openfoodfoundation · sauloperez · Mar 25, 2020 · Feb 22, 2020 · Feb 22, 2020 · Feb 23, 2020
diff --git a/app/controllers/admin/bulk_line_items_controller.rb b/app/controllers/admin/bulk_line_items_controller.rb
@@ -29,7 +29,7 @@ def update
       # See https://github.com/rails/rails/blob/3-2-stable/activerecord/lib/active_record/locking/pessimistic.rb#L69
       # and https://www.postgresql.org/docs/current/static/sql-select.html#SQL-FOR-UPDATE-SHARE
       order.with_lock do
-        if @line_item.update_attributes(params[:line_item])
+        if @line_item.update_attributes(line_item_params)
           order.update_distribution_charge!
           render nothing: true, status: :no_content # No Content, does not trigger ng resource auto-update
         else
@@ -73,5 +73,9 @@ def authorize_update!
     def order
       @line_item.order
     end
+
+    def line_item_params
+      params.require(:line_item).permit(:price, :quantity, :final_weight_volume)
+    end
   end
 end
diff --git a/app/controllers/admin/enterprise_relationships_controller.rb b/app/controllers/admin/enterprise_relationships_controller.rb
@@ -25,7 +25,7 @@ def destroy
     private
 
     def enterprise_relationship_params
-      params.require(:enterprise_relationship).permit(:parent_id, :child_id, :permissions_list)
+      params.require(:enterprise_relationship).permit(:parent_id, :child_id, permissions_list: [])
     end
   end
 end
diff --git a/app/controllers/admin/inventory_items_controller.rb b/app/controllers/admin/inventory_items_controller.rb
@@ -14,14 +14,14 @@ class InventoryItemsController < ResourceController
 
     private
 
-    # Overriding Spree method to load data from params here so that
+    # Overriding resource_controller method to load data from params here so that
     # we can authorise #create using an object with required attributes
     def build_resource
-      if parent_data.present?
-        parent.public_send(controller_name).build
-      else
-        model_class.new(params[object_name]) # This line changed
-      end
+      model_class.new(permitted_resource_params)
+    end
+
+    def permitted_resource_params
+      params.require(:inventory_item).permit(:enterprise_id, :variant_id, :visible)
     end
   end
 end
diff --git a/app/controllers/admin/schedules_controller.rb b/app/controllers/admin/schedules_controller.rb
@@ -93,5 +93,13 @@ def sync_subscriptions
       syncer = OpenFoodNetwork::ProxyOrderSyncer.new(subscriptions)
       syncer.sync!
     end
+
+    def permitted_resource_params
+      params.require(:schedule).permit(
+        :id,
+        :name,
+        order_cycle_ids: []
+      )
+    end
   end
 end
diff --git a/app/controllers/spree/admin/adjustments_controller.rb b/app/controllers/spree/admin/adjustments_controller.rb
@@ -66,6 +66,12 @@ def set_included_tax
       def enable_updates
         @adjustment.close
       end
+
+      def permitted_resource_params
+        params.require(:adjustment).permit(
+          :label, :amount, :included_tax
+        )
+      end
     end
   end
 end
diff --git a/app/controllers/spree/admin/images_controller.rb b/app/controllers/spree/admin/images_controller.rb
@@ -34,6 +34,12 @@ def set_viewable
       def destroy_before
         @viewable = @image.viewable
       end
+
+      def permitted_resource_params
+        params.require(:image).permit(
+          :attachment, :viewable_id, :alt
+        )
+      end
     end
   end
 end
diff --git a/app/controllers/spree/admin/payments_controller.rb b/app/controllers/spree/admin/payments_controller.rb
@@ -82,7 +82,7 @@ def object_params
            source_params = params.delete(:payment_source)[params[:payment][:payment_method_id]]
           params[:payment][:source_attributes] = source_params
         end
-        params[:payment]
+        params.require(:payment).permit(:amount, :payment_method_id, :source_attributes)
       end
 
