From 417c4d9aeaffb427f4fde6200e5655de028f82f5 Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Sun, 8 Nov 2020 20:57:44 +0000 Subject: [PATCH 01/14] Inherit from ActionController::Base in API Controllers --- app/controllers/api/base_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb index 16b663e5aa..5bfa79f2c9 100644 --- a/app/controllers/api/base_controller.rb +++ b/app/controllers/api/base_controller.rb @@ -3,7 +3,7 @@ require_dependency 'spree/api/controller_setup' require "spree/core/controller_helpers/ssl" module Api - class BaseController < ActionController::Metal + class BaseController < ActionController::Base include Spree::Api::ControllerSetup include Spree::Core::ControllerHelpers::SSL include ::ActionController::Head From c374bf5e49e5998bba91d10e9cb0470a5ead9891 Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Fri, 6 Nov 2020 01:54:04 +0000 Subject: [PATCH 02/14] Fix strong_params in API taxons_controller --- app/controllers/api/taxons_controller.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/app/controllers/api/taxons_controller.rb b/app/controllers/api/taxons_controller.rb index f6693fbaee..e389caea7b 100644 --- a/app/controllers/api/taxons_controller.rb +++ b/app/controllers/api/taxons_controller.rb @@ -22,7 +22,7 @@ module Api def create authorize! :create, Spree::Taxon - @taxon = Spree::Taxon.new(params[:taxon]) + @taxon = Spree::Taxon.new(taxon_params[:taxon]) @taxon.taxonomy_id = params[:taxonomy_id] taxonomy = Spree::Taxonomy.find_by(id: params[:taxonomy_id]) @@ -42,7 +42,7 @@ module Api def update authorize! :update, Spree::Taxon - if taxon.update(params[:taxon]) + if taxon.update(taxon_params) render json: taxon, serializer: Api::TaxonSerializer, status: :ok else invalid_resource!(taxon) 
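Review bot: Inheriting `Api::BaseController` from `ActionController::Base` pulls the whole HTML controller stack into a token-authenticated API — cookie/session based forgery protection when `default_protect_from_forgery` is on, layouts, flash and the view helpers — which is far more than strong parameters needs. Patch 10 in this same series goes back to `ActionController::Metal` and adds `include ActionController::StrongParameters`, so squashing the two would avoid landing an intermediate state that specs might be written against. The class body continues outside the hunk.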
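Review bot: `taxon.update(taxon_params)` in the `update` hunk passes the whole permitted hash, i.e. `{ taxon: { name:, parent_id: } }`, so ActiveRecord will try to assign an attribute named `taxon`, while `create` in the same patch correctly unwraps it with `taxon_params[:taxon]`. As defined in this patch `taxon_params` is `params.permit(taxon: [:name, :parent_id])`, so the two call sites are inconsistent; the fix here would be `if taxon.update(taxon_params[:taxon])`. Patch 14 later reworks both sites, which suggests folding that change into this commit.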
@@ -66,5 +66,9 @@ module Api def taxon @taxon ||= taxonomy.taxons.find(params[:id]) end + + def taxon_params + params.permit(taxon: [:name, :parent_id]) + end end end From ca41bbcee7e300936e03eb517bc7110c43fc565e Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Fri, 6 Nov 2020 19:06:32 +0000 Subject: [PATCH 03/14] Fix Api::VariantsController ForbiddenAttributesError --- app/controllers/api/variants_controller.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/app/controllers/api/variants_controller.rb b/app/controllers/api/variants_controller.rb index af1f41d7b0..47b12e1e92 100644 --- a/app/controllers/api/variants_controller.rb +++ b/app/controllers/api/variants_controller.rb @@ -17,7 +17,7 @@ module Api def create authorize! :create, Spree::Variant - @variant = scope.new(params[:variant]) + @variant = scope.new(variant_params) if @variant.save render json: @variant, serializer: Api::VariantSerializer, status: :created else @@ -28,7 +28,7 @@ module Api def update authorize! :update, Spree::Variant @variant = scope.find(params[:id]) - if @variant.update(params[:variant]) + if @variant.update(variant_params) render json: @variant, serializer: Api::VariantSerializer, status: :ok else invalid_resource!(@product) @@ -69,5 +69,9 @@ module Api end variants end + + def variant_params + params.require(:variant).permit(PermittedAttributes::Variant.attributes) + end end end From 7401e34c524c006b8fdfa9f39c48b8543f2b31d5 Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Sat, 7 Nov 2020 01:41:33 +0000 Subject: [PATCH 04/14] Fix credit cards strong params --- app/controllers/api/customers_controller.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app/controllers/api/customers_controller.rb b/app/controllers/api/customers_controller.rb index 172d4580b8..796032e763 100644 --- a/app/controllers/api/customers_controller.rb 
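Review bot: The failure branch of `Api::VariantsController#update` still calls `invalid_resource!(@product)` (context line right under the new `@variant.update(variant_params)`), but nothing in this action assigns `@product`, so a failed variant update would report errors for `nil` rather than for `@variant`; unless a before-filter sets `@product`, it should read `invalid_resource!(@variant)`, matching `create`. On the positive side, `variant_params` uses `params.require(:variant)`, so a request without a `variant` key now raises `ActionController::ParameterMissing` (mapped to a 400 by the default exception handling) instead of a `ForbiddenAttributesError`, which is the better failure mode.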
+++ b/app/controllers/api/customers_controller.rb @@ -11,11 +11,15 @@ module Api @customer = Customer.find(params[:id]) authorize! :update, @customer - if @customer.update(params[:customer]) + if @customer.update(customer_params) render json: @customer, serializer: CustomerSerializer, status: :ok else invalid_resource!(@customer) end end + + def customer_params + params.require(:customer).permit(:code, :email, :enterprise_id, :allow_charges) + end end end From 642a294844e57704da0eb54fd0a9aac6f43378a4 Mon Sep 17 00:00:00 2001 
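Review bot: `customer_params` permits `:enterprise_id` on update, so a request can move a customer record to a different enterprise while `authorize! :update, @customer` only checks the customer as it currently stands, not the target enterprise. Unless the `Customer` model or the ability validates that the new `enterprise_id` belongs to an enterprise the current user manages (not visible from this hunk), it is safer to drop it from the update permit list or to authorize the target first, e.g. `authorize! :update, Enterprise.find(customer_params[:enterprise_id]) if customer_params[:enterprise_id].present?`. The commit title mentions credit cards but the file changed is the customers controller; the title should name what was actually fixed.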
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Sat, 7 Nov 2020 15:02:31 +0000 Subject: [PATCH 05/14] Fix broken order edit shipment As an administrator I want to create and edit orders as an enterprise manager viewing the edit page with different shipping methods can edit shipping method Failure/Error: expect(page).to have_content "Shipping: #{different_shipping_method_for_distributor1.name}" expected to find text "Shipping: Different" in "Logged in as : owen@romaguera.ca Account Logout Store DASHBOARD PRODUCTS ORDER CYCLES ORDERS REPORTS ENTERPRISES CUSTOMERS Order # R813516688 CANCEL ACTIONS BACK TO ORDER LIST John Doe - ADD PRODUCT NAME OR SKU (ENTER AT LEAST FIRST 4 CHARACTERS OF PRODUCT NAME) Select a variant 100 - PENDING ITEM DESCRIPTION PRICE QUANTITY TOTAL Product #3 - 9924 - 1g, S $10.00 1 x none $10.00 Product #4 - 5548 - 1g, S $10.00 1 x none $10.00 Product #5 - 8080 - 1g, S $10.00 1 x none $10.00 Product #6 - 3591 - 1g, S $10.00 1 x none $10.00 Product #7 - 6461 - 1g, S $10.00 1 x none $10.00 Product #8 - 4071 - 1g, S $110.00 1 x none $110.00 SHIPPING METHOD Different $0.00 Normal $0.00 Different $0.00 Tracking: U10000 LINE ITEM ADJUSTMENTS NAME AMOUNT Tax 1 10.0%: $10.00 ORDER ADJUSTMENTS NAME AMOUNT Transaction fee: $0.00 ORDER TOTAL $160.00 DISTRIBUTION Distributor: Enterprise 4 Order cycle: Order Cycle 2 UPDATE AND RECALCULATE FEES or BACK ORDER INFORMATION STATUS COMPLETE TOTAL : $160.00 SHIPMENT : PENDING PAYMENT : BALANCE DUE DATE COMPLETED : November 08, 2020 1:51 AM ORDER DETAILS CUSTOMER DETAILS ADJUSTMENTS PAYMENTS RETURN AUTHORIZATIONS" # ./spec/features/admin/order_spec.rb:291:in `block (5 levels) in ' --- app/controllers/api/shipments_controller.rb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/app/controllers/api/shipments_controller.rb b/app/controllers/api/shipments_controller.rb index 99f03bef7a..69f4b7d037 100644 --- a/app/controllers/api/shipments_controller.rb 
+++ b/app/controllers/api/shipments_controller.rb @@ -30,7 +30,7 @@ module Api @shipment.adjustment.open end - @shipment.update(params[:shipment]) + @shipment.update(shipment_params[:shipment]) if unlock == 'yes' @shipment.adjustment.close @@ -88,7 +88,7 @@ module Api def find_and_update_shipment @shipment = @order.shipments.find_by!(number: params[:id]) - @shipment.update(params[:shipment]) + @shipment.update(shipment_params[:shipment]) if shipment_params[:shipment].present? @shipment.reload end @@ -101,5 +101,12 @@ module Api def get_or_create_shipment(stock_location_id) @order.shipment || @order.shipments.create(stock_location_id: stock_location_id) end + + def shipment_params + params.permit( + [:id, :order_id, :variant_id, :quantity, + { shipment: [:tracking, :selected_shipping_rate_id] }] + ) + end end end From 787f29105ca501474576340c2cb3791ffb6c65d0 Mon Sep 17 00:00:00 2001 
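Review bot: The first hunk (around line 30) calls `@shipment.update(shipment_params[:shipment])` with no presence check, while the second hunk guards the identical call with `if shipment_params[:shipment].present?`; when a request carries no `shipment` key the first site hands `nil` to `update`, which raises `ArgumentError` from `assign_attributes` instead of returning a validation error. Either add the same guard at the first site or give the helper a default so both call sites are safe, e.g. `params.fetch(:shipment, {}).permit(:tracking, :selected_shipping_rate_id)` used directly as the argument. Permitting the whole top-level `params` with `:id, :order_id, :variant_id, :quantity` also means any other key (such as `format`, depending on `always_permitted_parameters`) is reported as unpermitted in the log on every request. The method enclosing the first hunk begins outside it.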
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Sat, 7 Nov 2020 18:00:23 +0000 Subject: [PATCH 06/14] Fix ForbiddenAttribute errors for bulk update of enterprise fees and order cycles Example error: As an administrator I want to manage simple order cycles updating many order cycle opening/closing times at once Failure/Error: raise ActiveModel::ForbiddenAttributesError, params.to_s ActiveModel::ForbiddenAttributesError: {"order_cycle_set"=>{"collection_attributes"=>{"0"=>{"id"=>62, "name"=>"Updated Order Cycle 1", "orders_open_at"=>"2040-12-01 12:00:00", "orders_close_at"=>"2040-12-01 12:00:01"}, "1"=>{"id"=>63, "name"=>"Updated Order Cycle 2", "orders_open_at"=>"2040-12-01 12:00:02", "orders_close_at"=>"2040-12-01 12:00:03"}, "2"=>{"id"=>64, "name"=>"Updated Order Cycle 3", "orders_open_at"=>"2040-12-01 12:00:04", "orders_close_at"=>"2040-12-01 12:00:05"}}}, "controller"=>"admin/order_cycles", "action"=>"bulk_update", "format"=>"json", "order_cycle"=>{}} # ./app/controllers/application_controller.rb:20:in `print_params' # ./lib/open_food_network/rack_request_blocker.rb:36:in `call' # ------------------ # --- Caused by: --- # ActiveModel::ForbiddenAttributesError: # ActiveModel::ForbiddenAttributesError # ./app/models/model_set.rb:29:in `block in collection_attributes=' --- .../admin/enterprise_fees_controller.rb | 12 +++++++++++- app/controllers/admin/order_cycles_controller.rb | 8 +++++++- app/services/permitted_attributes/order_cycle.rb | 15 +++++++++++---- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/app/controllers/admin/enterprise_fees_controller.rb b/app/controllers/admin/enterprise_fees_controller.rb index 56187450a7..3d118e5083 100644 --- a/app/controllers/admin/enterprise_fees_controller.rb +++ b/app/controllers/admin/enterprise_fees_controller.rb 
@@ -27,7 +27,7 @@ module Admin end def bulk_update - @enterprise_fee_set = EnterpriseFeeSet.new(params[:enterprise_fee_set]) + @enterprise_fee_set = EnterpriseFeeSet.new(enterprise_fee_bulk_params) if @enterprise_fee_set.save redirect_to redirect_path, notice: I18n.t(:enterprise_fees_update_notice) @@ -78,5 +78,15 @@ module Admin main_app.admin_enterprise_fees_path end + + def enterprise_fee_bulk_params + params.require(:enterprise_fee_set).permit( + collection_attributes: [ + :id, :enterprise_id, :fee_type, :name, :tax_category_id, + :inherits_tax_category, :calculator_type, + { calculator_attributes: [:id, :preferred_flat_percent] } + ] + ) + end end end diff --git a/app/controllers/admin/order_cycles_controller.rb b/app/controllers/admin/order_cycles_controller.rb index f6ec38293a..a28060ea5b 100644 --- a/app/controllers/admin/order_cycles_controller.rb +++ b/app/controllers/admin/order_cycles_controller.rb @@ -223,7 +223,7 @@ module Admin end def order_cycle_set - @order_cycle_set ||= OrderCycleSet.new(@order_cycles, params[:order_cycle_set]) + @order_cycle_set ||= OrderCycleSet.new(@order_cycles, order_cycle_bulk_params) end def require_order_cycle_set_params @@ -240,5 +240,11 @@ module Admin def order_cycle_params PermittedAttributes::OrderCycle.new(params).call end + + def order_cycle_bulk_params + params.require(:order_cycle_set).permit( + collection_attributes: [:id] + PermittedAttributes::OrderCycle.basic_attributes + ) + end end end diff --git a/app/services/permitted_attributes/order_cycle.rb b/app/services/permitted_attributes/order_cycle.rb index b81dccef0f..046726a96f 100644 --- a/app/services/permitted_attributes/order_cycle.rb +++ b/app/services/permitted_attributes/order_cycle.rb 
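Review bot: `enterprise_fee_bulk_params` permits `:id` and `:enterprise_id` for every element of `collection_attributes`, so each submitted row may name an arbitrary fee id and re-point it to another enterprise; the permit list only shapes the input, and this hunk does not show whether `EnterpriseFeeSet` restricts the ids to fees the current user manages. The same applies to `order_cycle_bulk_params` in `order_cycles_controller.rb`, where `[:id] + PermittedAttributes::OrderCycle.basic_attributes` includes `:coordinator_id`. Worth confirming that both set classes look records up through the user's own enterprises (the `@order_cycles` collection already passed to `OrderCycleSet.new` looks like the right scope) and authorize each record before saving, and noting that in a comment above each helper.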
@@ -9,17 +9,24 @@ module PermittedAttributes def call return @params[:order_cycle] if @params[:order_cycle].blank? - @params.require(:order_cycle).permit( + @params.require(:order_cycle).permit(attributes) + end + + def self.basic_attributes + [ :name, :orders_open_at, :orders_close_at, :coordinator_id, :preferred_product_selection_from_coordinator_inventory_only, - incoming_exchanges: permitted_exchange_attributes, - outgoing_exchanges: permitted_exchange_attributes, schedule_ids: [], coordinator_fee_ids: [] - ) + ] end private + def attributes + self.class.basic_attributes + [incoming_exchanges: permitted_exchange_attributes, + outgoing_exchanges: permitted_exchange_attributes] + end + def permitted_exchange_attributes [ :id, :sender_id, :receiver_id, :enterprise_id, :incoming, :active, From 36f4f40e843e18daeb03ce7d2088b1ff3d3a9aac Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Fri, 6 Nov 2020 19:01:49 +0000 Subject: [PATCH 07/14] Refactor and fix PaymentMethod strong params --- .../spree/admin/payment_methods_controller.rb | 17 +++------------ .../permitted_attributes/payment_method.rb | 21 +++++++++++++++++++ 2 files changed, 24 insertions(+), 14 deletions(-) create mode 100644 app/services/permitted_attributes/payment_method.rb diff --git a/app/controllers/spree/admin/payment_methods_controller.rb b/app/controllers/spree/admin/payment_methods_controller.rb index acd8de697b..d82ea21aec 100644 --- a/app/controllers/spree/admin/payment_methods_controller.rb +++ b/app/controllers/spree/admin/payment_methods_controller.rb @@ -15,7 +15,7 @@ module Spree @payment_method = params[:payment_method]. delete(:type). constantize. - new(payment_method_params) + new(PermittedAttributes::PaymentMethod.new(params[:payment_method]).call) @object = @payment_method invoke_callbacks(:create, :before) 
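Review bot: `self.basic_attributes` is now public class API consumed by `Admin::OrderCyclesController#order_cycle_bulk_params`, yet nothing explains why the exchange attributes are excluded from it; a comment such as `# Attributes safe for bulk (index-page) updates; incoming/outgoing exchanges are only permitted via #call.` would stop someone re-adding them later. The early return in `call` (context line) still hands back the raw `@params[:order_cycle]` when it is blank, i.e. `nil` or an unpermitted empty `Parameters`, so the method's return type is not uniform; if callers tolerate it, say so in a comment, otherwise return `{}` there. The class continues outside the hunk.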
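Review bot: The new permit call runs after `params[:payment_method].delete(:type).constantize`, so attributes are now filtered but the class to instantiate is still picked by a request-supplied string handed straight to `constantize`; that predates this change, but tightening the permit list is the natural moment to resolve the type against an allowlist of registered payment method classes instead. A short comment on the `delete(:type)` line explaining that `:type` is removed before permitting (and therefore must not be relied on from `PermittedAttributes::PaymentMethod` on create) would also help. `create` begins outside the hunk.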
@@ -92,17 +92,6 @@ module Spree private - def payment_method_params - params.require(:payment_method).permit( - :name, :description, :type, :active, - :environment, :display_on, :tag_list, - :preferred_enterprise_id, :preferred_server, :preferred_login, :preferred_password, - :calculator_type, :preferred_api_key, - :preferred_signature, :preferred_solution, :preferred_landing_page, :preferred_logourl, - :preferred_test_mode, distributor_ids: [] - ) - end - def force_environment params[:payment_method][:environment] = Rails.env unless spree_current_user.admin? end @@ -164,7 +153,7 @@ module Spree # Also, remove password if present and blank def params_for_update gateway_params = params[ActiveModel::Naming.param_key(@payment_method)] || {} - params_for_update = payment_method_params.merge(gateway_params) + params_for_update = params[:payment_method].merge(gateway_params) params_for_update.each do |key, _value| if key.include?("password") && params_for_update[key].blank? @@ -172,7 +161,7 @@ module Spree end end - params_for_update + PermittedAttributes::PaymentMethod.new(params_for_update).call end end end diff --git a/app/services/permitted_attributes/payment_method.rb b/app/services/permitted_attributes/payment_method.rb new file mode 100644 index 0000000000..bfe3238fb8 --- /dev/null +++ b/app/services/permitted_attributes/payment_method.rb 
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module PermittedAttributes
+ class PaymentMethod
+ def initialize(params)
+ @params = params
+ end
+
+ def call
+ @params.permit(
+ [:name, :description, :type, :active,
+ :environment, :display_on, :tag_list,
+ :preferred_enterprise_id, :preferred_server, :preferred_login, :preferred_password,
+ :calculator_type, :preferred_api_key,
+ :preferred_signature, :preferred_solution, :preferred_landing_page, :preferred_logourl,
+ :preferred_test_mode, :calculator_type, { distributor_ids: [] },
+ { calculator_attributes: [:id, :preferred_currency, :preferred_amount] }]
+ )
+ end
+ end
+end
From 6a26c9da8c9100f97b7551118f18ce652f4b5e7b Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Fri, 6 Nov 2020 01:14:06 +0000
Subject: [PATCH 08/14] Fix strong_params in API products_controller
---
 app/controllers/api/products_controller.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/controllers/api/products_controller.rb b/app/controllers/api/products_controller.rb
index d8de7c75e0..f070bba15e 100644
--- a/app/controllers/api/products_controller.rb
+++ b/app/controllers/api/products_controller.rb
@@ -17,7 +17,7 @@ module Api
 def create
 authorize! :create, Spree::Product
 params[:product][:available_on] ||= Time.zone.now
- @product = Spree::Product.new(params[:product])
+ @product = Spree::Product.new(product_params)
 begin
 if @product.save
 render json: @product, serializer: Api::Admin::ProductSerializer, status: :created
@@ -33,7 +33,7 @@ module Api
 def update
 authorize! :update, Spree::Product
 @product = find_product(params[:id])
- if @product.update(params[:product])
+ if @product.update(product_params)
 render json: @product, serializer: Api::Admin::ProductSerializer, status: :ok
 else
 invalid_resource!(@product)
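Review bot: `:calculator_type` appears twice in the permit list of the new `PermittedAttributes::PaymentMethod#call` (lines 14 and 16 of the file), and `:type` is permitted as well, so the list reused by `params_for_update` lets an update switch a payment method's STI class; drop the duplicate and consider leaving `:type` to the create path, which reads it before permitting. The list also permits `:preferred_password`, `:preferred_api_key` and `:preferred_signature`, and the backtrace quoted in the patch 06 message shows an `ApplicationController#print_params` that re-raises with `params.to_s`; make sure those keys are covered by `config.filter_parameters` and that the debug re-raise does not ship. A one-line class comment naming the callers (`create` and `params_for_update` in `Spree::Admin::PaymentMethodsController`) would make the shared list easier to maintain.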
@@ -156,5 +156,9 @@ module Api per_page: (params[:per_page] || DEFAULT_PER_PAGE).to_i } end + + def product_params + params.require(:product).permit PermittedAttributes::Product.attributes + end end end From cbdb6126a6cf8dc59932e00b53b78a702ba93d9c Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Fri, 6 Nov 2020 00:56:00 +0000 Subject: [PATCH 09/14] Fix strong_params in API enterprises_controller --- app/controllers/api/enterprises_controller.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/app/controllers/api/enterprises_controller.rb b/app/controllers/api/enterprises_controller.rb index 5b8d2f2bc4..4fef8b23ce 100644 --- a/app/controllers/api/enterprises_controller.rb +++ b/app/controllers/api/enterprises_controller.rb @@ -12,7 +12,7 @@ module Api # params[:user_ids] breaks the enterprise creation # We remove them from params and save them after creating the enterprise user_ids = params[:enterprise].delete(:user_ids) - @enterprise = Enterprise.new(params[:enterprise]) + @enterprise = Enterprise.new(enterprise_params) if @enterprise.save @enterprise.user_ids = user_ids render text: @enterprise.id, status: :created @@ -25,7 +25,7 @@ module Api @enterprise = Enterprise.find_by(permalink: params[:id]) || Enterprise.find(params[:id]) authorize! :update, @enterprise - if @enterprise.update(params[:enterprise]) + if @enterprise.update(enterprise_params) render text: @enterprise.id, status: :ok else invalid_resource!(@enterprise) @@ -69,5 +69,9 @@ module Api def override_visible params[:enterprise][:visible] = false end + + def enterprise_params + PermittedAttributes::Enterprise.new(params).call + end end end From 1766f33d46bc50852785a825c75cabe467199705 Mon Sep 17 00:00:00 2001 
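Review bot: `params.require(:product).permit PermittedAttributes::Product.attributes` mixes a parenthesised call with a bare-argument one on the same line; the sibling helpers added in this series (`variant_params`, `customer_params`) and RuboCop's `Style/MethodCallWithArgsParentheses` expect `params.require(:product).permit(PermittedAttributes::Product.attributes)`. Separately, `create` (earlier hunk) writes `params[:product][:available_on] ||= Time.zone.now` before `product_params` runs, so a request with no `product` key fails with `NoMethodError` on `nil` before `require` can raise `ParameterMissing`; moving the default after the `require` would turn that into a clean 400.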
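Review bot: `Api::EnterprisesController#create` still assigns `@enterprise.user_ids = user_ids` from `params[:enterprise].delete(:user_ids)`, which is pulled out before `enterprise_params` runs, so the users attached to a new enterprise bypass the permit list this commit introduces, and I cannot see from the hunk that anything restricts those ids to users the caller may manage. If that is intentional, a comment on the `user_ids` line should say so; otherwise permit `user_ids: []` through `PermittedAttributes::Enterprise` and assign from the permitted hash, or filter the ids before assignment. Note too that `override_visible` (last hunk, context) mutates `params[:enterprise]` before the permit runs, so the order of `before_action`s now matters and deserves a comment.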
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Wed, 11 Nov 2020 23:01:25 +0000 Subject: [PATCH 10/14] Use ActionController::Metal and include StrongParameters --- app/controllers/api/base_controller.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb index 5bfa79f2c9..0de0d45d99 100644 --- a/app/controllers/api/base_controller.rb +++ b/app/controllers/api/base_controller.rb @@ -3,7 +3,8 @@ require_dependency 'spree/api/controller_setup' require "spree/core/controller_helpers/ssl" module Api - class BaseController < ActionController::Base + class BaseController < ActionController::Metal + include ActionController::StrongParameters include Spree::Api::ControllerSetup include Spree::Core::ControllerHelpers::SSL include ::ActionController::Head From 3547b9fe5611c3f776b2199374dc9a2fad2a3ef5 Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Mon, 16 Nov 2020 16:56:22 +0000 Subject: [PATCH 11/14] Add missing calculator params --- app/controllers/admin/enterprise_fees_controller.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/app/controllers/admin/enterprise_fees_controller.rb b/app/controllers/admin/enterprise_fees_controller.rb index 3d118e5083..2a3c4cfd77 100644 --- a/app/controllers/admin/enterprise_fees_controller.rb +++ b/app/controllers/admin/enterprise_fees_controller.rb 
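Review bot: With the API back on `ActionController::Metal`, `include ActionController::StrongParameters` only enforces what each `permit` call lists; any attribute the old raw-`params` code accepted and the new lists omit is now dropped silently (logged as unpermitted by default), which is exactly the class of regression the rest of this series is chasing. Setting `config.action_controller.action_on_unpermitted_parameters = :raise` in the test and development environments would turn those silent drops into failures while the lists are being completed. The class body continues outside the hunk.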
@@ -84,7 +84,12 @@ module Admin
 collection_attributes: [
 :id, :enterprise_id, :fee_type, :name, :tax_category_id,
 :inherits_tax_category, :calculator_type,
- { calculator_attributes: [:id, :preferred_flat_percent] }
+ { calculator_attributes:
+ [:id, :preferred_currency, :preferred_amount, :preferred_flat_percent,
+ :preferred_minimal_amount, :preferred_normal_amount, :preferred_discount_amount,
+ :preferred_unit_from_list, :preferred_per_unit, :preferred_first_item,
+ :preferred_additional_item, :preferred_max_items]
+ }
 ]
 )
 end
From d225294b6bb5d3e36fe8287b00ac79bf32affd97 Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Mon, 16 Nov 2020 16:58:34 +0000
Subject: [PATCH 12/14] Extract to PermittedAttributes::Calculator
---
 .../admin/enterprise_fees_controller.rb | 7 +------
 app/services/permitted_attributes/calculator.rb | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 app/services/permitted_attributes/calculator.rb
diff --git a/app/controllers/admin/enterprise_fees_controller.rb b/app/controllers/admin/enterprise_fees_controller.rb
index 2a3c4cfd77..d74d1e7c22 100644
--- a/app/controllers/admin/enterprise_fees_controller.rb
+++ b/app/controllers/admin/enterprise_fees_controller.rb
@@ -84,12 +84,7 @@ module Admin
 collection_attributes: [
 :id, :enterprise_id, :fee_type, :name, :tax_category_id,
 :inherits_tax_category, :calculator_type,
- { calculator_attributes:
- [:id, :preferred_currency, :preferred_amount, :preferred_flat_percent,
- :preferred_minimal_amount, :preferred_normal_amount, :preferred_discount_amount,
- :preferred_unit_from_list, :preferred_per_unit, :preferred_first_item,
- :preferred_additional_item, :preferred_max_items]
- }
+ { calculator_attributes: PermittedAttributes::Calculator.attributes }
 ]
 )
 end
diff --git a/app/services/permitted_attributes/calculator.rb b/app/services/permitted_attributes/calculator.rb
new file mode 100644
index 0000000000..ba5385d01c
--- /dev/null +++ b/app/services/permitted_attributes/calculator.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +module PermittedAttributes + class Calculator + def self.attributes + [ + :id, :preferred_currency, :preferred_amount, :preferred_flat_percent, + :preferred_minimal_amount, :preferred_normal_amount, :preferred_discount_amount, + :preferred_unit_from_list, :preferred_per_unit, :preferred_first_item, + :preferred_additional_item, :preferred_max_items + ] + end + end +end From 0b18b0dc0aecaf3438db6615440eda8b8aa30f26 Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Tue, 17 Nov 2020 19:04:26 +0000 Subject: [PATCH 13/14] Include Calculator attributes in PaymentMethod nested attributes and DRY repeated code --- app/controllers/spree/admin/shipping_methods_controller.rb | 7 +------ app/services/permitted_attributes/payment_method.rb | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/app/controllers/spree/admin/shipping_methods_controller.rb b/app/controllers/spree/admin/shipping_methods_controller.rb index cace3feea4..2847ba220d 100644 --- a/app/controllers/spree/admin/shipping_methods_controller.rb +++ b/app/controllers/spree/admin/shipping_methods_controller.rb @@ -86,12 +86,7 @@ module Spree params.require(:shipping_method).permit( :name, :description, :display_on, :require_ship_address, :tag_list, :calculator_type, distributor_ids: [], - calculator_attributes: [ - :id, :preferred_currency, :preferred_amount, :preferred_unit_from_list, - :preferred_per_unit, :preferred_flat_percent, :preferred_first_item, - :preferred_additional_item, :preferred_max_items, :preferred_minimal_amount, - :preferred_normal_amount, :preferred_discount_amount - ] + calculator_attributes: PermittedAttributes::Calculator.attributes ) end end diff --git a/app/services/permitted_attributes/payment_method.rb b/app/services/permitted_attributes/payment_method.rb index bfe3238fb8..aac274a9f2 100644 
--- a/app/services/permitted_attributes/payment_method.rb +++ b/app/services/permitted_attributes/payment_method.rb @@ -14,7 +14,7 @@ module PermittedAttributes :calculator_type, :preferred_api_key, :preferred_signature, :preferred_solution, :preferred_landing_page, :preferred_logourl, :preferred_test_mode, :calculator_type, { distributor_ids: [] }, - { calculator_attributes: [:id, :preferred_currency, :preferred_amount] }] + { calculator_attributes: PermittedAttributes::Calculator.attributes }] ) end end From b0a70f0ba33f8b61ae25c1b73afd736f188f78ba Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Tue, 17 Nov 2020 19:48:27 +0000 Subject: [PATCH 14/14] Improve TaxonController strong params handling --- app/controllers/api/taxons_controller.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/app/controllers/api/taxons_controller.rb b/app/controllers/api/taxons_controller.rb index e389caea7b..4732c52361 100644 --- a/app/controllers/api/taxons_controller.rb +++ b/app/controllers/api/taxons_controller.rb @@ -22,7 +22,7 @@ module Api def create authorize! :create, Spree::Taxon - @taxon = Spree::Taxon.new(taxon_params[:taxon]) + @taxon = Spree::Taxon.new(taxon_params) @taxon.taxonomy_id = params[:taxonomy_id] taxonomy = Spree::Taxonomy.find_by(id: params[:taxonomy_id]) @@ -68,7 +68,9 @@ module Api end def taxon_params - params.permit(taxon: [:name, :parent_id]) + return if params[:taxon].blank? + + params.require(:taxon).permit([:name, :parent_id]) end end end
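Review bot: `taxon_params` now returns `nil` when `params[:taxon]` is blank, and `update` (earlier in this file, outside the hunk) calls `taxon.update(taxon_params)`, which raises `ArgumentError` for a `nil` argument, while `Spree::Taxon.new(nil)` in `create` quietly builds an empty record; a missing `taxon` key should surface as a 400, not as a 500 in one action and a no-op in the other. Dropping the early return and letting `params.require(:taxon)` raise `ParameterMissing`, or returning an empty permitted set with `params.fetch(:taxon, {}).permit(:name, :parent_id)`, keeps both call sites safe. If the guard stays, the helper's `Parameters`-or-`nil` return type should be stated in a comment above it.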