From b16b7d7b58d47097c9dd996736524dfc6c617cd7 Mon Sep 17 00:00:00 2001
From: Luis Castro
Date: Tue, 6 Aug 2019 16:06:02 +0200
Subject: [PATCH] feat(donations): add strong params

---
 .../nonprofits/donations_controller.rb | 22 +++++++-----
 app/models/donation.rb                 | 36 +++++++++----------
 2 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/app/controllers/nonprofits/donations_controller.rb b/app/controllers/nonprofits/donations_controller.rb
index 99b9cf27..79b34459 100644
--- a/app/controllers/nonprofits/donations_controller.rb
+++ b/app/controllers/nonprofits/donations_controller.rb
@@ -16,10 +16,10 @@ module Nonprofits
     # post /nonprofits/:nonprofit_id/donations
     def create
       if params[:token]
-        params[:donation][:token] = params[:token]
-        render_json { InsertDonation.with_stripe(params[:donation], current_user) }
+        donations_params[:token] = params[:token]
+        render_json { InsertDonation.with_stripe(donations_params, current_user) }
       elsif params[:direct_debit_detail_id]
-        render JsonResp.new(params[:donation]) do |_data|
+        render JsonResp.new(donations_params) do |_data|
           requires(:amount).as_int
           requires(:supporter_id, :nonprofit_id)
           # TODO
@@ -35,7 +35,7 @@ module Nonprofits
 
     # post /nonprofits/:nonprofit_id/donations/create_offsite
     def create_offsite
-      render JsonResp.new(params[:donation]) do |_data|
+      render JsonResp.new(donations_params) do |_data|
         requires(:amount).as_int.min(1)
         requires(:supporter_id, :nonprofit_id).as_int
         optional(:dedication, :designation).as_string
@@ -49,7 +49,7 @@ module Nonprofits
     end
 
     def update
-      render_json { UpdateDonation.update_payment(params[:id], params[:donation]) }
+      render_json { UpdateDonation.update_payment(params[:id], donations_params) }
     end
 
     # put /nonprofits/:nonprofit_id/donations/:id
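Review bot: In `create`, the new line `donations_params[:token] = params[:token]` writes into a throwaway object: `donations_params` builds a fresh `ActionController::Parameters` on every call (see the helper added at the end of this file), so the `donations_params` handed to `InsertDonation.with_stripe` on the following line is a new copy that no longer carries `:token`. The old code mutated the shared `params[:donation]` hash, which is why it worked; with the helper the token is silently dropped, and `:token` is not in the permit list either, so it would not survive permitting on its own. Either memoize the helper (`@donations_params ||= params.require(:donation).permit(...)`) or merge at the call site: `render_json { InsertDonation.with_stripe(donations_params.merge(token: params[:token]), current_user) }`. The reads in the `create_offsite` and `update` hunks below are unaffected.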
@@ -57,15 +57,15 @@ module Nonprofits
     def followup
       nonprofit = Nonprofit.find(params[:nonprofit_id])
       donation = nonprofit.donations.find(params[:id])
-      json_saved UpdateDonation.from_followup(donation, params[:donation])
+      json_saved UpdateDonation.from_followup(donation, donations_params)
     end
 
     # this is a special, weird case
     private
 
     def current_campaign
-      if !@campaign && params[:donation] && params[:donation][:campaign_id]
-        @campaign = Campaign.where('id = ? ', params[:donation][:campaign_id]).first
+      if !@campaign && donations_params && donations_params[:campaign_id]
+        @campaign = Campaign.where('id = ? ', donations_params[:campaign_id]).first
       end
       @campaign
     end
@@ -79,5 +79,11 @@ module Nonprofits
         block_with_sign_in 'You need to be a campaign editor to do that.'
       end
     end
+
+    private
+
+    def donations_params
+      params.require(:donation).permit(:date, :amount, :recurring, :anonymous, :email, :designation, :dedication, :comment, :origin_url, :nonprofit_id, :card_id, :supporter_id, :profile_id, :campaign_id, :payment_id, :event_id, :direct_debit_detail_id, :payment_provider)
+    end
   end
 end
diff --git a/app/models/donation.rb b/app/models/donation.rb
index d5b77719..501e2d86 100644
--- a/app/models/donation.rb
+++ b/app/models/donation.rb
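Review bot: In `current_campaign`, the new guard `donations_params && donations_params[:campaign_id]` cannot do what the old `params[:donation] &&` did: `donations_params` calls `params.require(:donation)`, which raises `ActionController::ParameterMissing` (a 400 response) when the request has no `donation` key instead of returning nil, so the `&&` never short-circuits. If `current_campaign` is reached through `current_campaign_editor?` on a request that posts no donation body, that request now fails before the editor check runs; I cannot see from the hunk which actions are wired to it, so please confirm. Keep the nil-tolerant form: `if !@campaign && params[:donation].present? && donations_params[:campaign_id]`.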
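Review bot: The `private` marker added in the last hunk is redundant: the class already opens a `private` section before `current_campaign` (visible in the preceding hunk), so `donations_params` is private without it; drop the extra marker or place the method under the existing section. The one-line permit list is also hard to review; a frozen constant such as `DONATION_PARAMS = %i[date amount recurring ... payment_provider].freeze` with `params.require(:donation).permit(*DONATION_PARAMS)` makes the surface explicit. Worth a comment on the helper that permitting is input filtering, not authorization: `:nonprofit_id`, `:supporter_id`, `:card_id` and `:payment_id` are still client-supplied, so callers must keep scoping them to the route's nonprofit the way `followup` does with `nonprofit.donations.find`.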
@@ -2,25 +2,23 @@
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 
 class Donation < ApplicationRecord
-  # TODO
-  # attr_accessible \
-  # :date, # datetime (when this donation was made)
-  # :amount, # int (in cents)
-  # :recurring, # bool
-  # :anonymous, # bool
-  # :email, # str (cached email of the donor)
-  # :designation, # text
-  # :dedication, # text
-  # :comment, # text
-  # :origin_url, # text
-  # :nonprofit_id, :nonprofit,
-  # :card_id, :card, # Card with which any charges were made
-  # :supporter_id, :supporter,
-  # :profile_id, :profile,
-  # :campaign_id, :campaign,
-  # :payment_id, :payment,
-  # :event_id, :event,
-  # :direct_debit_detail_id, :direct_debit_detail,
+  # :date, # datetime (when this donation was made)
+  # :amount, # int (in cents)
+  # :recurring, # bool
+  # :anonymous, # bool
+  # :email, # str (cached email of the donor)
+  # :designation, # text
+  # :dedication, # text
+  # :comment, # text
+  # :origin_url, # text
+  # :nonprofit_id, :nonprofit,
+  # :card_id, :card, # Card with which any charges were made
+  # :supporter_id, :supporter,
+  # :profile_id, :profile,
+  # :campaign_id, :campaign,
+  # :payment_id, :payment,
+  # :event_id, :event,
+  # :direct_debit_detail_id, :direct_debit_detail,
   # :payment_provider
 
   validates :amount, presence: true, numericality: { only_integer: true }