       def load_data

diff --git a/app/controllers/spree/admin/shipping_methods_controller.rb b/app/controllers/spree/admin/shipping_methods_controller.rb
@@ -81,6 +81,14 @@ def load_data
         @available_zones = Zone.order(:name)
         @calculators = ShippingMethod.calculators.sort_by(&:name)
       end
+
+      def permitted_resource_params
+        params.require(:shipping_method).permit(
+          :name, :description, :display_on,
+          :require_ship_address, :tag_list, :calculator_type,
+          distributor_ids: []
+        )
+      end
     end
   end
 end
diff --git a/app/controllers/spree/admin/states_controller.rb b/app/controllers/spree/admin/states_controller.rb
@@ -24,6 +24,10 @@ def collection
       def load_data
         @countries = Country.order(:name)
       end
+
+      def permitted_resource_params
+        params.require(:state).permit(:name, :abbr)
+      end
     end
   end
 end
diff --git a/app/controllers/spree/admin/tax_categories_controller.rb b/app/controllers/spree/admin/tax_categories_controller.rb
@@ -14,6 +14,12 @@ def destroy
           end
         end
       end
+
+      private
+
+      def permitted_resource_params
+        params.require(:tax_category).permit(:name, :description, :is_default)
+      end
     end
   end
 end
diff --git a/app/controllers/spree/admin/tax_rates_controller.rb b/app/controllers/spree/admin/tax_rates_controller.rb
@@ -21,6 +21,13 @@ def update_after
       def create_after
         Rails.cache.delete('vat_rates')
       end
+
+      def permitted_resource_params
+        params.require(:tax_rate).permit(
+          :name, :amount, :included_in_price, :zone_id,
+          :tax_category_id, :show_rate_in_label, :calculator_type
+        )
+      end
     end
   end
 end
diff --git a/app/controllers/spree/admin/taxonomies_controller.rb b/app/controllers/spree/admin/taxonomies_controller.rb
@@ -16,6 +16,10 @@ def location_after_save
           admin_taxonomies_url
         end
       end
+
+      def permitted_resource_params
+        params.require(:taxonomy).permit(:name)
+      end
     end
   end
 end
diff --git a/app/controllers/spree/admin/taxons_controller.rb b/app/controllers/spree/admin/taxons_controller.rb
@@ -89,7 +89,7 @@ def update
           @update_children = true
         end
 
-        if @taxon.update_attributes(params[:taxon])
+        if @taxon.update_attributes(taxon_params)
           flash[:success] = flash_message_for(@taxon, :successfully_updated)
         end
 
@@ -113,6 +113,15 @@ def destroy
         @taxon.destroy
         respond_with(@taxon) { |format| format.json { render json: '' } }
       end
+
+      private
+
+      def taxon_params
+        params.require(:taxon).permit(
+          :name, :parent_id, :position, :icon, :description, :permalink,
+          :taxonomy_id, :meta_description, :meta_keywords, :meta_title
+        )
+      end
     end
   end
 end
diff --git a/app/controllers/spree/admin/zones_controller.rb b/app/controllers/spree/admin/zones_controller.rb
@@ -21,6 +21,12 @@ def load_data
         @states = State.order(:name)
         @zones = Zone.order(:name)
       end
+
+      def permitted_resource_params
+        params.require(:zone).permit(
+          :name, :description, :default_tax
+        )
+      end
     end
   end
 end
diff --git a/app/controllers/spree/credit_cards_controller.rb b/app/controllers/spree/credit_cards_controller.rb
@@ -26,7 +26,7 @@ def update
 
       authorize! :update, @credit_card
 
-      if @credit_card.update_attributes(params[:credit_card])
+      if @credit_card.update_attributes(credit_card_params)
         render json: @credit_card, serializer: ::Api::CreditCardSerializer, status: :ok
       else
         update_failed
@@ -96,5 +96,9 @@ def build_card_from(attrs)
     def update_failed
       render json: { flash: { error: t(:card_could_not_be_updated) } }, status: :bad_request
     end
+
+    def credit_card_params
+      params.require(:credit_card).permit(:is_default, :year, :month)
+    end
   end
 end
diff --git a/app/controllers/spree/orders_controller.rb b/app/controllers/spree/orders_controller.rb
@@ -74,7 +74,7 @@ def update
         redirect_to(main_app.root_path) && return
       end
 
-      if @order.update_attributes(params[:order])
+      if @order.update_attributes(order_params)
         discard_empty_line_items
         with_open_adjustments { update_totals_and_taxes }
 
@@ -224,5 +224,12 @@ def check_at_least_one_line_item
         redirect_to order_path(order_to_update)
       end
     end
+
+    def order_params
+      params.require(:order).permit(
+        :distributor_id, :order_cycle_id,
+        line_items_attributes: [:id, :quantity]
+      )
+    end
   end
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,12 @@ def destroy @@
               end
             end
           end
+          private
+          def permitted_resource_params
+            params.require(:tax_category).permit(:name, :description, :is_default)
+          end
         end
       end
     end