From 3faa7653d0efc76c42d5b5cb6dcb93b3a69718a9 Mon Sep 17 00:00:00 2001
From: Bob Van Landuyt <bob@vanlanduyt.co>
Date: Wed, 4 Apr 2018 09:59:35 +0200
Subject: [PATCH] Handle invalid params when trying update_username

Use strong params to require the presence of a username when calling
`update_username`. Otherwise we'd raise a `NoMethodError` while validating
the paths on disk.
---
 app/controllers/profiles_controller.rb       | 6 +++++-
 spec/controllers/profiles_controller_spec.rb | 7 +++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index dbf61a17724..3d27ae18b17 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -51,7 +51,7 @@ class ProfilesController < Profiles::ApplicationController
   end
 
   def update_username
-    result = Users::UpdateService.new(current_user, user: @user, username: user_params[:username]).execute
+    result = Users::UpdateService.new(current_user, user: @user, username: username_param).execute
 
     options = if result[:status] == :success
                 { notice: "Username successfully changed" }
@@ -72,6 +72,10 @@ class ProfilesController < Profiles::ApplicationController
     return render_404 unless @user.can_change_username?
   end
 
+  def username_param
+    @username_param ||= user_params.require(:username)
+  end
+
   def user_params
     @user_params ||= params.require(:user).permit(
       :avatar,
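Review bot: `username_param` guarantees that a username is present but not that it is a String. `require` raises only for a missing or blank value, and the scalar filter in `permit` also admits numbers, booleans and uploaded files (this assumes `:username` is in the permit list, which continues outside this hunk). A JSON or multipart request could therefore still hand a non-String to `Users::UpdateService`, and the path validation named in the commit message may hit the same `NoMethodError`. If the service does not coerce the value, I would reject anything that is not a String here. A comment above the method would also help, such as `# Raises ActionController::ParameterMissing (400 by default) when user[username] is absent or blank`.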
diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb
index 03cbbb21e62..891485406c6 100644
--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
@@ -84,6 +84,13 @@ describe ProfilesController, :request_store do
       expect(user.username).to eq(new_username)
     end
 
+    it 'raises a correct error when the username is missing' do
+      sign_in(user)
+
+      expect { put :update_username, user: { gandalf: 'you shall not pass' } }
+        .to raise_error(ActionController::ParameterMissing)
+    end
+
     context 'with legacy storage' do
       it 'moves dependent projects to new namespace' do
         project = create(:project_empty_repo, :legacy_storage, namespace: namespace)
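Review bot: The new example covers only a missing `username` key, so the blank-value path, where `require` also raises, is untested. A second expectation such as `expect { put :update_username, user: { username: '' } }.to raise_error(ActionController::ParameterMissing)` would pin it. The example name could also state the error, e.g. `'raises ParameterMissing when the username is missing'`. The enclosing `describe` block starts and ends outside this hunk.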
-- 
2.30.9