From 08b6a98e397e1514b5c182070d9d1c82dbea217d Mon Sep 17 00:00:00 2001
From: Luis Castro
Date: Tue, 6 Aug 2019 14:39:48 +0200
Subject: [PATCH] feat(cards): add strong params
---
 app/controllers/cards_controller.rb | 8 +++++++-
 app/models/card.rb | 22 ++++++++++------------
 2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/app/controllers/cards_controller.rb b/app/controllers/cards_controller.rb
index 2d13af20..d55bc5b5 100755
--- a/app/controllers/cards_controller.rb
+++ b/app/controllers/cards_controller.rb
@@ -6,7 +6,7 @@ class CardsController < ApplicationController
 # post /cards
 def create
- acct = Supporter.find(params[:card][:holder_id]).nonprofit.stripe_account_id
+ acct = Supporter.find(card_params[:holder_id]).nonprofit.stripe_account_id
 render(
 JsonResp.new(params) do |_d|
 requires(:card).nested do
@@ -19,4 +19,10 @@ class CardsController < ApplicationController
 end
 )
 end
+ private
+ def card_params
+ params.require(:card).permit(:cardholders_name, :email, :name, :failure_message, :status, :stripe_card_token, :stripe_card_id, :stripe_customer_id, :holder, :inactive)
+ end
 end
diff --git a/app/models/card.rb b/app/models/card.rb
index b5739b84..4a1b92d0 100755
--- a/app/models/card.rb
+++ b/app/models/card.rb
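Review bot: `card_params[:holder_id]` in create will always be nil, because the `card_params` method added in the second hunk permits `:holder` but not `:holder_id`, so `Supporter.find(nil)` raises ActiveRecord::RecordNotFound and every request to this action fails; add the key to the list, e.g. `params.require(:card).permit(:holder_id, :cardholders_name, …)`. The middle of create, including the JsonResp block that still reads the raw `params`, lies between the two hunks, so I cannot see whether card_params is consumed anywhere else. Independently of this, the holder id comes straight from the client and is resolved to a nonprofit's Stripe account id; if no ownership check exists elsewhere in the controller, the permitted id should be verified against the current user before it is used.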
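Review bot: The permit call in card_params is a single line of roughly 170 characters, which the usual RuboCop line-length limit (120) would reject; list one attribute per line inside the `permit(` parentheses, or keep the list in a frozen constant such as `PERMITTED_CARD_ATTRS = %i[cardholders_name email name …].freeze` and call `permit(*PERMITTED_CARD_ATTRS)` (constant name constructed here). The model's comment in the card.rb hunk describes `:holder` as the polymorphic association and `:holder_id`/`:holder_type` as its attributes, so permitting `:holder` as a scalar appears to permit nothing useful. Whether client-supplied `:status`, `:inactive` and `:stripe_customer_id` should be mass-assignable at all depends on how card_params is consumed, which this hunk does not show; it is worth confirming before the list is widened.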
@@ -2,18 +2,16 @@
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 class Card < ApplicationRecord
- # TODO
- # attr_accessible \
- # :cardholders_name, # str (name associated with this card)
- # :email, # str (cache the email associated with this card)
- # :name, # str (readable card name, eg. Visa *1234)
- # :failure_message, # accessor for temporarily storing the stripe decline message
- # :status, # str
- # :stripe_card_token, # str
- # :stripe_card_id, # str
- # :stripe_customer_id, # str
- # :holder, :holder_id, :holder_type, # polymorphic cardholder association
- # :inactive # a card is inactive. This is currently only meaningful for nonprofit cards
+ # :cardholders_name, # str (name associated with this card)
+ # :email, # str (cache the email associated with this card)
+ # :name, # str (readable card name, eg. Visa *1234)
+ # :failure_message, # accessor for temporarily storing the stripe decline message
+ # :status, # str
+ # :stripe_card_token, # str
+ # :stripe_card_id, # str
+ # :stripe_customer_id, # str
+ # :holder, :holder_id, :holder_type, # polymorphic cardholder association
+ # :inactive # a card is inactive. This is currently only meaningful for nonprofit cards
 attr_accessor :failure_message