From 6ba3a3c373662af5e6649b92da9ef50ca72264df Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Sun, 23 Feb 2020 12:49:27 +0000
Subject: [PATCH 01/13] Handle strong params in admin/enterprises_controller
---
 .../admin/enterprises_controller.rb | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/app/controllers/admin/enterprises_controller.rb b/app/controllers/admin/enterprises_controller.rb
index cf95180818..c51c586d73 100644
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -41,7 +41,7 @@ module Admin
 tag_rules_attributes = params[object_name].delete :tag_rules_attributes
 update_tag_rules(tag_rules_attributes) if tag_rules_attributes.present?
 update_enterprise_notifications
- if @object.update_attributes(params[object_name])
+ if @object.update_attributes(enterprise_params)
 invoke_callbacks(:update, :after)
 flash[:success] = flash_message_for(@object, :successfully_updated)
 respond_with(@object) do |format|
@@ -244,7 +244,7 @@ module Admin
 def override_sells
 unless spree_current_user.admin?
 has_hub = spree_current_user.owned_enterprises.is_hub.any?
- new_enterprise_is_producer = Enterprise.new(params[:enterprise]).is_primary_producer
+ new_enterprise_is_producer = Enterprise.new(enterprise_params).is_primary_producer
 params[:enterprise][:sells] = has_hub && !new_enterprise_is_producer ? 'any' : 'none'
 end
 end
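Review bot: `update_tag_rules(tag_rules_attributes)` two lines above the changed line still receives the raw `tag_rules_attributes` that the first context line deletes from `params[object_name]`, so that payload never passes through the new `enterprise_params` whitelist. If `update_tag_rules` mass-assigns it (its body is outside the hunk), it needs its own permit list; until then a comment on the delete line should mark the gap, `# removed before enterprise_params is built: update_tag_rules must whitelist these itself`. The update action continues past the end of the hunk.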
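Review bot: The last context line writes the computed `sells` back into the raw `params[:enterprise]`, and that value only reaches the model because `:sells` is on the list `enterprise_params` permits when the update action calls it later, a coupling nothing in the method states. A comment such as `# written into params so enterprise_params (which permits :sells) carries it to the model` would keep the next editor of the permit list from breaking the override. `Enterprise.new(enterprise_params)` also runs the full permit and builds a model just to cast one flag; reading `enterprise_params[:is_primary_producer]` directly would avoid that, but changes how the raw string is interpreted, so only do it if the cast is confirmed.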
@@ -303,5 +303,20 @@ module Admin
 def ams_prefix_whitelist
 [:index, :basic]
 end
+
+ def enterprise_params
+ return params[:enterprise] if params[:enterprise].empty?
+
+ params.require(:enterprise).permit(
+ :name, :is_primary_producer, :visible, :permalink,
+ :contact_name, :email_address, :phone, :sells, :owner_id,
+ :website, :facebook, :instagram, :linkedin, :twitter,
+ :abn, :acn, :charges_sales_tax, :display_invoice_logo,
+ :invoice_text, :description, :long_description, :promo_image,
+ :preferred_product_selection_from_inventory_only, :preferred_shopfront_message,
+ :preferred_shopfront_closed_message, :preferred_shopfront_taxon_order,
+ :preferred_shopfront_order_cycle_order, :require_login,
+ :allow_guest_orders, :allow_order_changes, :enable_subscriptions)
+ end
 end
 end
From 34488e5f635eed4ebfe5a34be514b2367c5b0b1a Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Sun, 23 Feb 2020 17:49:35 +0000
Subject: [PATCH 02/13] Handle strong params in enterprise_roles controller
---
 app/controllers/admin/enterprise_roles_controller.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/app/controllers/admin/enterprise_roles_controller.rb b/app/controllers/admin/enterprise_roles_controller.rb
index 98810e2a64..299292238e 100644
--- a/app/controllers/admin/enterprise_roles_controller.rb
+++ b/app/controllers/admin/enterprise_roles_controller.rb
@@ -7,7 +7,7 @@ module Admin
 end

 def create
- @enterprise_role = EnterpriseRole.new params[:enterprise_role]
+ @enterprise_role = EnterpriseRole.new enterprise_role_params

 if @enterprise_role.save
 render text: Api::Admin::EnterpriseRoleSerializer.new(@enterprise_role).to_json
@@ -22,5 +22,11 @@ module Admin
 @enterprise_role.destroy
 render nothing: true
 end
+
+ private
+
+ def enterprise_role_params
+ params.require(:enterprise_role).permit(:user_id, :enterprise_id)
+ end
 end
 end
From 5c179a0932b81b62f49976444e88c57922732366 Mon Sep 17 00:00:00 2001
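Review bot: The guard `return params[:enterprise] if params[:enterprise].empty?` raises `NoMethodError` when the `:enterprise` key is missing, because `nil` has no `empty?`, whereas the `params.require` two lines below would have reported that case as `ParameterMissing`; `return {} if params[:enterprise].blank?` covers both the empty and the absent case and hands callers a plain empty hash. The reason for the passthrough, that `require(:enterprise)` rejects an empty hash, is not written down and deserves a comment on that line. Permitting `:owner_id`, `:sells` and `:permalink` whitelists keys, not values, so whatever authorizes ownership or `sells` changes (only `override_sells` in the first hunk is visible) stays the sole guard. The same guard is carried into `PermittedAttributes::Enterprise#call` in patch 12, where this note applies as well.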
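Review bot: `permit(:user_id, :enterprise_id)` restricts the keys, not whether `spree_current_user` may grant a role on that `enterprise_id` to that `user_id`; the visible part of `create` in the previous hunk does no such check, so it presumably lives in a filter or ability outside the hunk, which is worth confirming before the permit list is treated as the guard. Spell the division of responsibility out on the method: `# Key whitelist only; whether the current user may manage this enterprise is authorized separately`.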
From: Luis Ramos
Date: Tue, 25 Feb 2020 16:43:15 +0000
Subject: [PATCH 03/13] Ammend strong params on enterprise controller to cover create action
---
 app/controllers/admin/enterprises_controller.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/app/controllers/admin/enterprises_controller.rb b/app/controllers/admin/enterprises_controller.rb
index c51c586d73..ae3c5308d0 100644
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -308,7 +308,7 @@ module Admin
 return params[:enterprise] if params[:enterprise].empty?

 params.require(:enterprise).permit(
- :name, :is_primary_producer, :visible, :permalink,
+ :id, :name, :is_primary_producer, :visible, :permalink,
 :contact_name, :email_address, :phone, :sells, :owner_id,
 :website, :facebook, :instagram, :linkedin, :twitter,
 :abn, :acn, :charges_sales_tax, :display_invoice_logo,
@@ -316,7 +316,14 @@ module Admin
 :preferred_product_selection_from_inventory_only, :preferred_shopfront_message,
 :preferred_shopfront_closed_message, :preferred_shopfront_taxon_order,
 :preferred_shopfront_order_cycle_order, :require_login,
- :allow_guest_orders, :allow_order_changes, :enable_subscriptions)
+ :allow_guest_orders, :allow_order_changes, :enable_subscriptions,
+ address_attributes: permitted_address_attributes
+ )
+ end
+
+ # Used in ResourceController#create
+ def permitted_resource_params
+ enterprise_params
 end
 end
 end
From 29a457575b4f689b63304b24e87e36fee5fdaaff Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Tue, 25 Feb 2020 18:13:40 +0000
Subject: [PATCH 04/13] Permit specific params in enterprise_groups controller
---
 app/controllers/admin/enterprise_groups_controller.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/app/controllers/admin/enterprise_groups_controller.rb b/app/controllers/admin/enterprise_groups_controller.rb
index 4494a7927a..f926852f6f 100644
--- a/app/controllers/admin/enterprise_groups_controller.rb
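Review bot: Adding a top-level `:id` to the `enterprise` whitelist lets the request body carry an `id` that can disagree with the `@object` loaded from the route on update, and on create an `id` should not come from the client at all; the commit message says it was needed for create but not what reads it. If it is only there so a nested form round-trips, confirm which path needs it and record that next to it, e.g. `:id, # needed by <create path — confirm>; update loads @object from the route, not from here`. The list later moves into `PermittedAttributes::Enterprise#basic_permitted_attributes` in patch 12 with `:id` still in it.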
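Review bot: `# Used in ResourceController#create` names the caller but not the effect: the override decides what the inherited create action mass-assigns, while `update` in this controller (outside the hunk, shown in patch 01) calls `enterprise_params` directly and does not go through it. A fuller comment keeps the two paths from drifting apart: `# Override of ResourceController#permitted_resource_params: create mass-assigns this; update calls enterprise_params itself`.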
+++ b/app/controllers/admin/enterprise_groups_controller.rb
@@ -55,5 +55,13 @@ module Admin
 def collection
 EnterpriseGroup.by_position
 end
+
+ def permitted_resource_params
+ params.require(:enterprise_group).permit(
+ :name, :description, :long_description, :on_front_page, :owner_id, :permalink,
+ :email, :website, :facebook, :instagram, :linkedin, :twitter,
+ enterprise_ids: [], address_attributes: permitted_address_attributes
+ )
+ end
 end
 end
From ad9e5d979ab100a77ab5ec16eae51ca7f15a08bc Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Tue, 25 Feb 2020 19:14:10 +0000
Subject: [PATCH 05/13] Permit extra needed params in enterprises controller
---
 app/controllers/admin/enterprises_controller.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/controllers/admin/enterprises_controller.rb b/app/controllers/admin/enterprises_controller.rb
index ae3c5308d0..157ac2937a 100644
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -317,7 +317,10 @@ module Admin
 :preferred_shopfront_closed_message, :preferred_shopfront_taxon_order,
 :preferred_shopfront_order_cycle_order, :require_login,
 :allow_guest_orders, :allow_order_changes, :enable_subscriptions,
- address_attributes: permitted_address_attributes
+ group_ids: [], user_ids: [],
+ shipping_method_ids: [], payment_method_ids: [],
+ address_attributes: permitted_address_attributes,
+ producer_properties_attributes: [:id, :property_name, :value, :_destroy]
 )
 end

From fec5e1d84ea42cdfcc26032123bccad15eada7ac Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Thu, 12 Mar 2020 11:30:03 +0000
Subject: [PATCH 06/13] Add needed param to enterprises controller
---
 app/controllers/admin/enterprises_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/admin/enterprises_controller.rb b/app/controllers/admin/enterprises_controller.rb
index 157ac2937a..4d2ea81eb2 100644
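Review bot: `enterprise_ids: []` and `:owner_id` accept any ids; the permit shapes the request, it does not decide whether the current user may attach those enterprises to the group or hand the group to a different owner, and the hunk shows no such check (it may sit in a model validation or ability outside the hunk; confirm). A comment on the method naming where that authorization lives, `# Key whitelist only; enterprise membership and owner changes are authorized in <filter/ability — fill in>`, would stop the list being read as the guard. Nothing in the hunk shows whether this method sits in a private section.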
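Review bot: `user_ids: []` and `group_ids: []` on the new side let one update replace the enterprise's entire set of associated users and groups (presumably the `*_ids=` writers of has_many associations), and dropping an id from the array detaches that row; the whitelist does not say which users or groups a non-admin owner may name. Whatever authorizes that is outside the hunk, so note it where the list is: `# user_ids/group_ids replace the whole association; membership changes are authorized in <filter/ability — fill in>`. The same applies to `shipping_method_ids` and `payment_method_ids` on the next added line.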
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -312,7 +312,7 @@ module Admin
 :contact_name, :email_address, :phone, :sells, :owner_id,
 :website, :facebook, :instagram, :linkedin, :twitter,
 :abn, :acn, :charges_sales_tax, :display_invoice_logo,
- :invoice_text, :description, :long_description, :promo_image,
+ :invoice_text, :description, :long_description, :logo, :promo_image,
 :preferred_product_selection_from_inventory_only, :preferred_shopfront_message,
 :preferred_shopfront_closed_message, :preferred_shopfront_taxon_order,
 :preferred_shopfront_order_cycle_order, :require_login,
From a9a92e11e2378e1cfd7436398132fa61ff897db0 Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Sat, 22 Feb 2020 17:41:45 +0000
Subject: [PATCH 07/13] Bring some strong parameters code from spree to our Spree controllers
This code comes from spree commit https://github.com/openfoodfoundation/spree/commit/fbc2d150f640399d73baab5295416da7131b95e7
---
 .../spree/admin/orders/customer_details_controller.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/app/controllers/spree/admin/orders/customer_details_controller.rb b/app/controllers/spree/admin/orders/customer_details_controller.rb
index e7bb5bf366..989e73fa46 100644
--- a/app/controllers/spree/admin/orders/customer_details_controller.rb
+++ b/app/controllers/spree/admin/orders/customer_details_controller.rb
@@ -18,7 +18,7 @@ module Spree
 end

 def update
- if @order.update_attributes(params[:order])
+ if @order.update_attributes(order_params)
 if params[:guest_checkout] == "false"
 @order.associate_user!(Spree.user_class.find_by(email: @order.email))
 end
@@ -41,6 +41,15 @@ module Spree

 private

+ def order_params
+ params.require(:order).permit(
+ :email,
+ :use_billing,
+ :bill_address_attributes => permitted_address_attributes,
+ :ship_address_attributes => permitted_address_attributes
+ )
+ end
+
 def load_order
 @order = Order.find_by_number!(params[:order_id], include: :adjustments)
 end
From 4fd3026bd8e0ebb0c7aee5842d3124ed6816711f Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Sat, 22 Feb 2020 19:03:48 +0000
Subject: [PATCH 08/13] Add strong parameters permits to some controllers
---
 app/controllers/admin/customers_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/controllers/admin/customers_controller.rb b/app/controllers/admin/customers_controller.rb
index 9941829d2b..bc8137d1b6 100644
--- a/app/controllers/admin/customers_controller.rb
+++ b/app/controllers/admin/customers_controller.rb
@@ -28,7 +28,7 @@ module Admin
 end

 def create
- @customer = Customer.new(params[:customer])
+ @customer = Customer.new(customer_params)
 if user_can_create_customer?
 if @customer.save
 tag_rule_mapping = TagRule.mapping_for(Enterprise.where(id: @customer.enterprise))
@@ -80,5 +80,9 @@ module Admin
 def ams_prefix_whitelist
 [:subscription]
 end
+
+ def customer_params
+ params.require(:customer).permit(:enterprise_id, :email)
+ end
 end
 end
From 9b0d7b96047246a4bd114448d52e6ef7722a1946 Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Tue, 25 Feb 2020 17:01:49 +0000
Subject: [PATCH 09/13] Ammend customers_controller to include ship address attributes permit and also permit #update with specific attributes
---
 app/controllers/admin/customers_controller.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/app/controllers/admin/customers_controller.rb b/app/controllers/admin/customers_controller.rb
index bc8137d1b6..b3b8b87ffb 100644
--- a/app/controllers/admin/customers_controller.rb
+++ b/app/controllers/admin/customers_controller.rb
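Review bot: `customer_params` is added after `ams_prefix_whitelist` with no visibility marker in the hunk, unlike patch 02, which put an explicit `private` before its params method; if that section is public here, `customer_params` becomes a public controller method. Confirm the marker above the hunk, or add `private` before the new method. It is also worth recording on the method that `user_can_create_customer?` in `create` is what scopes the permitted `:enterprise_id` to enterprises the user manages, presumably, since its body is outside the hunk.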
@@ -82,7 +82,15 @@ module Admin
 end

 def customer_params
- params.require(:customer).permit(:enterprise_id, :email)
+ params.require(:customer).permit(
+ :enterprise_id, :email,
+ ship_address_attributes: permitted_address_attributes
+ )
+ end
+
+ # Used in ResourceController#update
+ def permitted_resource_params
+ customer_params
 end
 end
 end
From 22a005df475bf257cfde8b96117be46f30b43c8c Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Sat, 7 Mar 2020 20:37:04 +0000
Subject: [PATCH 10/13] Add needed permitted attributes to admin/customers_controller
---
 app/controllers/admin/customers_controller.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/controllers/admin/customers_controller.rb b/app/controllers/admin/customers_controller.rb
index b3b8b87ffb..2a600db3bd 100644
--- a/app/controllers/admin/customers_controller.rb
+++ b/app/controllers/admin/customers_controller.rb
@@ -83,8 +83,9 @@ module Admin

 def customer_params
 params.require(:customer).permit(
- :enterprise_id, :email,
- ship_address_attributes: permitted_address_attributes
+ :enterprise_id, :name, :email, :code, :tag_list,
+ ship_address_attributes: permitted_address_attributes,
+ bill_address_attributes: permitted_address_attributes,
 )
 end

From e5f56c19c07a7ea6defab5202ab0277d8902ba98 Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Sat, 21 Mar 2020 20:00:26 +0000
Subject: [PATCH 11/13] Switch to using PermittedAttributes::Address instead of spree version of it that will be removed later
---
 app/controllers/admin/customers_controller.rb | 4 ++--
 app/controllers/admin/enterprise_groups_controller.rb | 2 +-
 app/controllers/admin/enterprises_controller.rb | 2 +-
 .../spree/admin/orders/customer_details_controller.rb | 4 ++--
 app/services/permitted_attributes/address.rb | 2 ++
 5 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/app/controllers/admin/customers_controller.rb b/app/controllers/admin/customers_controller.rb
index 2a600db3bd..d4cf9b15fe 100644
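Review bot: With `permitted_resource_params` now routing `ResourceController#update` through `customer_params`, an update can change `:enterprise_id`, i.e. move a customer to another enterprise, while the visible guard for that attribute, `user_can_create_customer?`, sits only in `create` (patch 08). Unless ResourceController's update authorizes against the new enterprise (outside the hunk; confirm), either drop `:enterprise_id` from the update path or add the check there. Extend the comment either way: `# Used in ResourceController#update — this also permits :enterprise_id, so the update path must authorize the target enterprise`.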
--- a/app/controllers/admin/customers_controller.rb
+++ b/app/controllers/admin/customers_controller.rb
@@ -84,8 +84,8 @@ module Admin
 def customer_params
 params.require(:customer).permit(
 :enterprise_id, :name, :email, :code, :tag_list,
- ship_address_attributes: permitted_address_attributes,
- bill_address_attributes: permitted_address_attributes,
+ ship_address_attributes: PermittedAttributes::Address.attributes,
+ bill_address_attributes: PermittedAttributes::Address.attributes,
 )
 end

diff --git a/app/controllers/admin/enterprise_groups_controller.rb b/app/controllers/admin/enterprise_groups_controller.rb
index f926852f6f..5483cdd45e 100644
--- a/app/controllers/admin/enterprise_groups_controller.rb
+++ b/app/controllers/admin/enterprise_groups_controller.rb
@@ -60,7 +60,7 @@ module Admin
 params.require(:enterprise_group).permit(
 :name, :description, :long_description, :on_front_page, :owner_id, :permalink,
 :email, :website, :facebook, :instagram, :linkedin, :twitter,
- enterprise_ids: [], address_attributes: permitted_address_attributes
+ enterprise_ids: [], address_attributes: PermittedAttributes::Address.attributes
 )
 end
 end
diff --git a/app/controllers/admin/enterprises_controller.rb b/app/controllers/admin/enterprises_controller.rb
index 4d2ea81eb2..518a8453a9 100644
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -319,7 +319,7 @@ module Admin
 :allow_guest_orders, :allow_order_changes, :enable_subscriptions,
 group_ids: [], user_ids: [],
 shipping_method_ids: [], payment_method_ids: [],
- address_attributes: permitted_address_attributes,
+ address_attributes: PermittedAttributes::Address.attributes,
 producer_properties_attributes: [:id, :property_name, :value, :_destroy]
 )
 end
diff --git a/app/controllers/spree/admin/orders/customer_details_controller.rb b/app/controllers/spree/admin/orders/customer_details_controller.rb
index 989e73fa46..4537f828a6 100644
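Review bot: These three controllers sit in `module Admin`, so the bare `PermittedAttributes::Address` on the added lines resolves through `Admin::` before the top level; it works as long as no `Admin::PermittedAttributes` ever exists, and patch 13 shows the same bare reference already failed inside `module Spree`. Qualifying it as `::PermittedAttributes::Address.attributes` in all three hunks here (-84, -60 and -319) makes the lookup independent of the enclosing namespace, as patch 13 does for the Spree controller.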
--- a/app/controllers/spree/admin/orders/customer_details_controller.rb
+++ b/app/controllers/spree/admin/orders/customer_details_controller.rb
@@ -45,8 +45,8 @@ module Spree
 params.require(:order).permit(
 :email,
 :use_billing,
- :bill_address_attributes => permitted_address_attributes,
- :ship_address_attributes => permitted_address_attributes
+ bill_address_attributes: PermittedAttributes::Address.attributes,
+ ship_address_attributes: PermittedAttributes::Address.attributes
 )
 end

diff --git a/app/services/permitted_attributes/address.rb b/app/services/permitted_attributes/address.rb
index 4fd7908297..4c7a538caf 100644
--- a/app/services/permitted_attributes/address.rb
+++ b/app/services/permitted_attributes/address.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module PermittedAttributes
 class Address
 def self.attributes
From 6b62c8aafd614cc546b5169dcbb7040e40010be9 Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Sat, 21 Mar 2020 20:14:11 +0000
Subject: [PATCH 12/13] Extract permitted attributes to separate service
---
 .../admin/enterprises_controller.rb | 18 +--------
 .../permitted_attributes/enterprise.rb | 37 +++++++++++++++++++
 2 files changed, 38 insertions(+), 17 deletions(-)
 create mode 100644 app/services/permitted_attributes/enterprise.rb
diff --git a/app/controllers/admin/enterprises_controller.rb b/app/controllers/admin/enterprises_controller.rb
index 518a8453a9..6198497e98 100644
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -305,23 +305,7 @@ module Admin
 end

 def enterprise_params
- return params[:enterprise] if params[:enterprise].empty?
-
- params.require(:enterprise).permit(
- :id, :name, :is_primary_producer, :visible, :permalink,
- :contact_name, :email_address, :phone, :sells, :owner_id,
- :website, :facebook, :instagram, :linkedin, :twitter,
- :abn, :acn, :charges_sales_tax, :display_invoice_logo,
- :invoice_text, :description, :long_description, :logo, :promo_image,
- :preferred_product_selection_from_inventory_only, :preferred_shopfront_message,
- :preferred_shopfront_closed_message, :preferred_shopfront_taxon_order,
- :preferred_shopfront_order_cycle_order, :require_login,
- :allow_guest_orders, :allow_order_changes, :enable_subscriptions,
- group_ids: [], user_ids: [],
- shipping_method_ids: [], payment_method_ids: [],
- address_attributes: PermittedAttributes::Address.attributes,
- producer_properties_attributes: [:id, :property_name, :value, :_destroy]
- )
+ PermittedAttributes::Enterprise.new(params).call
 end

 # Used in ResourceController#create
diff --git a/app/services/permitted_attributes/enterprise.rb b/app/services/permitted_attributes/enterprise.rb
new file mode 100644
index 0000000000..f02863b2a5
--- /dev/null
+++ b/app/services/permitted_attributes/enterprise.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module PermittedAttributes
+ class Enterprise
+ def initialize(params)
+ @params = params
+ end
+
+ def call
+ return @params[:enterprise] if @params[:enterprise].empty?
+
+ @params.require(:enterprise).permit(
+ basic_permitted_attributes + [
+ group_ids: [], user_ids: [],
+ shipping_method_ids: [], payment_method_ids: [],
+ address_attributes: PermittedAttributes::Address.attributes,
+ producer_properties_attributes: [:id, :property_name, :value, :_destroy]
+ ]
+ )
+ end
+
+ private
+
+ def basic_permitted_attributes
+ [
+ :id, :name, :visible, :permalink, :owner_id, :contact_name, :email_address, :phone,
+ :is_primary_producer, :sells, :website, :facebook, :instagram, :linkedin, :twitter,
+ :description, :long_description, :logo, :promo_image,
+ :allow_guest_orders, :allow_order_changes, :require_login, :enable_subscriptions,
+ :abn, :acn, :charges_sales_tax, :display_invoice_logo, :invoice_text,
+ :preferred_product_selection_from_inventory_only, :preferred_shopfront_message,
+ :preferred_shopfront_closed_message, :preferred_shopfront_taxon_order,
+ :preferred_shopfront_order_cycle_order
+ ]
+ end
+ end
+end
From b7cb95ae3ea53821c660f473871fc0f78449d1bb Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Sat, 21 Mar 2020 22:34:25 +0000
Subject: [PATCH 13/13] Fix problem in PermittedAttributes::Address namespace
---
 .../spree/admin/orders/customer_details_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/controllers/spree/admin/orders/customer_details_controller.rb b/app/controllers/spree/admin/orders/customer_details_controller.rb
index 4537f828a6..7503e42833 100644
--- a/app/controllers/spree/admin/orders/customer_details_controller.rb
+++ b/app/controllers/spree/admin/orders/customer_details_controller.rb
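Review bot: `basic_permitted_attributes` builds a fresh literal array on every call for a list that never changes; a frozen constant, `BASIC_ATTRIBUTES = %i[...].freeze` holding the same symbols, says it is fixed data and avoids the per-request allocation, a style point with identical behaviour. The class has no comment stating its contract either; a line above `class Enterprise` such as `# Strong-parameter whitelist for the :enterprise key of a controller's params; an empty hash is passed through because require(:enterprise) would reject it` carries what the removed controller method left implicit. The `@params[:enterprise].empty?` guard in `call` keeps the nil-key problem raised on patch 01: a missing `:enterprise` key raises `NoMethodError` instead of `ParameterMissing`.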
@@ -45,8 +45,8 @@ module Spree
 params.require(:order).permit(
 :email,
 :use_billing,
- bill_address_attributes: PermittedAttributes::Address.attributes,
- ship_address_attributes: PermittedAttributes::Address.attributes
+ bill_address_attributes: ::PermittedAttributes::Address.attributes,
+ ship_address_attributes: ::PermittedAttributes::Address.attributes
 )
 end
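Review bot: The `::` prefix fixes the lookup but nothing records why it is needed: inside `module Spree` the bare constant presumably resolved to Spree's own `PermittedAttributes` module rather than the app's, which is exactly the kind of prefix a later tidy-up removes. A comment on the first changed line keeps the reason with the code: `# ::-qualified: inside module Spree the bare name resolves to Spree::PermittedAttributes`. The Admin controllers touched by patch 11 still use the unqualified form.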