Error updating projects_limit via API
Created by: hack006
projects_limit can't be updated via the API because of mass assignment protection.
In the code at /lib/api/users.rb:
# line: 73
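# PUT /users/:id — admin-only update of an existing user.
#
# Mass-assignment protection drops :projects_limit from a plain
# update_attributes call: the attribute is only assignable under the
# :admin role, so it is silently sanitized away and never saved.
# The route is already gated by authenticated_as_admin!, and the set
# of attributes a request can touch is still bounded by the explicit
# key list below, so assigning with the :admin role here does not
# widen what a caller can set.
put ":id" do
  authenticated_as_admin!
  # Only these keys are copied out of params; anything else is ignored.
  attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin,
                               :twitter, :projects_limit, :username,
                               :extern_uid, :provider, :bio]
  user = User.find(params[:id])
  # NOTE(review): User.find normally raises for an unknown id, so this
  # guard is probably never reached — confirm before relying on it.
  not_found!("User not found") unless user
  # The :admin role is required for :projects_limit to survive the
  # mass-assignment sanitizer.
  if user.update_attributes(attrs, as: :admin)
    present user, with: Entities::User
  else
    # NOTE(review): a validation failure is reported as 404 here even
    # though the user exists; kept as is to preserve the response
    # contract, but a 400-style error would describe it more accurately.
    not_found!
  end
end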
To reproduce:
curl -X PUT -i --data "private_token={admin_private_token}&projects_limit=20&twitter=new_value" {gitlab_api_uri}/users/{user_id}
Fix:
# ...
# line: 80
if user.update_attributes attrs, as: :admin # now successfully passed via mass assigment sanitizer :)
#...