From 8e070f55ffc56ede828f8ea49f042763733159ce Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Thu, 24 Feb 2022 14:46:42 +1100
Subject: [PATCH 1/2] Spec fail on bad enterprise param
It looks like some JS component can submit an invalid value here and it causes a server error.
---
 .../admin/enterprises_controller_spec.rb | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/spec/controllers/admin/enterprises_controller_spec.rb b/spec/controllers/admin/enterprises_controller_spec.rb
index 00bd934860..dbcfa16e2f 100644
--- a/spec/controllers/admin/enterprises_controller_spec.rb
+++ b/spec/controllers/admin/enterprises_controller_spec.rb
@@ -162,6 +162,30 @@ describe Admin::EnterprisesController, type: :controller do
 expect(distributor.users).to_not include user
 end
 
+ it "updates the contact for notifications" do
+ allow(controller).to receive_messages spree_current_user: distributor_manager
+ params = {
+ id: distributor,
+ receives_notifications: distributor_manager.id,
+ }
+
+ expect { spree_post :update, params }.
+ to change { distributor.contact }.to(distributor_manager)
+ end
+
+ it "updates the contact for notifications" do
+ pending "parameter sanitation: https://github.com/openfoodfoundation/openfoodnetwork/issues/8925"
+
+ allow(controller).to receive_messages spree_current_user: distributor_manager
+ params = {
+ id: distributor,
+ receives_notifications: "? object:null ?",
+ }
+
+ expect { spree_post :update, params }.
+ to_not change { distributor.contact }
+ end
+
 it "updates enterprise preferences" do
 allow(controller).to receive_messages spree_current_user: distributor_manager
 update_params = { id: distributor,
From 8ffe6f6052cf834e0b128c50470b44f06ca98819 Mon Sep 17 00:00:00 2001
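Review bot: The two examples added here carry the identical description `it "updates the contact for notifications"`, so a failure of the second one (the `"? object:null ?"` case) is reported under a name that describes the opposite outcome. Rename it to state what is expected, e.g. `it "ignores an invalid receives_notifications value" do`. The second patch in this series removes the `pending` line again, so that example then runs for real and the rename still applies. The enclosing `describe` block starts and ends outside the hunk.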
From: Maikel Linke
Date: Thu, 24 Feb 2022 14:51:23 +1100
Subject: [PATCH 2/2] Sanitise user_id param on enterprise update
---
 app/controllers/admin/enterprises_controller.rb | 6 ++++--
 spec/controllers/admin/enterprises_controller_spec.rb | 2 --
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/controllers/admin/enterprises_controller.rb b/app/controllers/admin/enterprises_controller.rb
index c2a9460447..c68cbdac7c 100644
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -234,8 +234,10 @@ module Admin
 end
 
 def update_enterprise_notifications
- if params.key? :receives_notifications
- @enterprise.update_contact params[:receives_notifications]
+ user_id = params[:receives_notifications].to_i
+
+ if user_id.positive? && @enterprise.user_ids.include?(user_id)
+ @enterprise.update_contact(user_id)
 end
 end
diff --git a/spec/controllers/admin/enterprises_controller_spec.rb b/spec/controllers/admin/enterprises_controller_spec.rb
index dbcfa16e2f..48a7b3d1a7 100644
--- a/spec/controllers/admin/enterprises_controller_spec.rb
+++ b/spec/controllers/admin/enterprises_controller_spec.rb
@@ -174,8 +174,6 @@ describe Admin::EnterprisesController, type: :controller do
 end
 
 it "updates the contact for notifications" do
- pending "parameter sanitation: https://github.com/openfoodfoundation/openfoodnetwork/issues/8925"
-
 allow(controller).to receive_messages spree_current_user: distributor_manager
 params = {
 id: distributor,
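Review bot: `params[:receives_notifications].to_i` in the new `update_enterprise_notifications` body only copes with scalar values; if a client submits the parameter in array or nested form, `params[...]` yields an `Array` or `ActionController::Parameters`, neither of which responds to `to_i`, so that request still ends in a server error instead of being ignored, and `to_i` is also lenient enough to read `"12abc"` as 12. A strict parse covers both: `user_id = Integer(params[:receives_notifications].to_s, 10, exception: false)` followed by `if user_id&.positive? && @enterprise.user_ids.include?(user_id)`. The membership test against the enterprise's own users is the right boundary to keep, and `@enterprise.users.exists?(user_id)` would check it without loading every id. A one-line comment above the `if`, such as `# Unknown or malformed user ids are deliberately ignored rather than rejected`, would make the silent fall-through read as intentional.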