Prevent class from being changed via PUT /user

Blade Barringer
2015-10-26 17:25:51 -05:00
parent c7b162271c
commit 13bca6b9a9
2 changed files with 22 additions and 4 deletions


@@ -53,4 +53,23 @@ describe.only('PUT /user', () => {
});
});
});
context('sub-level protected paths', () => {
let protectedPaths = {
'class stat': {'stats.class': 'wizard'},
};
each(protectedPaths, (data, testName) => {
it(`does not allow updating ${testName}`, () => {
let errorText = [];
each(data, (value, path) => {
errorText.push(`path \`${path}\` was not saved, as it's a protected path. See https://github.com/HabitRPG/habitrpg/blob/develop/API.md for PUT /api/v2/user.`);
});
return expect(api.put('/user', data)).to.eventually.be.rejected.and.eql({
code: 401,
text: errorText,
});
});
});
});
});
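Review bot: The hunk header shows the enclosing suite declared as `describe.only('PUT /user', () => {`, which makes mocha run this suite alone and skip every other spec if it is still in the committed file; it should read `describe('PUT /user', () => {` before merge. That declaration is outside the hunk, so this is inferred from the header context only. In the added test, `protectedPaths` and `errorText` are never reassigned, so `const protectedPaths = {` and `const errorText = [];` would state the intent better than `let`.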


@@ -298,10 +298,9 @@ acceptablePUTPaths = _.reduce(require('./../models/user').schema.paths, function
return m;
}, {})
//// Uncomment this if we we want to disable GP-restoring (eg, holiday events)
//_.each('stats.gp'.split(' '), function(removePath){
// delete acceptablePUTPaths[removePath];
//})
_.each('stats.class'.split(' '), function(removePath){
delete acceptablePUTPaths[removePath];
})
/**
* Update user
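Review bot: Deleting the exact key `stats.class` from `acceptablePUTPaths` protects the field only if the update handler compares each submitted key against this map literally. The handler is outside the hunk, so it is worth confirming that a body carrying `stats` as a nested object is refused as well, and covering that case in the spec. The map is built from every schema path (the reduce's filter is not visible here), so a newly added sensitive field is writable by default until someone deletes it here; an explicit list of protected paths beside this block would make that visible. `'stats.class'.split(' ')` is a leftover of the removed template and reads more clearly as `_.each(['stats.class'], function(removePath){`, preceded by a comment such as `// stats.class is protected: it must not be settable through PUT /user`.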