From 787f29105ca501474576340c2cb3791ffb6c65d0 Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Sat, 7 Nov 2020 18:00:23 +0000 Subject: [PATCH] Fix ForbiddenAttribute errors for bulk update of enterprise fees and order cycles Example error: As an administrator I want to manage simple order cycles updating many order cycle opening/closing times at once Failure/Error: raise ActiveModel::ForbiddenAttributesError, params.to_s ActiveModel::ForbiddenAttributesError: {"order_cycle_set"=>{"collection_attributes"=>{"0"=>{"id"=>62, "name"=>"Updated Order Cycle 1", "orders_open_at"=>"2040-12-01 12:00:00", "orders_close_at"=>"2040-12-01 12:00:01"}, "1"=>{"id"=>63, "name"=>"Updated Order Cycle 2", "orders_open_at"=>"2040-12-01 12:00:02", "orders_close_at"=>"2040-12-01 12:00:03"}, "2"=>{"id"=>64, "name"=>"Updated Order Cycle 3", "orders_open_at"=>"2040-12-01 12:00:04", "orders_close_at"=>"2040-12-01 12:00:05"}}}, "controller"=>"admin/order_cycles", "action"=>"bulk_update", "format"=>"json", "order_cycle"=>{}} # ./app/controllers/application_controller.rb:20:in `print_params' # ./lib/open_food_network/rack_request_blocker.rb:36:in `call' # ------------------ # --- Caused by: --- # ActiveModel::ForbiddenAttributesError: # ActiveModel::ForbiddenAttributesError # ./app/models/model_set.rb:29:in `block in collection_attributes=' --- .../admin/enterprise_fees_controller.rb | 12 +++++++++++- app/controllers/admin/order_cycles_controller.rb | 8 +++++++- app/services/permitted_attributes/order_cycle.rb | 15 +++++++++++---- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/app/controllers/admin/enterprise_fees_controller.rb b/app/controllers/admin/enterprise_fees_controller.rb index 56187450a7..3d118e5083 100644 --- a/app/controllers/admin/enterprise_fees_controller.rb +++ b/app/controllers/admin/enterprise_fees_controller.rb 
@@ -27,7 +27,7 @@ module Admin end def bulk_update - @enterprise_fee_set = EnterpriseFeeSet.new(params[:enterprise_fee_set]) + @enterprise_fee_set = EnterpriseFeeSet.new(enterprise_fee_bulk_params) if @enterprise_fee_set.save redirect_to redirect_path, notice: I18n.t(:enterprise_fees_update_notice) @@ -78,5 +78,15 @@ module Admin main_app.admin_enterprise_fees_path end + + def enterprise_fee_bulk_params + params.require(:enterprise_fee_set).permit( + collection_attributes: [ + :id, :enterprise_id, :fee_type, :name, :tax_category_id, + :inherits_tax_category, :calculator_type, + { calculator_attributes: [:id, :preferred_flat_percent] } + ] + ) + end end end diff --git a/app/controllers/admin/order_cycles_controller.rb b/app/controllers/admin/order_cycles_controller.rb index f6ec38293a..a28060ea5b 100644 --- a/app/controllers/admin/order_cycles_controller.rb +++ b/app/controllers/admin/order_cycles_controller.rb @@ -223,7 +223,7 @@ module Admin end def order_cycle_set - @order_cycle_set ||= OrderCycleSet.new(@order_cycles, params[:order_cycle_set]) + @order_cycle_set ||= OrderCycleSet.new(@order_cycles, order_cycle_bulk_params) end def require_order_cycle_set_params @@ -240,5 +240,11 @@ module Admin def order_cycle_params PermittedAttributes::OrderCycle.new(params).call end + + def order_cycle_bulk_params + params.require(:order_cycle_set).permit( + collection_attributes: [:id] + PermittedAttributes::OrderCycle.basic_attributes + ) + end end end diff --git a/app/services/permitted_attributes/order_cycle.rb b/app/services/permitted_attributes/order_cycle.rb index b81dccef0f..046726a96f 100644 --- a/app/services/permitted_attributes/order_cycle.rb +++ b/app/services/permitted_attributes/order_cycle.rb 
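Review bot: In `enterprise_fee_bulk_params` (app/controllers/admin/enterprise_fees_controller.rb) the allow-list takes both `:id` and `:enterprise_id` from the client, and `bulk_update` builds `EnterpriseFeeSet.new(enterprise_fee_bulk_params)` from those params alone, whereas the order-cycle path passes a pre-loaded `@order_cycles` collection. Strong parameters only filter keys; they do not check that the submitted ids belong to an enterprise the current user manages. `EnterpriseFeeSet` is not visible in this patch, so confirm that it or a controller filter scopes the records, and record that next to the method, e.g. `# permit only filters keys; record ownership for :id / :enterprise_id is enforced in <where>`. Separately, `calculator_attributes` allows only `:id` and `:preferred_flat_percent`, so if other `calculator_type` values carry different preference fields, `permit` will drop them silently.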
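Review bot: `order_cycle_bulk_params` (app/controllers/admin/order_cycles_controller.rb) allows more than the bulk form appears to need. Reusing `PermittedAttributes::OrderCycle.basic_attributes` makes `:coordinator_id`, `schedule_ids` and `coordinator_fee_ids` mass-assignable per record through `bulk_update`. The request in the commit message carries only `id`, `name`, `orders_open_at` and `orders_close_at`. Unless the bulk screen edits the other fields, a narrower list keeps the endpoint to least privilege: `collection_attributes: [:id, :name, :orders_open_at, :orders_close_at]`. If the wider list is intended, it is worth checking that a change of `coordinator_id` goes through the same authorization as the single-record update, which is not visible in this hunk.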
@@ -9,17 +9,24 @@ module PermittedAttributes def call return @params[:order_cycle] if @params[:order_cycle].blank? - @params.require(:order_cycle).permit( + @params.require(:order_cycle).permit(attributes) + end + + def self.basic_attributes + [ :name, :orders_open_at, :orders_close_at, :coordinator_id, :preferred_product_selection_from_coordinator_inventory_only, - incoming_exchanges: permitted_exchange_attributes, - outgoing_exchanges: permitted_exchange_attributes, schedule_ids: [], coordinator_fee_ids: [] - ) + ] end private + def attributes + self.class.basic_attributes + [incoming_exchanges: permitted_exchange_attributes, + outgoing_exchanges: permitted_exchange_attributes] + end + def permitted_exchange_attributes [ :id, :sender_id, :receiver_id, :enterprise_id, :incoming, :active,
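Review bot: `self.basic_attributes` is now a shared allow-list, but nothing in the class says so. The new `order_cycle_bulk_params` in the order cycles controller reuses it, so any attribute later added here for the single-record form also becomes assignable through `bulk_update`. A comment above the method would make that coupling explicit, for example `# Also used for bulk updates (Admin::OrderCyclesController#order_cycle_bulk_params); only add attributes that are safe to mass-assign on both endpoints.` The private `attributes` method could carry a one-line note that it adds the exchange attributes, which are deliberately left out of the bulk list. `permitted_exchange_attributes` continues past the end of the hunk.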