Whitelist params for several settings for Rails 5

Rails 5 is a bit stricter and Spree's Config#set method doesn't work with a Parameters object.
2026-03-01 02:03:22 +00:00 · 2021-02-19 11:34:28 +11:00
parent c47902d932
commit 5b94049620
7 changed files with 163 additions and 4 deletions
--- a/app/controllers/admin/invoice_settings_controller.rb
+++ b/app/controllers/admin/invoice_settings_controller.rb
@@ -1,7 +1,7 @@
 module Admin
  class InvoiceSettingsController < Spree::Admin::BaseController
    def update
-      Spree::Config.set(params[:preferences])
+      Spree::Config.set(preferences_params.to_h)

      respond_to do |format|
        format.html {
@@ -9,5 +9,15 @@ module Admin
        }
      end
    end
+
+    private
+
+    def preferences_params
+      params.require(:preferences).permit(
+        :enable_invoices?,
+        :invoice_style2?,
+        :enable_receipt_printing?,
+      )
+    end
  end
 end
--- a/app/controllers/admin/matomo_settings_controller.rb
+++ b/app/controllers/admin/matomo_settings_controller.rb
@@ -1,7 +1,7 @@
 module Admin
  class MatomoSettingsController < Spree::Admin::BaseController
    def update
-      Spree::Config.set(params[:preferences])
+      Spree::Config.set(preferences_params.to_h)

      respond_to do |format|
        format.html {
@@ -9,5 +9,15 @@ module Admin
        }
      end
    end
+
+    private
+
+    def preferences_params
+      params.require(:preferences).permit(
+        :matomo_url,
+        :matomo_site_id,
+        :matomo_tag_manager_url,
+      )
+    end
  end
 end
--- a/app/controllers/admin/stripe_connect_settings_controller.rb
+++ b/app/controllers/admin/stripe_connect_settings_controller.rb
@@ -17,7 +17,7 @@ module Admin
    end

    def update
-      Spree::Config.set(params[:settings])
+      Spree::Config.set(settings_params.to_h)
      resource = t('admin.controllers.stripe_connect_settings.resource')
      flash[:success] = t(:successfully_updated, resource: resource)
      redirect_to_edit
@@ -37,5 +37,11 @@ module Admin
      key = Stripe.api_key
      key.first(8) + "****" + key.last(4)
    end
+
+    def settings_params
+      params.require(:settings).permit(
+        :stripe_connect_enabled,
+      )
+    end
  end
 end
--- a/app/controllers/spree/admin/tax_settings_controller.rb
+++ b/app/controllers/spree/admin/tax_settings_controller.rb
@@ -2,7 +2,7 @@ module Spree
  module Admin
    class TaxSettingsController < Spree::Admin::BaseController
      def update
-        Spree::Config.set(params[:preferences])
+        Spree::Config.set(preferences_params.to_h)

        respond_to do |format|
          format.html {
@@ -10,6 +10,16 @@ module Spree
          }
        end
      end
+
+      private
+
+      def preferences_params
+        params.require(:preferences).permit(
+          :products_require_tax_category,
+          :shipment_inc_vat,
+          :shipping_tax_rate,
+        )
+      end
    end
  end
 end
--- a/spec/controllers/admin/invoice_settings_controller_spec.rb
+++ b/spec/controllers/admin/invoice_settings_controller_spec.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Admin::InvoiceSettingsController, type: :controller do
+  describe "#update" do
+    let(:params) {
+      {
+        preferences: {
+          enable_invoices?: 0,
+          invoice_style2?: 1,
+          enable_receipt_printing?: 1,
+        }
+      }
+    }
+
+    before do
+      allow(controller).to receive(:spree_current_user) { create(:admin_user) }
+    end
+
+    it "disables invoices" do
+      expect {
+        post :update, params
+      }.to change {
+        Spree::Config[:enable_invoices?]
+      }.to(false)
+    end
+
+    it "changes the invoice style" do
+      expect {
+        post :update, params
+      }.to change {
+        Spree::Config[:invoice_style2?]
+      }.to(true)
+    end
+
+    it "disables receipt printing" do
+      expect {
+        post :update, params
+      }.to change {
+        Spree::Config[:enable_receipt_printing?]
+      }.to(true)
+    end
+  end
+end
--- a/spec/controllers/admin/matomo_settings_controller_spec.rb
+++ b/spec/controllers/admin/matomo_settings_controller_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Admin::MatomoSettingsController, type: :controller do
+  describe "#update" do
+    let(:params) {
+      {
+        preferences: {
+          matomo_url: "test url",
+          matomo_site_id: "42",
+          matomo_tag_manager_url: "test manager url",
+        }
+      }
+    }
+
+    before do
+      allow(controller).to receive(:spree_current_user) { create(:admin_user) }
+    end
+
+    it "changes Matomo settings" do
+      expect {
+        post :update, params
+      }.to change {
+        [
+          Spree::Config[:matomo_url],
+          Spree::Config[:matomo_site_id],
+          Spree::Config[:matomo_tag_manager_url],
+        ]
+      }.to(
+        [
+          "test url",
+          "42",
+          "test manager url",
+        ]
+      )
+    end
+  end
+end
--- a/spec/controllers/spree/admin/tax_settings_controller_spec.rb
+++ b/spec/controllers/spree/admin/tax_settings_controller_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Spree::Admin::TaxSettingsController, type: :controller do
+  describe "#update" do
+    let(:params) {
+      {
+        preferences: {
+          products_require_tax_category: "1",
+          shipment_inc_vat: "0",
+          shipping_tax_rate: "0.1",
+        }
+      }
+    }
+
+    before do
+      allow(controller).to receive(:spree_current_user) { create(:admin_user) }
+    end
+
+    it "changes Tax settings" do
+      expect {
+        spree_post :update, params
+      }.to change {
+        [
+          Spree::Config[:products_require_tax_category],
+          Spree::Config[:shipment_inc_vat],
+          Spree::Config[:shipping_tax_rate],
+        ]
+      }.to(
+        [
+          true,
+          false,
+          0.1,
+        ]
+      )
+    end
+  end
+end