From c730958fe4bf9aaacdf83b5a3fd1b9c9080fa3fb Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Wed, 9 Oct 2019 18:35:10 +0100
Subject: [PATCH] Restrict search params passed to ProductsRenderer

---
 app/controllers/api/order_cycles_controller.rb | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/order_cycles_controller.rb b/app/controllers/api/order_cycles_controller.rb
index 084d54f44b..e61a27bf11 100644
--- a/app/controllers/api/order_cycles_controller.rb
+++ b/app/controllers/api/order_cycles_controller.rb
@@ -10,7 +10,7 @@ module Api
         distributor,
         order_cycle,
         customer,
-        params.slice(:q, :page, :per_page)
+        search_params
       ).products_json
 
       render json: products
@@ -40,6 +40,20 @@ module Api
 
     private
 
+    def search_params
+      permitted_search_params = params.slice :q, :page, :per_page
+
+      if permitted_search_params.key? :q
+        permitted_search_params[:q].slice!(*permitted_ransack_params)
+      end
+
+      permitted_search_params
+    end
+
+    def permitted_ransack_params
+      [:name_or_meta_keywords_or_supplier_name_cont, :properites_in_any, :primary_taxon_id_in_any]
+    end
+
     def distributor
       Enterprise.find_by_id(params[:distributor])
     end
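Review bot: `:properites_in_any` in the new `permitted_ransack_params` list looks like a misspelling of `properties`, and because `slice!` silently drops every `q` key that is not in the list, a storefront property filter would simply stop applying rather than fail loudly — worth confirming the exact key the front end sends and pinning it with a request spec. `permitted_search_params[:q].slice!(...)` also assumes `q` is a hash; with `?q=foo` it is a String (or an Array with `q[]=`), both of which raise `ArgumentError` for three positional arguments, so a malformed request would surface as a 500 instead of being ignored — a guard such as `permitted_search_params.delete(:q) unless permitted_search_params[:q].respond_to?(:keys)` before the `if` avoids that. `page` and `per_page` are still forwarded unvalidated; unless ProductsRenderer clamps `per_page`, a client can request an arbitrarily large page, which is the same cost-amplification concern the ransack whitelist is addressing. The enclosing controller class starts and ends outside this hunk.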