From 254e11aa367c93eb0fb4296b1b717ccc341a0802 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Thu, 1 Aug 2024 11:53:50 +1000
Subject: [PATCH] Use whitelist

It wasn't really necessary, but I'm going to need this list in a moment, so we might as well use it. Also it allows us to ensure the options are listed in a certain order. Also maybe it will help protect against corrupt preferences.
---
 app/helpers/admin/enterprises_helper.rb | 5 +++++
 app/models/connected_app.rb | 2 ++
 app/views/admin/enterprises/form/_connected_apps.html.haml | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/helpers/admin/enterprises_helper.rb b/app/helpers/admin/enterprises_helper.rb
index db415bf3fc..67ed726282 100644
--- a/app/helpers/admin/enterprises_helper.rb
+++ b/app/helpers/admin/enterprises_helper.rb
@@ -39,6 +39,11 @@ module Admin
 )
 end
+ def connected_apps_enabled
+ connected_apps_enabled = Spree::Config.connected_apps_enabled&.split(',') || []
+ ConnectedApp::TYPES & connected_apps_enabled
+ end
+
 private
 def build_enterprise_side_menu_items(
diff --git a/app/models/connected_app.rb b/app/models/connected_app.rb
index 9c99ba7dcc..966df543b5 100644
--- a/app/models/connected_app.rb
+++ b/app/models/connected_app.rb
@@ -4,6 +4,8 @@
 #
 # Here we store keys and links to access the app.
 class ConnectedApp < ApplicationRecord
+ TYPES = ['discover_regen', 'affiliate_sales_data'].freeze
+
 belongs_to :enterprise
 after_destroy :disconnect
diff --git a/app/views/admin/enterprises/form/_connected_apps.html.haml b/app/views/admin/enterprises/form/_connected_apps.html.haml
index c4879001ff..f24c2b34d9 100644
--- a/app/views/admin/enterprises/form/_connected_apps.html.haml
+++ b/app/views/admin/enterprises/form/_connected_apps.html.haml
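Review bot: In `app/helpers/admin/enterprises_helper.rb`, `split(',')` keeps any whitespace around the entries, so a preference stored as `discover_regen, affiliate_sales_data` would lose its second entry in the intersection with `ConnectedApp::TYPES` without any error or log line. Stripping each entry first avoids that silent drop: `enabled = Spree::Config.connected_apps_enabled&.split(',')&.map(&:strip) || []`. The local variable also shadows the method's own name, which reads like a recursive call; a distinct name such as `enabled` is clearer. Whether the stored preference can contain spaces is not visible in this patch, so the first point is a hardening step rather than a confirmed bug.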
@@ -1,3 +1,3 @@
-- Spree::Config.connected_apps_enabled&.split(',')&.each do |type|
+- connected_apps_enabled.each do |type|
 = render partial: "/admin/enterprises/form/connected_apps/#{type}", locals: { enterprise:, connected_app: enterprise.connected_apps.public_send(type).first }
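Review bot: The unchanged `render` line still passes `type` to `public_send` and interpolates it into the partial path, so its safety now rests entirely on `connected_apps_enabled` returning only values from `ConnectedApp::TYPES`, and nothing in the view says so. A short HAML comment above the loop would keep a later edit from reading the preference directly again: `-# type is limited to ConnectedApp::TYPES by the connected_apps_enabled helper`. Each entry in `TYPES` presumably also needs a matching scope on the association and a partial of the same name; that is not visible in this patch and deserves a one-line comment next to the constant in `app/models/connected_app.rb`. Any other code that reads `Spree::Config.connected_apps_enabled` directly would bypass the allowlist and should be switched to the helper if it exists.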