feat(custom_field_join): add strong params

Using permit with a limited list of params
2019-08-06 14:49:08 +02:00 · 2019-08-06 14:49:08 +02:00 · 65bd361b3f
commit 65bd361b3f
parent c9fba40183
2 changed files with 19 additions and 13 deletions
--- a/app/controllers/nonprofits/custom_field_joins_controller.rb
+++ b/app/controllers/nonprofits/custom_field_joins_controller.rb
@ -8,7 +8,7 @@ module Nonprofits

    def index
      @custom_field_joins = current_nonprofit
-                            .supporters.find(params[:supporter_id])
+                            .supporters.find(custom_field_params[:supporter_id])
                            .custom_field_joins
                            .order('created_at DESC')
    end
@ -16,24 +16,30 @@ module Nonprofits
    # used for modify a single supporter's custom fields or a group of
    # selected supporters' CFs or all supporters' CFs
    def modify
-      if params[:custom_fields].blank? || params[:custom_fields].empty?
+      if custom_field_params[:custom_fields].blank? || custom_field_params[:custom_fields].empty?
        render json: {}
        return
      end

-      if params[:selecting_all]
-        supporter_ids = QuerySupporters.full_filter_expr(current_nonprofit.id, params[:query]).select('supporters.id').execute.map { |h| h['id'] }
+      if custom_field_params[:selecting_all]
+        supporter_ids = QuerySupporters.full_filter_expr(current_nonprofit.id, custom_field_params[:query]).select('supporters.id').execute.map { |h| h['id'] }
      else
-        supporter_ids = params[:supporter_ids]. map(&:to_i)
+        supporter_ids = custom_field_params[:supporter_ids]. map(&:to_i)
      end

-      render InsertCustomFieldJoins.in_bulk(current_nonprofit.id, supporter_ids, params[:custom_fields])
+      render InsertCustomFieldJoins.in_bulk(current_nonprofit.id, supporter_ids, custom_field_params[:custom_fields])
    end

    def destroy
-      supporter = current_nonprofit.supporters.find(params[:supporter_id])
-      supporter.custom_field_joins.find(params[:id]).destroy
+      supporter = current_nonprofit.supporters.find(custom_field_params[:supporter_id])
+      supporter.custom_field_joins.find(custom_field_params[:id]).destroy
      render json: {}, status: :ok
    end
+
+    private
+
+    def custom_field_params
+      params.permit(:selecting_all, :supporter_id, :supporter_ids, :custom_fields, :query, :id)
+    end
  end
 end
--- a/app/models/custom_field_join.rb
+++ b/app/models/custom_field_join.rb
@ -2,11 +2,11 @@

 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 class CustomFieldJoin < ApplicationRecord
-  # TODO
-  # attr_accessible \
-  #   :supporter, :supporter_id,
-  #   :custom_field_master, :custom_field_master_id,
-  #   :value
+  # :supporter,
+  # :supporter_id,
+  # :custom_field_master,
+  # :custom_field_master_id,
+  # :value

  validates :custom_field_master, presence: true