Handle strong params in subscriptions controller

2026-01-24 20:36:49 +00:00 · 2020-02-23 22:03:04 +00:00
parent d7cfda8385
commit c3897b2f1c
2 changed files with 20 additions and 6 deletions
--- a/app/controllers/admin/subscriptions_controller.rb
+++ b/app/controllers/admin/subscriptions_controller.rb
@@ -65,7 +65,7 @@ module Admin
    private

    def save_form_and_render(render_issues = true)
-      form = SubscriptionForm.new(@subscription, params[:subscription])
+      form = SubscriptionForm.new(@subscription, subscription_params)
      unless form.save
        render json: { errors: form.json_errors }, status: :unprocessable_entity
        return
@@ -149,11 +149,25 @@ module Admin
    # Overriding Spree method to load data from params here so that
    # we can authorise #create using an object with required attributes
    def build_resource
-      Subscription.new(params[:subscription])
+      Subscription.new(subscription_params)
    end

    def ams_prefix_whitelist
      [:index]
    end
+
+    def subscription_params
+      return params[:subscription] if params[:subscription].empty?
+
+      params.require(:subscription).permit(
+        :shop_id, :schedule_id, :customer_id,
+        :payment_method_id, :shipping_method_id,
+        :begins_at, :ends_at,
+        :canceled_at, :paused_at,
+        :subscription_line_items_attributes => [:id, :quantity, :variant_id],
+        :bill_address_attributes => permitted_address_attributes,
+        :ship_address_attributes => permitted_address_attributes
+      )
+    end
  end
 end
--- a/app/services/subscription_form.rb
+++ b/app/services/subscription_form.rb
@@ -1,21 +1,21 @@
 require 'open_food_network/proxy_order_syncer'

 class SubscriptionForm
-  attr_accessor :subscription, :params, :order_update_issues, :validator, :order_syncer, :estimator
+  attr_accessor :subscription, :subscription_params, :order_update_issues, :validator, :order_syncer, :estimator

  delegate :json_errors, :valid?, to: :validator
  delegate :order_update_issues, to: :order_syncer

-  def initialize(subscription, params = {})
+  def initialize(subscription, subscription_params = {})
    @subscription = subscription
-    @params = params
+    @subscription_params = subscription_params
    @estimator = SubscriptionEstimator.new(subscription)
    @validator = SubscriptionValidator.new(subscription)
    @order_syncer = OrderSyncer.new(subscription)
  end

  def save
-    subscription.assign_attributes(params)
+    subscription.assign_attributes(subscription_params)
    return false unless valid?

    subscription.transaction do