From a362d62b42d5be9c8b174dee55b7a37b078fdec1 Mon Sep 17 00:00:00 2001
From: Chris Hunt <c@chrishunt.co>
Date: Tue, 11 Jun 2013 16:00:13 -0700
Subject: [PATCH] Do not return mail password in EmailController

---
 app/controllers/admin/email_controller.rb     | 31 ++++++++++++-------
 .../admin/email_controller_spec.rb            | 14 +++++++--
 2 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/app/controllers/admin/email_controller.rb b/app/controllers/admin/email_controller.rb
index eaa1f853f..f7f1f3e21 100644
--- a/app/controllers/admin/email_controller.rb
+++ b/app/controllers/admin/email_controller.rb
@@ -3,18 +3,10 @@ require_dependency 'email/renderer'
 class Admin::EmailController < Admin::AdminController
 
   def index
-
-    # For now, just show the ActionMailer settings
-    mail_settings = { delivery_method: ActionMailer::Base.delivery_method }
-
-    mail_settings[:settings] = case mail_settings[:delivery_method]
-    when :smtp
-       ActionMailer::Base.smtp_settings.map {|k, v| {name: k, value: v}}
-    when :sendmail
-      ActionMailer::Base.sendmail_settings.map {|k, v| {name: k, value: v}}
-    end
-
-    render_json_dump(mail_settings)
+    render_json_dump({
+      delivery_method: delivery_method,
+      settings: delivery_settings
+    })
   end
 
   def test
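Review bot: The braces in `render_json_dump({ ... })` are redundant once the argument is parenthesised, and the comment that explained what index returns was dropped with the old body. I would write the call as `render_json_dump(delivery_method: delivery_method, settings: delivery_settings)` and restore a one-line comment above `def index` such as `# Reports the active ActionMailer delivery method and its settings, with credentials removed.` The test method that starts at the end of this hunk continues outside it.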
@@ -34,4 +26,19 @@ class Admin::EmailController < Admin::AdminController
     render json: MultiJson.dump(html_content: renderer.html, text_content: renderer.text)
   end
 
+  private
+
+  def delivery_settings
+    action_mailer_settings
+      .reject { |k, v| k == :password }
+      .map    { |k, v| { name: k, value: v }}
+  end
+
+  def delivery_method
+    ActionMailer::Base.delivery_method
+  end
+
+  def action_mailer_settings
+    ActionMailer::Base.public_send "#{delivery_method}_settings"
+  end
 end
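Review bot: `delivery_settings` redacts only an exact `:password` symbol key, so a settings hash keyed by the string `"password"` (or any other credential-bearing key a deployment adds) is still returned to the admin client; the filter would be safer as an explicit list, e.g. `REDACTED_KEYS = %i[password].freeze` on the class and `.reject { |k, _v| REDACTED_KEYS.include?(k.to_s.to_sym) }`, which also makes the unused block parameter explicit. `action_mailer_settings` builds the accessor name from `delivery_method` with `public_send`, which presumably works for `:smtp`/`:sendmail` and the other methods registered via `add_delivery_method`, but unlike the removed `case` it will raise `NoMethodError` for a delivery method with no `_settings` accessor; if that is not intended, guard with `respond_to?` and return `{}` (confirm against the delivery methods this app configures). A short comment on `delivery_settings` stating that it is the only path by which mailer settings reach the response would help the next maintainer keep the redaction in place.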
diff --git a/spec/controllers/admin/email_controller_spec.rb b/spec/controllers/admin/email_controller_spec.rb
index c20810902..5314f1d29 100644
--- a/spec/controllers/admin/email_controller_spec.rb
+++ b/spec/controllers/admin/email_controller_spec.rb
@@ -10,11 +10,21 @@ describe Admin::EmailController do
 
   context '.index' do
     before do
+      subject.expects(:action_mailer_settings).returns({
+        username: 'username',
+        password: 'secret'
+      })
+
       xhr :get, :index
     end
 
-    subject { response }
-    it { should be_success }
+    it 'does not include the password in the response' do
+      mail_settings = JSON.parse(response.body)['settings']
+
+      expect(
+        mail_settings.select { |setting| setting['name'] == 'password' }
+      ).to be_empty
+    end
   end
 
   context '.logs' do
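Review bot: The new example only checks that no `password` entry is present, so a filter that dropped every setting (or an endpoint that returned an empty list) would still pass; add a positive assertion that the stubbed non-secret key survives, e.g. `expect(mail_settings.map { |setting| setting['name'] }).to include('username')`. The rewrite also removed the `it { should be_success }` example, so the response status is no longer asserted; keeping `expect(response).to be_success` alongside the new expectation costs one line. The `describe` block this hunk belongs to starts before and ends after the visible lines.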