Merge pull request #5035 from luisramos0/strong_params_checkout

[Spree 2.1] Implement strong params in checkout controller
2026-01-24 20:36:49 +00:00 · 2020-03-25 09:46:53 +01:00
parent e70daf53ce 2c453359c1
commit b323364661
5 changed files with 59 additions and 22 deletions
--- a/app/controllers/checkout_controller.rb
+++ b/app/controllers/checkout_controller.rb
@@ -44,8 +44,8 @@ class CheckoutController < Spree::StoreController
  end

  def update
-    params_adapter = Checkout::FormDataAdapter.new(params, @order, spree_current_user)
-    return update_failed unless @order.update_attributes(params_adapter.order_params)
+    params_adapter = Checkout::FormDataAdapter.new(permitted_params, @order, spree_current_user)
+    return update_failed unless @order.update_attributes(params_adapter.params[:order])

    fire_event('spree.checkout.update')

@@ -263,4 +263,8 @@ class CheckoutController < Spree::StoreController
      end
    end
  end
+
+  def permitted_params
+    PermittedAttributes::Checkout.new(params).call
+  end
 end
--- a/app/services/checkout/form_data_adapter.rb
+++ b/app/services/checkout/form_data_adapter.rb
@@ -3,7 +3,7 @@
 # Adapts checkout form data (params) so that the order can be directly saved to the database
 module Checkout
  class FormDataAdapter
-    attr_reader :shipping_method_id
+    attr_reader :params, :shipping_method_id

    def initialize(params, order, current_user)
      @params = params.dup
@@ -19,10 +19,6 @@ module Checkout
      @shipping_method_id = @params[:order].delete(:shipping_method_id)
    end

-    def order_params
-      @params[:order]
-    end
-
    private

    # For payment step, filter order parameters to produce the expected
--- a/app/services/permitted_attributes/address.rb
+++ b/app/services/permitted_attributes/address.rb
@@ -0,0 +1,11 @@
+module PermittedAttributes
+  class Address
+    def self.attributes
+      [
+        :firstname, :lastname, :address1, :address2,
+        :city, :country_id, :state_id, :zipcode,
+        :phone, :state_name, :alternative_phone, :company
+      ]
+    end
+  end
+end
--- a/app/services/permitted_attributes/checkout.rb
+++ b/app/services/permitted_attributes/checkout.rb
@@ -0,0 +1,34 @@
+module PermittedAttributes
+  class Checkout
+    def initialize(params)
+      @params = params
+    end
+
+    def call
+      @params.permit(
+        order: [
+          :email, :special_instructions,
+          :existing_card_id, :shipping_method_id,
+          payments_attributes: [
+            :payment_method_id,
+            source_attributes: payment_source_attributes
+          ],
+          ship_address_attributes: PermittedAttributes::Address.attributes,
+          bill_address_attributes: PermittedAttributes::Address.attributes
+        ],
+        payment_source: payment_source_attributes
+      )
+    end
+
+    private
+
+    def payment_source_attributes
+      [
+        :gateway_payment_profile_id, :cc_type, :last_digits,
+        :month, :year, :first_name, :last_name,
+        :number, :verification_value,
+        :save_requested_by_customer
+      ]
+    end
+  end
+end
--- a/spec/services/checkout/form_data_adapter_spec.rb
+++ b/spec/services/checkout/form_data_adapter_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'

 describe Checkout::FormDataAdapter do
-  describe '#order_params' do
+  describe '#params' do
    let(:params) { { order: { order_id: "123" } } }
    let(:order) { create(:order) }
    let(:user) { create(:user) }
@@ -11,9 +11,7 @@ describe Checkout::FormDataAdapter do
    let(:adapter) { Checkout::FormDataAdapter.new(params, order, user) }

    it "returns the :order item in the params provided" do
-      order_params = adapter.order_params
-
-      expect(order_params).to eq params[:order]
+      expect(adapter.params[:order]).to eq params[:order]
    end

    describe "when payment_attributes are provided" do
@@ -25,9 +23,7 @@ describe Checkout::FormDataAdapter do
        before { params[:payment_source] = { "123" => source_attributes } }

        it "moves payment source attributes to the order payment attributes" do
-          order_params = adapter.order_params
-
-          expect(order_params[:payments_attributes].
+          expect(adapter.params[:order][:payments_attributes].
                   first[:source_attributes]).to eq source_attributes
        end
      end
@@ -36,9 +32,7 @@ describe Checkout::FormDataAdapter do
        before { order.total = "50.0" }

        it "sets the payment attributes amount to the order total" do
-          order_params = adapter.order_params
-
-          expect(order_params[:payments_attributes].first[:amount]).to eq order.total
+          expect(adapter.params[:order][:payments_attributes].first[:amount]).to eq order.total
        end
      end

@@ -51,10 +45,8 @@ describe Checkout::FormDataAdapter do
          before { params[:order][:existing_card_id] = credit_card.id }

          it "adds card details to payment attributes" do
-            order_params = adapter.order_params
-
-            expect(order_params[:payments_attributes].first[:source][:id]).to eq credit_card.id
-            expect(order_params[:payments_attributes].
+            expect(adapter.params[:order][:payments_attributes].first[:source][:id]).to eq credit_card.id
+            expect(adapter.params[:order][:payments_attributes].
                     first[:source][:last_digits]).to eq credit_card.last_digits
          end
        end
@@ -63,7 +55,7 @@ describe Checkout::FormDataAdapter do
          let(:credit_card) { create(:credit_card) }

          it "raises exception if credit card provided doesnt belong to the current user" do
-            expect { adapter.order_params }.to raise_error Spree::Core::GatewayError
+            expect { adapter.params[:order] }.to raise_error Spree::Core::GatewayError
          end
        end
      end