09 11:08:39 -04:00
parent a93159c9f2
commit bbed455178
+25 -20
@@ -1,12 +1,12 @@
class UsersController < ApplicationController class UsersController < ApplicationController
skip_before_filter :has_info skip_before_filter :has_info
skip_before_filter :authenticated, :only => [:new, :create] skip_before_filter :authenticated, :only => [:new, :create]
def new def new
@user = User.new @user = User.new
end end
def create def create
user = User.new(params[:user]) user = User.new(params[:user])
user.build_benefits_data user.build_benefits_data
@@ -19,32 +19,37 @@ class UsersController < ApplicationController
redirect_to :sign_up redirect_to :sign_up
end end
end end
def account_settings def account_settings
@user = current_user @user = current_user
end end
def update def update
message = false message = false
#Safest #Safest
# user = current_user # user = current_user
# Still an Insecure DoR vulnerability # Still an Insecure DoR vulnerability
#user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"]) #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])
user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
user.skip_user_id_assign = true if user
user.skip_hash_password = true user.skip_user_id_assign = true
user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k }) user.skip_hash_password = true
if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation]) user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
user.skip_hash_password = false if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
user.password = params[:user][:password] user.skip_hash_password = false
end user.password = params[:user][:password]
message = true if user.save! end
respond_to do |format| message = true if user.save!
format.html { redirect_to user_account_settings_path(:user_id => current_user.user_id) } respond_to do |format|
format.json { render :json => {:msg => message ? "success" : "false "} } format.html { redirect_to user_account_settings_path(:user_id => current_user.user_id) }
format.json { render :json => {:msg => message ? "success" : "false "} }
end
else
flash[:error] = "Could not update user!"
redirect_to user_account_settings_path(:user_id => current_user.user_id)
end end
end end
end end
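Review bot: The new `if user` guard only covers the case where no row came back; the lookup just above it still builds the SQL condition by interpolating `params[:user][:user_id]` into the string and still lets the request choose which account gets updated, which the retained comments (`#Safest`, `# Still an Insecure DoR vulnerability`) already acknowledge. The one-line fix the comment itself proposes is `user = current_user`, after which the `else` branch and `skip_user_id_assign` are only a defensive fallback; if a lookup by id must remain, use the bound-parameter form shown in the commented-out line, `User.find(:first, :conditions => ["user_id = ?", params[:user][:user_id]])`. Separately, `message = true if user.save!` never yields the `"false "` JSON response, because `save!` raises on a failed validation instead of returning false, so either use `user.save` here or rescue the error and set the flash the way the new `else` branch does. `update` starts at the `def update` line inside this hunk and ends at the `end` before the class closes, so this covers the whole method.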