diff --git a/app/controllers/admin/bulk_line_items_controller.rb b/app/controllers/admin/bulk_line_items_controller.rb
index 86a2f539e20..dba7bd9befd 100644
--- a/app/controllers/admin/bulk_line_items_controller.rb
+++ b/app/controllers/admin/bulk_line_items_controller.rb
@@ -29,7 +29,7 @@ def update
 # See https://github.com/rails/rails/blob/3-2-stable/activerecord/lib/active_record/locking/pessimistic.rb#L69
 # and https://www.postgresql.org/docs/current/static/sql-select.html#SQL-FOR-UPDATE-SHARE
 order.with_lock do
- if @line_item.update_attributes(params[:line_item])
+ if @line_item.update_attributes(line_item_params)
 order.update_distribution_charge!
 render nothing: true, status: :no_content # No Content, does not trigger ng resource auto-update
 else
@@ -73,5 +73,9 @@ def authorize_update!
 def order
 @line_item.order
 end
+
+ def line_item_params
+ params.require(:line_item).permit(:price, :quantity, :final_weight_volume)
+ end
 end
 end
diff --git a/app/controllers/admin/enterprise_relationships_controller.rb b/app/controllers/admin/enterprise_relationships_controller.rb
index 1996b4f73d7..c3e5dbe051f 100644
--- a/app/controllers/admin/enterprise_relationships_controller.rb
+++ b/app/controllers/admin/enterprise_relationships_controller.rb
@@ -25,7 +25,7 @@ def destroy
 private
 def enterprise_relationship_params
- params.require(:enterprise_relationship).permit(:parent_id, :child_id, :permissions_list)
+ params.require(:enterprise_relationship).permit(:parent_id, :child_id, permissions_list: [])
 end
 end
 end
diff --git a/app/controllers/admin/inventory_items_controller.rb b/app/controllers/admin/inventory_items_controller.rb
index 4567c646320..10ffbf1abd8 100644
--- a/app/controllers/admin/inventory_items_controller.rb
+++ b/app/controllers/admin/inventory_items_controller.rb
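Review bot: `line_item_params` permits `:price`, so anyone who passes `authorize_update!` can reprice a line item on an existing order, not only change its quantity or weight; `authorize_update!` is defined above this hunk, so whether it limits this to the order's own enterprise managers is not visible here. If repricing from the bulk order screen is intended, record it so the next reader does not "tighten" it away: `# :price is editable on purpose: hub managers correct item prices in the bulk order editor`. If it is not, drop `:price` from the permit list and expose repricing through a separately authorised action.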
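Review bot: `permissions_list: []` now lets the array through, but each element is an arbitrary client string, so unless `EnterpriseRelationship` validates every entry against its known permission names (not visible in this hunk) a crafted request can store a permission the UI never offers. Intersecting the array with the model's list of valid permission names before assignment, or confirming the model rejects unknown names, closes that. The same applies to `:parent_id`: the create action, outside this hunk, must confirm the parent is an enterprise the current user manages.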
@@ -14,14 +14,14 @@ class InventoryItemsController < ResourceController
 private
- # Overriding Spree method to load data from params here so that
+ # Overriding resource_controller method to load data from params here so that
 # we can authorise #create using an object with required attributes
 def build_resource
- if parent_data.present?
- parent.public_send(controller_name).build
- else
- model_class.new(params[object_name]) # This line changed
- end
+ model_class.new(permitted_resource_params)
+ end
+
+ def permitted_resource_params
+ params.require(:inventory_item).permit(:enterprise_id, :variant_id, :visible)
 end
 end
 end
diff --git a/app/controllers/admin/schedules_controller.rb b/app/controllers/admin/schedules_controller.rb
index e71917044b1..8c8392372e6 100644
--- a/app/controllers/admin/schedules_controller.rb
+++ b/app/controllers/admin/schedules_controller.rb
@@ -93,5 +93,13 @@ def sync_subscriptions
 syncer = OpenFoodNetwork::ProxyOrderSyncer.new(subscriptions)
 syncer.sync!
 end
+
+ def permitted_resource_params
+ params.require(:schedule).permit(
+ :id,
+ :name,
+ order_cycle_ids: []
+ )
+ end
 end
 end
diff --git a/app/controllers/spree/admin/adjustments_controller.rb b/app/controllers/spree/admin/adjustments_controller.rb
index 07a9207c14c..dc9596d2429 100644
--- a/app/controllers/spree/admin/adjustments_controller.rb
+++ b/app/controllers/spree/admin/adjustments_controller.rb
@@ -66,6 +66,12 @@ def set_included_tax
 def enable_updates
 @adjustment.close
 end
+
+ def permitted_resource_params
+ params.require(:adjustment).permit(
+ :label, :amount, :included_tax
+ )
+ end
 end
 end
 end
diff --git a/app/controllers/spree/admin/images_controller.rb b/app/controllers/spree/admin/images_controller.rb
index 2a46ebec92a..168f01466d0 100644
--- a/app/controllers/spree/admin/images_controller.rb
+++ b/app/controllers/spree/admin/images_controller.rb
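Review bot: `build_resource` no longer consults `parent_data`, so if this controller is ever routed nested under an enterprise the parent is now ignored and `enterprise_id` is taken from the request body instead; if it is only routed flat that is fine, but it is worth stating. Since the comment kept above says the override exists so `#create` can be authorised on the built object, the client-supplied `enterprise_id` is exactly what that check must verify, e.g. `# enterprise_id comes from the client; authorize! on the built object must confirm the user manages it`. Note also that `params.require(:inventory_item)` now raises ParameterMissing (400) when the key is absent, where the old branch built an empty record; confirm every caller sends the wrapper key.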
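Review bot: permitting `:id` in `permitted_resource_params` lets a client rewrite the primary key of the schedule being updated, because once `id` is permitted Rails mass-assigns it like any other column and ResourceController already loads the record from the route, so nothing here needs it. Drop it: `params.require(:schedule).permit(:name, order_cycle_ids: [])`. `order_cycle_ids: []` also accepts any ids; whether the schedule actions scope them to order cycles the current user may manage is outside this hunk.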
@@ -34,6 +34,12 @@ def set_viewable
 def destroy_before
 @viewable = @image.viewable
 end
+
+ def permitted_resource_params
+ params.require(:image).permit(
+ :attachment, :viewable_id, :alt
+ )
+ end
 end
 end
 end
diff --git a/app/controllers/spree/admin/payments_controller.rb b/app/controllers/spree/admin/payments_controller.rb
index af100b7c808..7627e5c6a20 100644
--- a/app/controllers/spree/admin/payments_controller.rb
+++ b/app/controllers/spree/admin/payments_controller.rb
@@ -82,7 +82,7 @@ def object_params
 source_params = params.delete(:payment_source)[params[:payment][:payment_method_id]]
 params[:payment][:source_attributes] = source_params
 end
- params[:payment]
+ params.require(:payment).permit(:amount, :payment_method_id, :source_attributes)
 end
 def load_data
diff --git a/app/controllers/spree/admin/shipping_methods_controller.rb b/app/controllers/spree/admin/shipping_methods_controller.rb
index 902a028b5ba..a8c5dbb1e13 100644
--- a/app/controllers/spree/admin/shipping_methods_controller.rb
+++ b/app/controllers/spree/admin/shipping_methods_controller.rb
@@ -81,6 +81,14 @@ def load_data
 @available_zones = Zone.order(:name)
 @calculators = ShippingMethod.calculators.sort_by(&:name)
 end
+
+ def permitted_resource_params
+ params.require(:shipping_method).permit(
+ :name, :description, :display_on,
+ :require_ship_address, :tag_list, :calculator_type,
+ distributor_ids: []
+ )
+ end
 end
 end
 end
diff --git a/app/controllers/spree/admin/states_controller.rb b/app/controllers/spree/admin/states_controller.rb
index eebbee8d446..91b7672df24 100644
--- a/app/controllers/spree/admin/states_controller.rb
+++ b/app/controllers/spree/admin/states_controller.rb
@@ -24,6 +24,10 @@ def collection
 def load_data
 @countries = Country.order(:name)
 end
+
+ def permitted_resource_params
+ params.require(:state).permit(:name, :abbr)
+ end
 end
 end
 end
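Review bot: `:viewable_id` is permitted without `:viewable_type`, while the hunk context shows the controller already resolves the owner itself (`set_viewable`, and `@viewable = @image.viewable` in `destroy_before`), so a client can re-point an uploaded image at any owner id it names and bypass whatever `set_viewable` authorised. Unless an image form posts `viewable_id` deliberately, narrow it to `params.require(:image).permit(:attachment, :alt)` and assign the owner from `@viewable`. If it has to stay, reject the request when the id does not match the object `set_viewable` loaded.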
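Review bot: `permit(:source_attributes)` permits a scalar value, not a nested hash, so the card attributes copied into `params[:payment][:source_attributes]` two lines above are silently filtered out (strong parameters log them as unpermitted and drop them) and the payment would be built without its source. The nested keys must be listed explicitly, e.g. `permit(:amount, :payment_method_id, source_attributes: [...])` with whatever fields the card form posts. `object_params` begins above this hunk; separately, `params.delete(:payment_source)[...]` yields nil when the chosen method id has no entry, which then assigns a nil source, but that line is unchanged here.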
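Review bot: `:calculator_type` is mass-assigned as a class name, and if the `calculator_type=` setter follows Spree's usual implementation (constantize the string, then instantiate it) an admin form can name any loadable class rather than one of the `ShippingMethod.calculators` that `load_data` offers just above. Check the value against that list before assignment, e.g. `permitted.delete(:calculator_type) unless ShippingMethod.calculators.map(&:name).include?(permitted[:calculator_type])`. `distributor_ids: []` likewise accepts arbitrary enterprise ids; whether the model limits them to enterprises the user manages is not visible here.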
diff --git a/app/controllers/spree/admin/tax_categories_controller.rb b/app/controllers/spree/admin/tax_categories_controller.rb
index 26cff4479f8..e4f7e4bff62 100644
--- a/app/controllers/spree/admin/tax_categories_controller.rb
+++ b/app/controllers/spree/admin/tax_categories_controller.rb
@@ -14,6 +14,12 @@ def destroy
 end
 end
 end
+
+ private
+
+ def permitted_resource_params
+ params.require(:tax_category).permit(:name, :description, :is_default)
+ end
 end
 end
diff --git a/app/controllers/spree/admin/tax_rates_controller.rb b/app/controllers/spree/admin/tax_rates_controller.rb
index 89d90988498..0f828abfee9 100644
--- a/app/controllers/spree/admin/tax_rates_controller.rb
+++ b/app/controllers/spree/admin/tax_rates_controller.rb
@@ -21,6 +21,13 @@ def update_after
 def create_after
 Rails.cache.delete('vat_rates')
 end
+
+ def permitted_resource_params
+ params.require(:tax_rate).permit(
+ :name, :amount, :included_in_price, :zone_id,
+ :tax_category_id, :show_rate_in_label, :calculator_type
+ )
+ end
 end
 end
diff --git a/app/controllers/spree/admin/taxonomies_controller.rb b/app/controllers/spree/admin/taxonomies_controller.rb
index cbbf85e2124..fb735ec4fa0 100644
--- a/app/controllers/spree/admin/taxonomies_controller.rb
+++ b/app/controllers/spree/admin/taxonomies_controller.rb
@@ -16,6 +16,10 @@ def location_after_save
 admin_taxonomies_url
 end
 end
+
+ def permitted_resource_params
+ params.require(:taxonomy).permit(:name)
+ end
 end
 end
diff --git a/app/controllers/spree/admin/taxons_controller.rb b/app/controllers/spree/admin/taxons_controller.rb
index ddc1b63c709..739b2df31af 100644
--- a/app/controllers/spree/admin/taxons_controller.rb
+++ b/app/controllers/spree/admin/taxons_controller.rb
@@ -89,7 +89,7 @@ def update
 @update_children = true
 end
- if @taxon.update_attributes(params[:taxon])
+ if @taxon.update_attributes(taxon_params)
 flash[:success] = flash_message_for(@taxon, :successfully_updated)
 end
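Review bot: `:calculator_type` on the tax-rate permit list raises the same concern as on shipping methods: if the setter constantizes and instantiates the string, the client can name any loadable class rather than one of the calculators the form offers. Restrict it to the names that populate the form's calculator select before assignment, and reject anything else. `:zone_id` and `:tax_category_id` are plain foreign keys for an admin-only screen and look fine.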
@@ -113,6 +113,15 @@ def destroy
 @taxon.destroy
 respond_with(@taxon) { |format| format.json { render json: '' } }
 end
+
+ private
+
+ def taxon_params
+ params.require(:taxon).permit(
+ :name, :parent_id, :position, :icon, :description, :permalink,
+ :taxonomy_id, :meta_description, :meta_keywords, :meta_title
+ )
+ end
 end
 end
 end
diff --git a/app/controllers/spree/admin/zones_controller.rb b/app/controllers/spree/admin/zones_controller.rb
index 5b5b9d876b1..466729ed03b 100644
--- a/app/controllers/spree/admin/zones_controller.rb
+++ b/app/controllers/spree/admin/zones_controller.rb
@@ -21,6 +21,12 @@ def load_data
 @states = State.order(:name)
 @zones = Zone.order(:name)
 end
+
+ def permitted_resource_params
+ params.require(:zone).permit(
+ :name, :description, :default_tax
+ )
+ end
 end
 end
 end
diff --git a/app/controllers/spree/credit_cards_controller.rb b/app/controllers/spree/credit_cards_controller.rb
index 3381a240e81..91d5e2d223c 100644
--- a/app/controllers/spree/credit_cards_controller.rb
+++ b/app/controllers/spree/credit_cards_controller.rb
@@ -26,7 +26,7 @@ def update
 authorize! :update, @credit_card
- if @credit_card.update_attributes(params[:credit_card])
+ if @credit_card.update_attributes(credit_card_params)
 render json: @credit_card, serializer: ::Api::CreditCardSerializer, status: :ok
 else
 update_failed
@@ -96,5 +96,9 @@ def build_card_from(attrs)
 def update_failed
 render json: { flash: { error: t(:card_could_not_be_updated) } }, status: :bad_request
 end
+
+ def credit_card_params
+ params.require(:credit_card).permit(:is_default, :year, :month)
+ end
 end
 end
diff --git a/app/controllers/spree/orders_controller.rb b/app/controllers/spree/orders_controller.rb
index 09f93742478..9c3889c8dfe 100644
--- a/app/controllers/spree/orders_controller.rb
+++ b/app/controllers/spree/orders_controller.rb
@@ -74,7 +74,7 @@ def update
 redirect_to(main_app.root_path) && return
 end
- if @order.update_attributes(params[:order])
+ if @order.update_attributes(order_params)
 discard_empty_line_items
 with_open_adjustments { update_totals_and_taxes }
@@ -224,5 +224,12 @@ def check_at_least_one_line_item
 redirect_to order_path(order_to_update)
 end
 end
+
+ def order_params
+ params.require(:order).permit(
+ :distributor_id, :order_cycle_id,
+ line_items_attributes: [:id, :quantity]
+ )
+ end
 end
 end
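Review bot: this is the storefront `Spree::OrdersController`, so `:distributor_id` and `:order_cycle_id` in `order_params` are client-controlled on every cart update; unless the order model (or the `update` guard that begins above the first hunk) validates that every line item is available from that distributor/order-cycle pair, a shopper can move a cart to a distributor or closed order cycle it was not built for. `line_items_attributes: [:id, :quantity]` is fine, since nested attributes resolve `id` within `order.line_items`, though a negative `quantity` is only caught if the model validates it. Record where the pair is checked: `# distributor_id/order_cycle_id are client-supplied; validity against the cart's variants is enforced in the model -- confirm`.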