From c110f4832d575248620388eb6d8af335da996beb Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Sun, 23 Feb 2020 12:49:39 +0000 Subject: [PATCH 01/12] Handle strong params in spree/admin/products_controller --- app/controllers/spree/admin/products_controller.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/app/controllers/spree/admin/products_controller.rb b/app/controllers/spree/admin/products_controller.rb index 0b18072869..ae085d2b11 100644 --- a/app/controllers/spree/admin/products_controller.rb +++ b/app/controllers/spree/admin/products_controller.rb @@ -160,10 +160,16 @@ module Spree private def product_set_from_params(params) - collection_hash = Hash[params[:products].each_with_index.map { |p, i| [i, p] }] + collection_hash = Hash[products_params.each_with_index.map { |p, i| [i, p] }] Spree::ProductSet.new(collection_attributes: collection_hash) end + def products_params + params.require(:products).map do |product| + ActionController::Parameters.new(product.to_hash).permit(:id, :name) + end + end + def bulk_index_query(params) params[:filters].to_h.merge(page: params[:page], per_page: params[:per_page]) end From 5b37e8973817a4407ba3c64857667e5089ca8f23 Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Sun, 23 Feb 2020 16:11:42 +0000 Subject: [PATCH 02/12] Handle strong params in variant_overrides_controller We use a simpler way to permit on array within params here and change products_controller to the same style --- app/controllers/admin/variant_overrides_controller.rb | 8 +++++++- app/controllers/spree/admin/products_controller.rb | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/app/controllers/admin/variant_overrides_controller.rb b/app/controllers/admin/variant_overrides_controller.rb index 41c95a4451..adeb8747e5 100644 --- a/app/controllers/admin/variant_overrides_controller.rb +++ b/app/controllers/admin/variant_overrides_controller.rb 
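Review bot: `product_set_from_params(params)` keeps its `params` argument, but after this change nothing in its body reads it — the new `products_params` goes straight to the controller-level `params`. If the caller (outside this hunk) ever passes anything other than the request params, the permit filter now runs on a different object than the one the method was given, and the dead argument misleads the next reader either way. Either drop the argument or thread it through, e.g. `def products_params(source = params)`, `source.require(:products).map do |product|`, and call `products_params(params)` from `product_set_from_params`.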
@@ -68,7 +68,7 @@ module Admin end def load_collection - collection_hash = Hash[params[:variant_overrides].each_with_index.map { |vo, i| [i, vo] }] + collection_hash = Hash[variant_overrides_params.each_with_index.map { |vo, i| [i, vo] }] @vo_set = VariantOverrideSet.new @variant_overrides, collection_attributes: collection_hash end @@ -92,5 +92,11 @@ module Admin full_messages.each { |fm| errors.add(:base, fm) } errors end + + def variant_overrides_params + params.require(:variant_overrides).map do |variant_override| + variant_override.permit(:id, :price, :count_on_hand, :sku, :on_demand) + end + end end end diff --git a/app/controllers/spree/admin/products_controller.rb b/app/controllers/spree/admin/products_controller.rb index ae085d2b11..5bd268ab27 100644 --- a/app/controllers/spree/admin/products_controller.rb +++ b/app/controllers/spree/admin/products_controller.rb @@ -166,7 +166,7 @@ module Spree def products_params params.require(:products).map do |product| - ActionController::Parameters.new(product.to_hash).permit(:id, :name) + product.permit(:id, :name) end end From 0151b5ee9a70d1bca6f5f81da22e2bc232fa08e0 Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Tue, 25 Feb 2020 19:49:34 +0000 Subject: [PATCH 03/12] Permit extra needed params in variant overrides controller --- app/controllers/admin/variant_overrides_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/admin/variant_overrides_controller.rb b/app/controllers/admin/variant_overrides_controller.rb index adeb8747e5..0ad742ddbf 100644 --- a/app/controllers/admin/variant_overrides_controller.rb +++ b/app/controllers/admin/variant_overrides_controller.rb @@ -95,7 +95,7 @@ module Admin def variant_overrides_params params.require(:variant_overrides).map do |variant_override| - variant_override.permit(:id, :price, :count_on_hand, :sku, :on_demand) + variant_override.permit(:id, :price, :count_on_hand, :sku, :on_demand, :variant_id, :hub_id) end end end 
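Review bot: Adding `:variant_id` and `:hub_id` to the per-override permit list in `variant_overrides_params` means a submitted override can be created for, or an existing one re-pointed at, whichever hub or variant the client names, so the strong-params filter alone no longer bounds what a request can touch. `load_collection` builds the set from `@variant_overrides`, which is loaded outside these hunks, and whether `VariantOverrideSet` checks that a supplied `hub_id` belongs to a hub the current user manages is not visible here; please confirm that check exists in the set or model before these keys are permitted. A comment on the method would keep that invariant visible, e.g. `# hub_id/variant_id are client-supplied; the hub must be authorised before the set is saved`.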
From 7320b38b93d5cb09dc0df323b36a8648d22fcc0c Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Thu, 5 Mar 2020 16:05:33 +0000 Subject: [PATCH 04/12] Add missing attributes to variant override controller --- app/controllers/admin/variant_overrides_controller.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app/controllers/admin/variant_overrides_controller.rb b/app/controllers/admin/variant_overrides_controller.rb index 0ad742ddbf..bfb58a1ed7 100644 --- a/app/controllers/admin/variant_overrides_controller.rb +++ b/app/controllers/admin/variant_overrides_controller.rb @@ -95,7 +95,11 @@ module Admin def variant_overrides_params params.require(:variant_overrides).map do |variant_override| - variant_override.permit(:id, :price, :count_on_hand, :sku, :on_demand, :variant_id, :hub_id) + variant_override.permit( + :id, :variant_id, :hub_id, + :price, :count_on_hand, :sku, :on_demand, + :default_stock, :resettable + ) end end end From a261ae118dc9ea2b1f7bb310d52d4d8908f997db Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Fri, 6 Mar 2020 15:17:50 +0000 Subject: [PATCH 05/12] Add missing permitted attributes to variant overrides controller --- app/controllers/admin/variant_overrides_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/admin/variant_overrides_controller.rb b/app/controllers/admin/variant_overrides_controller.rb index bfb58a1ed7..3530b3648f 100644 --- a/app/controllers/admin/variant_overrides_controller.rb +++ b/app/controllers/admin/variant_overrides_controller.rb @@ -98,7 +98,7 @@ module Admin variant_override.permit( :id, :variant_id, :hub_id, :price, :count_on_hand, :sku, :on_demand, - :default_stock, :resettable + :default_stock, :resettable, :tag_list ) end end From b5cdcdf8cb446ea082363901bd7c7157594db7e6 Mon Sep 17 00:00:00 2001 
From: Luis Ramos Date: Tue, 25 Feb 2020 17:44:07 +0000 Subject: [PATCH 06/12] Permit specific params in products controller --- .../spree/admin/products_controller.rb | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/app/controllers/spree/admin/products_controller.rb b/app/controllers/spree/admin/products_controller.rb index 5bd268ab27..a799336761 100644 --- a/app/controllers/spree/admin/products_controller.rb +++ b/app/controllers/spree/admin/products_controller.rb @@ -166,10 +166,26 @@ module Spree def products_params params.require(:products).map do |product| - product.permit(:id, :name) + product.permit(permitted_product_attributes) end end + def permitted_resource_params + params.require(:product).permit(permitted_product_attributes) + end + + def permitted_product_attributes + [ + :id, :name, :description, :supplier_id, :price, :permalink, + :variant_unit, :variant_unit_scale, :unit_value, :unit_description, + :display_as, :variant_unit_name, + :taxon_ids, :primary_taxon_id, :tax_category_id, :shipping_category_id, + :group_buy, :group_buy_unit_size, + :meta_keywords, :meta_description, :notes, + :inherits_properties, product_properties_attributes: [:id, :property_name, :value] + ] + end + def bulk_index_query(params) params[:filters].to_h.merge(page: params[:page], per_page: params[:per_page]) end From 36389b7bed1f134574c4c0142e4e06c9793fe83e Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Mon, 2 Mar 2020 14:04:53 +0000 Subject: [PATCH 07/12] Add missing permitted attributes to bulk_product_update controller --- app/controllers/spree/admin/products_controller.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/app/controllers/spree/admin/products_controller.rb b/app/controllers/spree/admin/products_controller.rb index a799336761..56d0b22902 100644 --- a/app/controllers/spree/admin/products_controller.rb +++ b/app/controllers/spree/admin/products_controller.rb 
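Review bot: `permitted_product_attributes` is shared between the bulk `products_params`, where `:id` is needed to match rows, and the single-resource `permitted_resource_params`, so `:id` is now also permitted on a plain `update_attributes` of the product already identified by the URL; unless the model guards `id=`, a client can reassign the record's primary key. Keep `:id` out of the top-level filter, e.g. `params.require(:product).permit(permitted_product_attributes - [:id])`; the same applies once patch 11 moves this list into `PermittedAttributes::Product`, and to `PermittedAttributes::Variant.attributes` (which also carries `:id`) when patch 11 makes it the top-level `variant_params` in the variants controller. Separately, `:taxon_ids` as a bare symbol permits only a scalar value, so if the product form posts it as a multi-select array it is filtered out (only logged, depending on `action_on_unpermitted_parameters`); an array of ids is declared as `taxon_ids: []`.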
@@ -178,11 +178,13 @@ module Spree [ :id, :name, :description, :supplier_id, :price, :permalink, :variant_unit, :variant_unit_scale, :unit_value, :unit_description, - :display_as, :variant_unit_name, + :display_as, :variant_unit_name, :sku, :available_on, :taxon_ids, :primary_taxon_id, :tax_category_id, :shipping_category_id, :group_buy, :group_buy_unit_size, :meta_keywords, :meta_description, :notes, - :inherits_properties, product_properties_attributes: [:id, :property_name, :value] + :inherits_properties, + product_properties_attributes: [:id, :property_name, :value], + variants_attributes: [:id, :sku, :on_hand, :price, :unit_value, :unit_description, :display_name, :display_as] ] end From 527f6cb624bd59ff46c137e22edcecee9eca9599 Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Tue, 3 Mar 2020 18:22:48 +0000 Subject: [PATCH 08/12] Add necessary attributes to admin/products_controller and handle empty params case --- app/controllers/spree/admin/products_controller.rb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/app/controllers/spree/admin/products_controller.rb b/app/controllers/spree/admin/products_controller.rb index 56d0b22902..1856aeac2a 100644 --- a/app/controllers/spree/admin/products_controller.rb +++ b/app/controllers/spree/admin/products_controller.rb @@ -171,12 +171,14 @@ module Spree end def permitted_resource_params + return params[:product] if params[:product].empty? + params.require(:product).permit(permitted_product_attributes) end def permitted_product_attributes [ - :id, :name, :description, :supplier_id, :price, :permalink, + :id, :name, :description, :supplier_id, :price, :cost_price, :permalink, :variant_unit, :variant_unit_scale, :unit_value, :unit_description, :display_as, :variant_unit_name, :sku, :available_on, :taxon_ids, :primary_taxon_id, :tax_category_id, :shipping_category_id, 
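Review bot: `return params[:product] if params[:product].empty?` raises `NoMethodError` when the `product` key is absent altogether, so a request that `require` would have answered with a 400 `ParameterMissing` now becomes a 500; and when the key is present but empty, the method returns the raw, unpermitted `Parameters` object from a hook whose contract is to return permitted params — this appears to work only because `assign_attributes` returns early on empty input. `return {} if params[:product].blank?` covers both cases without relying on that detail. A one-line comment explaining which form legitimately submits an empty product hash (that caller is not visible here) would also help; note the `permitted_product_attributes` list continues past the end of this hunk.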
@@ -184,7 +186,8 @@ module Spree :meta_keywords, :meta_description, :notes, :inherits_properties, product_properties_attributes: [:id, :property_name, :value], - variants_attributes: [:id, :sku, :on_hand, :price, :unit_value, :unit_description, :display_name, :display_as] + variants_attributes: [:id, :sku, :on_hand, :price, :unit_value, :unit_description, :display_name, :display_as], + images_attributes: [:attachment] ] end From 49a252230594525848a9e1777fc7a025f346f1df Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Tue, 25 Feb 2020 18:46:23 +0000 Subject: [PATCH 09/12] Permit specific params in variants controller --- app/controllers/spree/admin/variants_controller.rb | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/app/controllers/spree/admin/variants_controller.rb b/app/controllers/spree/admin/variants_controller.rb index 0045ef591c..11feb4b4c3 100644 --- a/app/controllers/spree/admin/variants_controller.rb +++ b/app/controllers/spree/admin/variants_controller.rb @@ -63,6 +63,19 @@ module Spree end @collection end + + def variant_params + params.require(:variant).permit( + :display_name, :display_as, :unit_value, :unit_description, + :sku, :price, :cost_price, + :weight, :height, :width, :depth, + :on_demand, :on_hand + ) + end + + def permitted_resource_params + variant_params + end end end end From 58a2805bc9216701bd8db8720eadfa1ffceff7b0 Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Tue, 25 Feb 2020 15:23:49 +0000 Subject: [PATCH 10/12] Make resource controller raise error if permitted_resource_params is not overriden --- app/controllers/spree/admin/resource_controller.rb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/app/controllers/spree/admin/resource_controller.rb b/app/controllers/spree/admin/resource_controller.rb index d1ce6e8b27..8b7c0cde12 100644 --- a/app/controllers/spree/admin/resource_controller.rb +++ b/app/controllers/spree/admin/resource_controller.rb 
@@ -28,7 +28,7 @@ module Spree def update invoke_callbacks(:update, :before) - if @object.update_attributes(params[object_name]) + if @object.update_attributes(permitted_resource_params) invoke_callbacks(:update, :after) flash[:success] = flash_message_for(@object, :successfully_updated) respond_with(@object) do |format| @@ -43,7 +43,7 @@ module Spree def create invoke_callbacks(:create, :before) - @object.attributes = params[object_name] + @object.attributes = permitted_resource_params if @object.save invoke_callbacks(:create, :after) flash[:success] = flash_message_for(@object, :successfully_created) @@ -251,6 +251,13 @@ module Spree end end + # Permit specific list of params + # + # Example: params.require(object_name).permit(:name) + def permitted_resource_params + raise "All extending controllers need to override the method permitted_resource_params" + end + def collection_url(options = {}) if parent_data.present? spree.polymorphic_url([:admin, parent, model_class], options) From 244499a27d6345c02b27912165fad8632e394734 Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Sat, 21 Mar 2020 19:30:03 +0000 Subject: [PATCH 11/12] Extract permitted atttributes to specific classes --- .../spree/admin/products_controller.rb | 19 ++----------------- .../spree/admin/variants_controller.rb | 7 +------ app/services/permitted_attributes/product.rb | 18 ++++++++++++++++++ app/services/permitted_attributes/variant.rb | 14 ++++++++++++++ 4 files changed, 35 insertions(+), 23 deletions(-) create mode 100644 app/services/permitted_attributes/product.rb create mode 100644 app/services/permitted_attributes/variant.rb diff --git a/app/controllers/spree/admin/products_controller.rb b/app/controllers/spree/admin/products_controller.rb index 1856aeac2a..fe727ac77e 100644 --- a/app/controllers/spree/admin/products_controller.rb +++ b/app/controllers/spree/admin/products_controller.rb 
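Review bot: The abstract `permitted_resource_params` raises a bare `RuntimeError` at request time, so any other `ResourceController` subclass this series does not update (only products and variants are overridden in the diff; other subclasses, if any, are outside it) keeps working until its first `create` or `update` and then fails with a generic message. `NotImplementedError` is the conventional marker for an unimplemented hook, and naming the class makes the failure easy to locate: `raise NotImplementedError, "#{self.class.name} must override permitted_resource_params"`. The comment above it could state the contract rather than only an example, e.g. `# Subclasses must return params already filtered with permit; update/create pass the result straight to mass assignment`. `collection_url` below continues outside the hunk.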
@@ -166,29 +166,14 @@ module Spree def products_params params.require(:products).map do |product| - product.permit(permitted_product_attributes) + product.permit(::PermittedAttributes::Product.attributes) end end def permitted_resource_params return params[:product] if params[:product].empty? - params.require(:product).permit(permitted_product_attributes) - end - - def permitted_product_attributes - [ - :id, :name, :description, :supplier_id, :price, :cost_price, :permalink, - :variant_unit, :variant_unit_scale, :unit_value, :unit_description, - :display_as, :variant_unit_name, :sku, :available_on, - :taxon_ids, :primary_taxon_id, :tax_category_id, :shipping_category_id, - :group_buy, :group_buy_unit_size, - :meta_keywords, :meta_description, :notes, - :inherits_properties, - product_properties_attributes: [:id, :property_name, :value], - variants_attributes: [:id, :sku, :on_hand, :price, :unit_value, :unit_description, :display_name, :display_as], - images_attributes: [:attachment] - ] + params.require(:product).permit(::PermittedAttributes::Product.attributes) end def bulk_index_query(params) diff --git a/app/controllers/spree/admin/variants_controller.rb b/app/controllers/spree/admin/variants_controller.rb index 11feb4b4c3..fc66683906 100644 --- a/app/controllers/spree/admin/variants_controller.rb +++ b/app/controllers/spree/admin/variants_controller.rb @@ -65,12 +65,7 @@ module Spree end def variant_params - params.require(:variant).permit( - :display_name, :display_as, :unit_value, :unit_description, - :sku, :price, :cost_price, - :weight, :height, :width, :depth, - :on_demand, :on_hand - ) + params.require(:variant).permit(PermittedAttributes::Variant.attributes) end def permitted_resource_params diff --git a/app/services/permitted_attributes/product.rb b/app/services/permitted_attributes/product.rb new file mode 100644 index 0000000000..13ff8d56ef --- /dev/null +++ b/app/services/permitted_attributes/product.rb 
@@ -0,0 +1,18 @@ +# frozen_string_literal: true + +module PermittedAttributes + class Product + def self.attributes + [ + :id, :name, :description, :supplier_id, :price, :cost_price, :permalink, + :variant_unit, :variant_unit_scale, :unit_value, :unit_description, :variant_unit_name, + :display_as, :sku, :available_on, :group_buy, :group_buy_unit_size, + :taxon_ids, :primary_taxon_id, :tax_category_id, :shipping_category_id, + :meta_keywords, :meta_description, :notes, :inherits_properties, + product_properties_attributes: [:id, :property_name, :value], + variants_attributes: [PermittedAttributes::Variant.attributes], + images_attributes: [:attachment] + ] + end + end +end diff --git a/app/services/permitted_attributes/variant.rb b/app/services/permitted_attributes/variant.rb new file mode 100644 index 0000000000..a04928af0d --- /dev/null +++ b/app/services/permitted_attributes/variant.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +module PermittedAttributes + class Variant + def self.attributes + [ + :id, :sku, :on_hand, :on_demand, + :cost_price, :price, :unit_value, :unit_description, + :display_name, :display_as, + :weight, :height, :width, :depth + ] + end + end +end From 478f885b26b9072518f50476d66a8e7f5922ae18 Mon Sep 17 00:00:00 2001 From: Luis Ramos Date: Sat, 21 Mar 2020 22:35:12 +0000 Subject: [PATCH 12/12] Fix problem in PermittedAttributes::Variant namespace --- app/controllers/spree/admin/variants_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/spree/admin/variants_controller.rb b/app/controllers/spree/admin/variants_controller.rb index fc66683906..b4e4ff5f55 100644 --- a/app/controllers/spree/admin/variants_controller.rb +++ b/app/controllers/spree/admin/variants_controller.rb 
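Review bot: `variants_attributes: [PermittedAttributes::Variant.attributes]` wraps an array in another array; `permit` flattens its filters so this still works, but it reads as though a single nested element were being declared, and `variants_attributes: PermittedAttributes::Variant.attributes` says what is meant. Since `PermittedAttributes::Product.attributes` is now the single source of what an admin request may mass-assign to a product, including nested variants and images, a class-level comment stating that would make later additions more deliberate, e.g. `# Attributes an admin request may mass-assign to a Spree::Product, including nested variants and images; used by both the single and bulk product update paths`.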
@@ -65,7 +65,7 @@ module Spree end def variant_params - params.require(:variant).permit(PermittedAttributes::Variant.attributes) + params.require(:variant).permit(::PermittedAttributes::Variant.attributes) end def permitted_resource_params