Merge pull request #5038 from luisramos0/strong_params_prod

[Spree 2.1] Implement strong params in products, variants, variant_overrides and resource controllers
2026-01-26 20:56:48 +00:00 · 2020-03-25 18:35:58 +01:00
parent 95ba1fd02c 478f885b26
commit 0cc5cbd1d2
6 changed files with 73 additions and 4 deletions
--- a/app/controllers/admin/variant_overrides_controller.rb
+++ b/app/controllers/admin/variant_overrides_controller.rb
@@ -68,7 +68,7 @@ module Admin
    end

    def load_collection
-      collection_hash = Hash[params[:variant_overrides].each_with_index.map { |vo, i| [i, vo] }]
+      collection_hash = Hash[variant_overrides_params.each_with_index.map { |vo, i| [i, vo] }]
      @vo_set = VariantOverrideSet.new @variant_overrides, collection_attributes: collection_hash
    end

@@ -92,5 +92,15 @@ module Admin
      full_messages.each { |fm| errors.add(:base, fm) }
      errors
    end
+
+    def variant_overrides_params
+      params.require(:variant_overrides).map do |variant_override|
+        variant_override.permit(
+          :id, :variant_id, :hub_id,
+          :price, :count_on_hand, :sku, :on_demand,
+          :default_stock, :resettable, :tag_list
+        )
+      end
+    end
  end
 end
--- a/app/controllers/spree/admin/products_controller.rb
+++ b/app/controllers/spree/admin/products_controller.rb
@@ -160,10 +160,22 @@ module Spree
      private

      def product_set_from_params(params)
-        collection_hash = Hash[params[:products].each_with_index.map { |p, i| [i, p] }]
+        collection_hash = Hash[products_params.each_with_index.map { |p, i| [i, p] }]
        Spree::ProductSet.new(collection_attributes: collection_hash)
      end

+      def products_params
+        params.require(:products).map do |product|
+          product.permit(::PermittedAttributes::Product.attributes)
+        end
+      end
+
+      def permitted_resource_params
+        return params[:product] if params[:product].empty?
+
+        params.require(:product).permit(::PermittedAttributes::Product.attributes)
+      end
+
      def bulk_index_query(params)
        params[:filters].to_h.merge(page: params[:page], per_page: params[:per_page])
      end
--- a/app/controllers/spree/admin/resource_controller.rb
+++ b/app/controllers/spree/admin/resource_controller.rb
@@ -28,7 +28,7 @@ module Spree

      def update
        invoke_callbacks(:update, :before)
-        if @object.update_attributes(params[object_name])
+        if @object.update_attributes(permitted_resource_params)
          invoke_callbacks(:update, :after)
          flash[:success] = flash_message_for(@object, :successfully_updated)
          respond_with(@object) do |format|
@@ -43,7 +43,7 @@ module Spree

      def create
        invoke_callbacks(:create, :before)
-        @object.attributes = params[object_name]
+        @object.attributes = permitted_resource_params
        if @object.save
          invoke_callbacks(:create, :after)
          flash[:success] = flash_message_for(@object, :successfully_created)
@@ -251,6 +251,13 @@ module Spree
        end
      end

+      # Permit specific list of params
+      #
+      # Example: params.require(object_name).permit(:name)
+      def permitted_resource_params
+        raise "All extending controllers need to override the method permitted_resource_params"
+      end
+
      def collection_url(options = {})
        if parent_data.present?
          spree.polymorphic_url([:admin, parent, model_class], options)
--- a/app/controllers/spree/admin/variants_controller.rb
+++ b/app/controllers/spree/admin/variants_controller.rb
@@ -63,6 +63,14 @@ module Spree
                        end
        @collection
      end
+
+      def variant_params
+        params.require(:variant).permit(::PermittedAttributes::Variant.attributes)
+      end
+
+      def permitted_resource_params
+        variant_params
+      end
    end
  end
 end
--- a/app/services/permitted_attributes/product.rb
+++ b/app/services/permitted_attributes/product.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module PermittedAttributes
+  class Product
+    def self.attributes
+      [
+        :id, :name, :description, :supplier_id, :price, :cost_price, :permalink,
+        :variant_unit, :variant_unit_scale, :unit_value, :unit_description, :variant_unit_name,
+        :display_as, :sku, :available_on, :group_buy, :group_buy_unit_size,
+        :taxon_ids, :primary_taxon_id, :tax_category_id, :shipping_category_id,
+        :meta_keywords, :meta_description, :notes, :inherits_properties,
+        product_properties_attributes: [:id, :property_name, :value],
+        variants_attributes: [PermittedAttributes::Variant.attributes],
+        images_attributes: [:attachment]
+      ]
+    end
+  end
+end
--- a/app/services/permitted_attributes/variant.rb
+++ b/app/services/permitted_attributes/variant.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module PermittedAttributes
+  class Variant
+    def self.attributes
+      [
+        :id, :sku, :on_hand, :on_demand,
+        :cost_price, :price, :unit_value, :unit_description,
+        :display_name, :display_as,
+        :weight, :height, :width, :depth
+      ]
+    end
+  end
+end