Do not return mail password in EmailController

app/controllers/admin/email_controller.rb

@@ -3,18 +3,10 @@ require_dependency 'email/renderer'
 class Admin::EmailController < Admin::AdminController
 
   def index
-
+    render_json_dump({
-    # For now, just show the ActionMailer settings
+      delivery_method: delivery_method,
-    mail_settings = { delivery_method: ActionMailer::Base.delivery_method }
+      settings: delivery_settings
-
+    })
-    mail_settings[:settings] = case mail_settings[:delivery_method]
-    when :smtp
-       ActionMailer::Base.smtp_settings.map {|k, v| {name: k, value: v}}
-    when :sendmail
-      ActionMailer::Base.sendmail_settings.map {|k, v| {name: k, value: v}}
-    end
-
-    render_json_dump(mail_settings)
   end
 
   def test
@@ -34,4 +26,19 @@ class Admin::EmailController < Admin::AdminController
     render json: MultiJson.dump(html_content: renderer.html, text_content: renderer.text)
   end
 
+  private
+
+  def delivery_settings
+    action_mailer_settings
+      .reject { |k, v| k == :password }
+      .map    { |k, v| { name: k, value: v }}
+  end
+
+  def delivery_method
+    ActionMailer::Base.delivery_method
+  end
+
+  def action_mailer_settings
+    ActionMailer::Base.public_send "#{delivery_method}_settings"
+  end
 end

spec/controllers/admin/email_controller_spec.rb

@@ -10,11 +10,21 @@ describe Admin::EmailController do
 
   context '.index' do
     before do
+      subject.expects(:action_mailer_settings).returns({
+        username: 'username',
+        password: 'secret'
+      })
+
       xhr :get, :index
     end
 
-    subject { response }
+    it 'does not include the password in the response' do
-    it { should be_success }
+      mail_settings = JSON.parse(response.body)['settings']
+
+      expect(
+        mail_settings.select { |setting| setting['name'] == 'password' }
+      ).to be_empty
+    end
   end
 
   context '.logs' do