Permit parameters before using them

ActionController::Parameters no longer inherits from HashWithIndifferentAccess
2017-08-06 00:57:41 +02:00 · 2017-08-06 00:57:41 +02:00 · 2b911b0131
commit 2b911b0131
parent 8a5752dd6c
5 changed files with 27 additions and 24 deletions
--- a/app/controllers/api/openid_connect/authorizations_controller.rb
+++ b/app/controllers/api/openid_connect/authorizations_controller.rb
@ -205,7 +205,7 @@ module Api
        if prompt && prompt.include?("none")
          handle_prompt_none
        elsif prompt && prompt.include?("login")
-          new_params = params.except("controller", "action").merge(prompt: prompt.remove("login"))
+          new_params = params.except("controller", "action").permit!.to_h.merge(prompt: prompt.remove("login"))
          reauthenticate(new_params)
        else
          authenticate_user!
--- a/app/controllers/invitations_controller.rb
+++ b/app/controllers/invitations_controller.rb
@ -71,6 +71,6 @@ class InvitationsController < ApplicationController
  end

  def inviter_params
-    params.require(:email_inviter).permit(:message, :locale, :emails)
+    params.require(:email_inviter).permit(:message, :locale, :emails).to_h
  end
 end
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@ -125,27 +125,28 @@ class PhotosController < ApplicationController
  end

  def legacy_create
-    if params[:photo][:aspect_ids] == "all"
-      params[:photo][:aspect_ids] = current_user.aspects.collect { |x| x.id }
-    elsif params[:photo][:aspect_ids].is_a?(Hash)
-      params[:photo][:aspect_ids] = params[:photo][:aspect_ids].values
+    photo_params = params.require(:photo).permit(:pending, :set_profile_photo, aspect_ids: [])
+    if photo_params[:aspect_ids] == "all"
+      photo_params[:aspect_ids] = current_user.aspects.map(&:id)
+    elsif photo_params[:aspect_ids].is_a?(Hash)
+      photo_params[:aspect_ids] = params[:photo][:aspect_ids].values
    end

-    params[:photo][:user_file] = file_handler(params)
+    photo_params[:user_file] = file_handler(params)

-    @photo = current_user.build_post(:photo, params[:photo])
+    @photo = current_user.build_post(:photo, photo_params)

    if @photo.save

      unless @photo.pending
        unless @photo.public?
-          aspects = current_user.aspects_from_ids(params[:photo][:aspect_ids])
+          aspects = current_user.aspects_from_ids(photo_params[:aspect_ids])
          current_user.add_to_streams(@photo, aspects)
        end
-        current_user.dispatch_post(@photo, :to => params[:photo][:aspect_ids])
+        current_user.dispatch_post(@photo, to: photo_params[:aspect_ids])
      end

-      if params[:photo][:set_profile_photo]
+      if photo_params[:set_profile_photo]
        profile_params = {:image_url => @photo.url(:thumb_large),
                          :image_url_medium => @photo.url(:thumb_medium),
                          :image_url_small => @photo.url(:thumb_small)}
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@ -77,6 +77,6 @@ class ProfilesController < ApplicationController
  def profile_params
    params.require(:profile).permit(:first_name, :last_name, :gender, :bio,
                                    :location, :searchable, :tag_string, :nsfw,
-                                    :public_details, date: %i(year month day)) || {}
+                                    :public_details, date: %i[year month day]).to_h || {}
  end
 end
--- a/app/controllers/status_messages_controller.rb
+++ b/app/controllers/status_messages_controller.rb
@ -47,12 +47,7 @@ class StatusMessagesController < ApplicationController
  end

  def create
-    normalized_params = params.merge(
-      services:   normalize_services,
-      aspect_ids: normalize_aspect_ids,
-      public:     normalize_public_flag
-    )
-    status_message = StatusMessageCreationService.new(current_user).create(normalized_params)
+    status_message = StatusMessageCreationService.new(current_user).create(normalize_params)
    respond_to do |format|
      format.html { redirect_to :back }
      format.mobile { redirect_to stream_path }
@ -89,8 +84,19 @@ class StatusMessagesController < ApplicationController
    request.env["HTTP_REFERER"].include?("/people/" + current_user.guid)
  end

-  def normalize_services
-    [*params[:services]].compact
+  def normalize_params
+    params.permit(
+      :location_address,
+      :location_coords,
+      :poll_question,
+      status_message: %i[text provider_display_name],
+      poll_answers:   []
+    ).to_h.merge(
+      services:   [*params[:services]].compact,
+      aspect_ids: normalize_aspect_ids,
+      public:     [*params[:aspect_ids]].first == "public",
+      photos:     [*params[:photos]].compact
+    )
  end

  def normalize_aspect_ids
@ -102,10 +108,6 @@ class StatusMessagesController < ApplicationController
    end
  end

-  def normalize_public_flag
-    [*params[:aspect_ids]].first == "public"
-  end
-
  def remove_getting_started
    current_user.disable_getting_started
  end