From 65bd361b3f048d50710f3ef7a1b9689d4b57f535 Mon Sep 17 00:00:00 2001
From: Luis Castro
Date: Tue, 6 Aug 2019 14:49:08 +0200
Subject: [PATCH] feat(custom_field_join): add strong params
Using permit with a limited list of params
---
.../custom_field_joins_controller.rb | 22 ++++++++++++-------
app/models/custom_field_join.rb | 10 ++++-----
2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/app/controllers/nonprofits/custom_field_joins_controller.rb b/app/controllers/nonprofits/custom_field_joins_controller.rb
index 1cf26ea8..22b4a943 100644
--- a/app/controllers/nonprofits/custom_field_joins_controller.rb
+++ b/app/controllers/nonprofits/custom_field_joins_controller.rb
@@ -8,7 +8,7 @@ module Nonprofits
 def index
 @custom_field_joins = current_nonprofit
- .supporters.find(params[:supporter_id])
+ .supporters.find(custom_field_params[:supporter_id])
 .custom_field_joins
 .order('created_at DESC')
 end
@@ -16,24 +16,30 @@ module Nonprofits
 # used for modify a single supporter's custom fields or a group of
 # selected supporters' CFs or all supporters' CFs
 def modify
- if params[:custom_fields].blank? || params[:custom_fields].empty?
+ if custom_field_params[:custom_fields].blank? || custom_field_params[:custom_fields].empty?
 render json: {}
 return
 end
- if params[:selecting_all]
- supporter_ids = QuerySupporters.full_filter_expr(current_nonprofit.id, params[:query]).select('supporters.id').execute.map { |h| h['id'] }
+ if custom_field_params[:selecting_all]
+ supporter_ids = QuerySupporters.full_filter_expr(current_nonprofit.id, custom_field_params[:query]).select('supporters.id').execute.map { |h| h['id'] }
 else
- supporter_ids = params[:supporter_ids]. map(&:to_i)
+ supporter_ids = custom_field_params[:supporter_ids]. map(&:to_i)
 end
- render InsertCustomFieldJoins.in_bulk(current_nonprofit.id, supporter_ids, params[:custom_fields])
+ render InsertCustomFieldJoins.in_bulk(current_nonprofit.id, supporter_ids, custom_field_params[:custom_fields])
 end
 def destroy
- supporter = current_nonprofit.supporters.find(params[:supporter_id])
- supporter.custom_field_joins.find(params[:id]).destroy
+ supporter = current_nonprofit.supporters.find(custom_field_params[:supporter_id])
+ supporter.custom_field_joins.find(custom_field_params[:id]).destroy
 render json: {}, status: :ok
 end
+
+ private
+
+ def custom_field_params
+ params.permit(:selecting_all, :supporter_id, :supporter_ids, :custom_fields, :query, :id)
+ end
 end
 end
diff --git a/app/models/custom_field_join.rb b/app/models/custom_field_join.rb
index fcd27739..e304c262 100644
--- a/app/models/custom_field_join.rb
+++ b/app/models/custom_field_join.rb
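Review bot: The new `custom_field_params` permits every key as a scalar, but `supporter_ids` is iterated with `.map(&:to_i)` in `modify`, and `custom_fields` and `query` are handed to `InsertCustomFieldJoins.in_bulk` and `QuerySupporters.full_filter_expr` and presumably arrive as an array and a hash; strong parameters drop non-scalar values from a scalar `permit`, so `custom_field_params[:supporter_ids]` becomes `nil` (raising on `.map`) and `custom_field_params[:custom_fields]` becomes `nil` (so `modify` answers `{}` without writing anything), silently in production where `action_on_unpermitted_parameters` is off by default. Declare the shapes, e.g. `params.permit(:selecting_all, :supporter_id, :id, supporter_ids: [], custom_fields: [:custom_field_master_id, :value], query: {})`, checking the `custom_fields` element keys against what `in_bulk` actually reads (the names are inferred from the attribute list the model hunk keeps) — a fully open `custom_fields: {}` would defeat the point of the change, and `query: {}` leaves whatever filtering `full_filter_expr` already does as the only validation of that input. Pre-existing but now on the changed lines: `if custom_field_params[:selecting_all]` is true for the string `"false"`, so a client posting `selecting_all=false` updates every supporter matched by `query`; `ActiveModel::Type::Boolean.new.cast(custom_field_params[:selecting_all])` closes that. Memoizing the helper (`@custom_field_params ||= params.permit(...)`) also avoids re-running the filter on each of its several calls per request.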
@@ -2,11 +2,11 @@
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 class CustomFieldJoin < ApplicationRecord
- # TODO
- # attr_accessible \
- # :supporter, :supporter_id,
- # :custom_field_master, :custom_field_master_id,
- # :value
+ # :supporter,
+ # :supporter_id,
+ # :custom_field_master,
+ # :custom_field_master_id,
+ # :value
 validates :custom_field_master, presence: true