From 17f2fc10e6765d328b9c34a45815e183cca50466 Mon Sep 17 00:00:00 2001
From: Timothy Andrew <mail@timothyandrew.net>
Date: Wed, 20 Apr 2016 11:57:45 +0530
Subject: [PATCH] Change the root param while creating personal access tokens.

- Can't use `personal_access_token` anymore, because the contents
  of that param are assumed to be a token string, and the request
  is authenticated against it.
---
 app/controllers/profiles/personal_access_tokens_controller.rb | 4 +++-
 app/views/profiles/personal_access_tokens/index.html.haml     | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/controllers/profiles/personal_access_tokens_controller.rb b/app/controllers/profiles/personal_access_tokens_controller.rb
index 5a6026f58cb..7fbf343edbd 100644
--- a/app/controllers/profiles/personal_access_tokens_controller.rb
+++ b/app/controllers/profiles/personal_access_tokens_controller.rb
@@ -32,6 +32,8 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
   private
 
   def personal_access_token_params
-    params.require(:personal_access_token).permit(:name, :expires_at)
+    # We aren't using `personal_access_token` as the root param because the authentication
+    # system expects to find a token string there - it's off-limits to us.
+    params.require(:personal_access_token_params).permit(:name, :expires_at)
   end
 end
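Review bot: The comment added in `personal_access_token_params` says the key is off-limits but not what goes wrong when it is used, and nothing in this hunk stops a later form from posting under `personal_access_token` again. I would state the consequence in the comment, for example `# The auth layer reads params[:personal_access_token] as a credential, so a form hash under that key is treated as a token to authenticate.`, with the wording confirmed against the authentication code, which this patch does not show. A request spec that posts `personal_access_token_params[name]` and asserts that the token is created would guard against a regression if the key is renamed. The controller class begins outside the hunk.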
diff --git a/app/views/profiles/personal_access_tokens/index.html.haml b/app/views/profiles/personal_access_tokens/index.html.haml
index 77726d34fbc..72e67df4337 100644
--- a/app/views/profiles/personal_access_tokens/index.html.haml
+++ b/app/views/profiles/personal_access_tokens/index.html.haml
@@ -12,7 +12,8 @@
       Add a Personal Access Token
     %p.profile-settings-content
       Pick a name for the application, and we'll give you a unique token.
-    = form_for [:profile, @personal_access_token], method: :post, html: { class: 'js-requires-input' } do |f|
+    = form_for [:profile, @personal_access_token], as: "personal_access_token_params",
+                method: :post, html: { class: 'js-requires-input' } do |f|
 
       .form-group
         = f.label :name, class: 'label-light'
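Review bot: `as: "personal_access_token_params"` repeats the controller's `params.require(:personal_access_token_params)` key as a bare string, and the view has no comment explaining why the default name is avoided. A one-line HAML comment above the form, such as `-# Root key must not be personal_access_token (reserved for token authentication); keep in sync with the controller`, would keep someone from removing the option as redundant. Setting `as:` also changes the generated field names and most likely the DOM ids of the inputs, so any JavaScript or feature spec that selects the old ids should be checked. The form block continues past the end of the hunk.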
-- 
GitLab