Prevent CSRF bypass updating account details
index 03657d2883dbfc6b26669f13e2b907b7e1e71b40..02e5db7db25dd54d5cd3ae5d19f85817040fca82 100644 (file)
@@ -949,6 +949,14 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
       assert_equal "/user/#{ERB::Util.u(user.display_name)}/account", form.attr("action").to_s
     end
 
+    # Updating the description using GET should fail
+    user.description = "new description"
+    user.preferred_editor = "default"
+    get user_account_path(user), :params => { :user => user.attributes }
+    assert_response :success
+    assert_template :account
+    assert_not_equal user.description, User.find(user.id).description
+
     # Updating the description should work
     user.description = "new description"
     user.preferred_editor = "default"
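Review bot: The comment on the first added line says the GET "should fail", but the assertions right below it expect a 200 response and the account template, so what the block actually verifies is that the GET renders without persisting the submitted attributes; rewording it to `# Updating the description using GET must not persist any changes` makes the intent of the following assert_not_equal explicit. The added lines also set preferred_editor to "default" but only check that description was left untouched; if the fixture's preferred_editor differs from "default", adding `assert_not_equal user.preferred_editor, User.find(user.id).preferred_editor` would cover that second attribute as well. The `User.find(user.id)` lookup rather than `user.reload` appears deliberate, since reload would discard the in-memory changes the next block reuses. The enclosing test method begins before the hunk.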