[Spree 2.1] Implement Strong Parameters #4644
Comments
We need to see what we are going to do with this. Anyway, I am commenting here just because if we decide to implement Strong parameters we need to remember to remove the gem protected_attributes from the Gemfile in the upgrade branch 👍
I found that when spree added their solution for strong parameters a lot of the attr_accessible entries were removed from the models here: if we want to make the solution with protected_attributes work we need to re-add these attr_accessible entries to the model decorators on our side. I tried with one and it worked well. It should be straightforward to get these re-added.
So the change here is that the whitelisting of which attributes can be updated has moved from models to controllers in Rails 4+. If we use
ok, I am not sure how many of those gems we would have to patch as we are talking about models, but I think that sounds reasonable and we will have to go strong parameters sooner or later anyway.
I am giving it a go by removing protected_attributes, attr_accessible and without_protection (see last 3 commits):
We have 31 models with attr_accessible and 9 usages of without_protection. We should probably create an epic and one issue for each model, right?
ok, so we started strong_params work with #4828 and #4827. We need to list the errors and controllers we need to work on and create issues for them. 4828 covers:
4827 covers:
The remaining errors in the build are coming from:
I think a lot of these will be really simple and quick, except
The following callbacks in

```ruby
# Per-action authorization filters that strip "controversial" keys out of
# params before update/bulk_update hand the hash to the model
before_filter :check_can_change_sells, only: :update
before_filter :check_can_change_bulk_sells, only: :bulk_update
before_filter :check_can_change_owner, only: :update
before_filter :check_can_change_bulk_owner, only: :bulk_update
before_filter :check_can_change_managers, only: :update
before_filter :strip_new_properties, only: [:create, :update]
```

Here's an example:

```ruby
# Only the enterprise owner or an admin may change the managers list;
# for anyone else the user_ids key is silently dropped from the request.
def check_can_change_managers
  unless (spree_current_user == @enterprise.owner) || spree_current_user.admin?
    params[:enterprise].delete :user_ids
  end
end
```

It would be great to refactor these callbacks whilst we're switching to strong_params, no? I'm wondering if we can do something like this (in a single method):

```ruby
# Build the permit list per request: uncontroversial keys always,
# controversial ones only when the current user is allowed to set them.
def enterprise_params
  permitted_params = [:list, :of, :uncontroversial, :params]
  permitted_params << :controversial_param if spree_current_user.can? :admin, @enterprise
  permitted_params << :controversial_param_2 if spree_current_user == @enterprise.owner
  # the attributes live under params[:enterprise], the hash the callbacks above edit
  params.require(:enterprise).permit(permitted_params)
end
```

And then 🔥 all 6 of those callbacks...? I guess this isn't a priority if #4827 is working...
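As an added example (not code from Open Food Network, Spree or any comment in this thread), here is the single-method, role-dependent permit list sketched above, and the model-to-controller whitelisting move described earlier, written against a small stand-in for ActionController::Parameters so that it runs without Rails. The PermitFilter class, the User and Enterprise structs, BASE_ATTRIBUTES, the owner_id rule and the SAMPLE_PARAMS request are all constructed for the illustration; only the managers rule (owner or admin may change user_ids) comes from the check_can_change_managers callback quoted above.

```ruby
# Stand-in for ActionController::Parameters (assumption: actionpack is not
# loaded here). Implements only require/permit over string-keyed hashes,
# with the same whitelisting semantics: unlisted keys never come out.
class PermitFilter
  class ParameterMissing < StandardError; end

  def initialize(raw)
    @raw = raw
  end

  # params.require(:enterprise): raise when the key is absent or empty.
  # Rails rescues ActionController::ParameterMissing as a 400 Bad Request.
  def require(key)
    value = @raw[key.to_s]
    raise ParameterMissing, "param is missing or the value is empty: #{key}" if value.nil? || value == {}
    PermitFilter.new(value)
  end

  # params.permit(:name, user_ids: []): keep only the listed keys.
  # A symbol/string permits a scalar; { key => [] } permits an array of scalars.
  def permit(*filters)
    filters.flatten.each_with_object({}) do |filter, out|
      case filter
      when Symbol, String
        key = filter.to_s
        out[key] = @raw[key] if @raw.key?(key) && scalar?(@raw[key])
      when Hash
        filter.each do |key, shape|
          key = key.to_s
          next unless shape == [] && @raw[key].is_a?(Array)
          out[key] = @raw[key].select { |v| scalar?(v) }
        end
      end
    end
  end

  private

  def scalar?(v)
    v.is_a?(String) || v.is_a?(Numeric) || v == true || v == false || v.nil?
  end
end

# Constructed stand-ins for spree_current_user and @enterprise.
User = Struct.new(:id, :admin) do
  def admin?
    admin
  end
end
Enterprise = Struct.new(:owner_id)

# Attributes anyone may update on the enterprise form (constructed list).
BASE_ATTRIBUTES = %w[name description].freeze

# The single-method refactor: each former before_filter becomes one
# conditional push onto the permit list for this request.
def enterprise_permit_list(user, enterprise)
  owner = user.id == enterprise.owner_id
  list = BASE_ATTRIBUTES.dup
  # check_can_change_managers: only the owner or an admin may change managers
  list << { 'user_ids' => [] } if owner || user.admin?
  # check_can_change_owner: assumed here to follow the same owner-or-admin rule
  list << 'owner_id' if owner || user.admin?
  list
end

# What the controller's enterprise_params would return for a given user.
def enterprise_params(raw_params, user, enterprise)
  PermitFilter.new(raw_params).require(:enterprise).permit(enterprise_permit_list(user, enterprise))
end

# Constructed request body, shaped like a parsed PATCH /admin/enterprises/:id form.
SAMPLE_PARAMS = {
  'utf8' => '✓',
  'enterprise' => {
    'name' => 'Example Farm',
    'description' => 'weekly veg boxes',
    'user_ids' => ['4', '9', ['nested']],   # the nested array is not a scalar: dropped
    'owner_id' => '2',
    'is_primary_producer' => 'true'         # never in the list: dropped for everyone
  }
}.freeze

if $PROGRAM_NAME == __FILE__
  enterprise = Enterprise.new(1)
  p enterprise_params(SAMPLE_PARAMS, User.new(7, false), enterprise) # plain user
  p enterprise_params(SAMPLE_PARAMS, User.new(1, false), enterprise) # owner
end
```

The effect of the refactor shows in the return values rather than in any error: a non-owner who submits user_ids or owner_id does not get a rejection, the keys simply never reach the model, which is exactly what the before_filter achieved by deleting them. The second point worth keeping when porting the real controller is require(:enterprise): without it a request that omits the enterprise hash falls through to nil handling inside the action instead of being rejected up front.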
yeah, that would be great. I ended up going for the quick path in enterprises and it looks like it's working, it's in #4827. So, this issue is finished with #4827, #4828, #4832 and #4833. We may find other specs broken because of missing permitted attributes but we can add them as we go fixing the upgrade build.
I had a nagging thought at the back of my mind: what if we have an endpoint somewhere where in the test suite we only test some but not all of its possible combinations of submitted params? 😬
yes, that will probably happen, we can only go ahead and test it to find out :-)
This issue will be closed when the 8 PRs currently in code review are merged.
Closing as all the related PRs have now been merged 🎉
Rails 4 introduces Strong Parameters, and we need to adapt the codebase to use it.
Spree's implementation is here:
https://github.com/spree/spree/blob/4cc2c2967352d3fe7652bd873e492c074ffcc3da/core/lib/spree/core/controller_helpers/strong_parameters.rb
https://github.com/spree/spree/blob/4cc2c2967352d3fe7652bd873e492c074ffcc3da/core/lib/spree/permitted_attributes.rb
https://github.com/spree/spree/blob/4cc2c2967352d3fe7652bd873e492c074ffcc3da/core/spec/lib/spree/core/controller_helpers/strong_parameters_spec.rb