Merge pull request #5034 from luisramos0/strong_params_payment_methods

[Spree 2.1] Implement strong params in admin payment methods controller
2026-02-10 23:07:47 +00:00 · 2020-03-25 09:39:34 +01:00
parent 85f6be756e df799340df
commit c5621b7740
2 changed files with 31 additions and 13 deletions
--- a/app/controllers/spree/admin/payment_methods_controller.rb
+++ b/app/controllers/spree/admin/payment_methods_controller.rb
@@ -15,7 +15,7 @@ module Spree
        @payment_method = params[:payment_method].
          delete(:type).
          constantize.
-          new(params[:payment_method])
+          new(payment_method_params)
        @object = @payment_method

        invoke_callbacks(:create, :before)
@@ -40,15 +40,7 @@ module Spree
          @payment_method = PaymentMethod.find(params[:id])
        end

-        payment_method_params = params[ActiveModel::Naming.param_key(@payment_method)] || {}
-        attributes = params[:payment_method].merge(payment_method_params)
-        attributes.each do |k, _v|
-          if k.include?("password") && attributes[k].blank?
-            attributes.delete(k)
-          end
-        end
-
-        if @payment_method.update_attributes(attributes)
+        if @payment_method.update_attributes(params_for_update)
          invoke_callbacks(:update, :after)
          flash[:success] = Spree.t(:successfully_updated, resource: Spree.t(:payment_method))
          redirect_to edit_admin_payment_method_path(@payment_method)
@@ -100,6 +92,17 @@ module Spree

      private

+      def payment_method_params
+        params.require(:payment_method).permit(
+          :name, :description, :type, :active,
+          :environment, :display_on, :tag_list,
+          :preferred_enterprise_id, :preferred_server, :preferred_login, :preferred_password,
+          :calculator_type,
+          :preferred_signature, :preferred_solution, :preferred_landing_page, :preferred_logourl,
+          :preferred_test_mode, distributor_ids: []
+        )
+      end
+
      def force_environment
        params[:payment_method][:environment] = Rails.env unless spree_current_user.admin?
      end
@@ -156,6 +159,21 @@ module Spree
      def stripe_provider?(provider)
        provider.name.ends_with?("StripeConnect", "StripeSCA")
      end
+
+      # Merge payment method params with gateway params like :gateway_stripe_connect
+      # Also, remove password if present and blank
+      def params_for_update
+        gateway_params = params[ActiveModel::Naming.param_key(@payment_method)] || {}
+        params_for_update = payment_method_params.merge(gateway_params)
+
+        params_for_update.each do |key, _value|
+          if key.include?("password") && params_for_update[key].blank?
+            params_for_update.delete(key)
+          end
+        end
+
+        params_for_update
+      end
    end
  end
 end
--- a/spec/controllers/spree/admin/payment_methods_controller_spec.rb
+++ b/spec/controllers/spree/admin/payment_methods_controller_spec.rb
@@ -8,7 +8,7 @@ module Spree
  describe Admin::PaymentMethodsController, type: :controller do
    describe "#create and #update" do
      let!(:enterprise) { create(:distributor_enterprise, owner: user) }
-      let(:payment_method) { GatewayWithPassword.create!(name: "Bogus", preferred_password: "haxme", distributor_ids: [enterprise.id], preferred_enterprise_id: enterprise.id) }
+      let(:payment_method) { GatewayWithPassword.create!(name: "Bogus", preferred_password: "haxme", distributor_ids: [enterprise.id]) }
      let!(:user) { create(:user) }

      before { allow(controller).to receive(:spree_current_user) { user } }
@@ -32,7 +32,7 @@ module Spree

      it "can create a payment method of a valid type" do
        expect {
-          spree_post :create, payment_method: { name: "Test Method", type: "Spree::Gateway::Bogus", distributor_ids: [enterprise.id], preferred_enterprise_id: enterprise.id }
+          spree_post :create, payment_method: { name: "Test Method", type: "Spree::Gateway::Bogus", distributor_ids: [enterprise.id] }
        }.to change(Spree::PaymentMethod, :count).by(1)

        expect(response).to be_redirect
@@ -41,7 +41,7 @@ module Spree

      it "can not create a payment method of an invalid type" do
        expect {
-          spree_post :create, payment_method: { name: "Invalid Payment Method", type: "Spree::InvalidType", distributor_ids: [enterprise.id], preferred_enterprise_id: enterprise.id }
+          spree_post :create, payment_method: { name: "Invalid Payment Method", type: "Spree::InvalidType", distributor_ids: [enterprise.id] }
        }.to change(Spree::PaymentMethod, :count).by(0)

        expect(response).to be_redirect