Fix ForbiddenAttribute errors for bulk update of enterprise fees and order cycles

Example error: As an administrator I want to manage simple order cycles updating many order cycle opening/closing times at once Failure/Error: raise ActiveModel::ForbiddenAttributesError, params.to_s ActiveModel::ForbiddenAttributesError: {"order_cycle_set"=>{"collection_attributes"=>{"0"=>{"id"=>62, "name"=>"Updated Order Cycle 1", "orders_open_at"=>"2040-12-01 12:00:00", "orders_close_at"=>"2040-12-01 12:00:01"}, "1"=>{"id"=>63, "name"=>"Updated Order Cycle 2", "orders_open_at"=>"2040-12-01 12:00:02", "orders_close_at"=>"2040-12-01 12:00:03"}, "2"=>{"id"=>64, "name"=>"Updated Order Cycle 3", "orders_open_at"=>"2040-12-01 12:00:04", "orders_close_at"=>"2040-12-01 12:00:05"}}}, "controller"=>"admin/order_cycles", "action"=>"bulk_update", "format"=>"json", "order_cycle"=>{}} # ./app/controllers/application_controller.rb:20:in `print_params' # ./lib/open_food_network/rack_request_blocker.rb:36:in `call' # ------------------ # --- Caused by: --- # ActiveModel::ForbiddenAttributesError: # ActiveModel::ForbiddenAttributesError # ./app/models/model_set.rb:29:in `block in collection_attributes='
2026-02-17 00:07:24 +00:00 · 2020-11-07 18:00:23 +00:00
parent 642a294844
commit 787f29105c
3 changed files with 29 additions and 6 deletions
--- a/app/controllers/admin/enterprise_fees_controller.rb
+++ b/app/controllers/admin/enterprise_fees_controller.rb
@@ -27,7 +27,7 @@ module Admin
    end

    def bulk_update
-      @enterprise_fee_set = EnterpriseFeeSet.new(params[:enterprise_fee_set])
+      @enterprise_fee_set = EnterpriseFeeSet.new(enterprise_fee_bulk_params)

      if @enterprise_fee_set.save
        redirect_to redirect_path, notice: I18n.t(:enterprise_fees_update_notice)
@@ -78,5 +78,15 @@ module Admin

      main_app.admin_enterprise_fees_path
    end
+
+    def enterprise_fee_bulk_params
+      params.require(:enterprise_fee_set).permit(
+        collection_attributes: [
+          :id, :enterprise_id, :fee_type, :name, :tax_category_id,
+          :inherits_tax_category, :calculator_type,
+          { calculator_attributes: [:id, :preferred_flat_percent] }
+        ]
+      )
+    end
  end
 end
--- a/app/controllers/admin/order_cycles_controller.rb
+++ b/app/controllers/admin/order_cycles_controller.rb
@@ -223,7 +223,7 @@ module Admin
    end

    def order_cycle_set
-      @order_cycle_set ||= OrderCycleSet.new(@order_cycles, params[:order_cycle_set])
+      @order_cycle_set ||= OrderCycleSet.new(@order_cycles, order_cycle_bulk_params)
    end

    def require_order_cycle_set_params
@@ -240,5 +240,11 @@ module Admin
    def order_cycle_params
      PermittedAttributes::OrderCycle.new(params).call
    end
+
+    def order_cycle_bulk_params
+      params.require(:order_cycle_set).permit(
+        collection_attributes: [:id] + PermittedAttributes::OrderCycle.basic_attributes
+      )
+    end
  end
 end
--- a/app/services/permitted_attributes/order_cycle.rb
+++ b/app/services/permitted_attributes/order_cycle.rb
@@ -9,17 +9,24 @@ module PermittedAttributes
    def call
      return @params[:order_cycle] if @params[:order_cycle].blank?

-      @params.require(:order_cycle).permit(
+      @params.require(:order_cycle).permit(attributes)
+    end
+
+    def self.basic_attributes
+      [
        :name, :orders_open_at, :orders_close_at, :coordinator_id,
        :preferred_product_selection_from_coordinator_inventory_only,
-        incoming_exchanges: permitted_exchange_attributes,
-        outgoing_exchanges: permitted_exchange_attributes,
        schedule_ids: [], coordinator_fee_ids: []
-      )
+      ]
    end

    private

+    def attributes
+      self.class.basic_attributes + [incoming_exchanges: permitted_exchange_attributes,
+                                     outgoing_exchanges: permitted_exchange_attributes]
+    end
+
    def permitted_exchange_attributes
      [
        :id, :sender_id, :receiver_id, :enterprise_id, :incoming, :active,