Strong parameters for Aspect

2013-06-27 15:15:36 +02:00 · 2013-06-27 15:15:36 +02:00 · 938de466f8
commit 938de466f8
parent 2a57f4851a
3 changed files with 56 additions and 4 deletions
--- a/app/controllers/aspects_controller.rb
+++ b/app/controllers/aspects_controller.rb
@ -10,7 +10,7 @@ class AspectsController < ApplicationController
             :json

  def create
-    @aspect = current_user.aspects.build(params[:aspect])
+    @aspect = current_user.aspects.build(aspect_params)
    aspecting_person_id = params[:aspect][:person_id]

    if @aspect.save
@ -92,7 +92,7 @@ class AspectsController < ApplicationController
  def update
    @aspect = current_user.aspects.where(:id => params[:id]).first

-    if @aspect.update_attributes!(params[:aspect])
+    if @aspect.update_attributes!(aspect_params)
      flash[:notice] = I18n.t 'aspects.update.success', :name => @aspect.name
    else
      flash[:error] = I18n.t 'aspects.update.failure', :name => @aspect.name
@ -121,4 +121,8 @@ class AspectsController < ApplicationController
      @contact = current_user.share_with(@person, @aspect)
    end
  end
+
+  def aspect_params
+    params.require(:aspect).permit(:name, :contacts_visible, :order_id)
+  end
 end
--- a/app/models/aspect.rb
+++ b/app/models/aspect.rb
@ -3,6 +3,8 @@
 #   the COPYRIGHT file.

 class Aspect < ActiveRecord::Base
+  include ActiveModel::ForbiddenAttributesProtection
+  
  belongs_to :user

  has_many :aspect_memberships, :dependent => :destroy
@ -16,8 +18,6 @@ class Aspect < ActiveRecord::Base

  validates_uniqueness_of :name, :scope => :user_id, :case_sensitive => false

-  attr_accessible :name, :contacts_visible, :order_id
-
  before_validation do
    name.strip!
  end
--- a/spec/controllers/aspects_controller_spec.rb
+++ b/spec/controllers/aspects_controller_spec.rb
@ -47,6 +47,30 @@ describe AspectsController do
  end

  describe "#create" do
+    context "strong parameters" do
+      it "permits 'name', 'contacts_visible' and 'order_id'" do
+        post :create, "aspect" => {
+          "name" => "new aspect",
+          "contacts_visible" => true,
+          "order_id" => 1
+        }
+        aspect = alice.aspects.last
+        aspect.name.should eq("new aspect")
+        aspect.contacts_visible.should eq(true)
+        aspect.order_id.should eq(1)
+      end
+      
+      it "forbids other params" do
+        post :create, "aspect" => {
+          "name" => "new aspect",
+          "user_id" => 123
+        }
+        aspect = Aspect.last
+        aspect.name.should eq("new aspect")
+        aspect.user_id.should_not eq(123)
+      end
+    end
+
    context "with valid params" do
      it "creates an aspect" do
        alice.aspects.count.should == 2
@ -97,6 +121,30 @@ describe AspectsController do
      @alices_aspect_1 = alice.aspects.create(:name => "Bruisers")
    end

+    context "strong parameters" do
+      it "permits 'name', 'contacts_visible' and 'order_id'" do
+        put 'update', :id => @alices_aspect_1.id, "aspect" => {
+          "name" => "new aspect",
+          "contacts_visible" => true,
+          "order_id" => 1
+        }
+        aspect = Aspect.find(@alices_aspect_1.id)
+        aspect.name.should eq("new aspect")
+        aspect.contacts_visible.should eq(true)
+        aspect.order_id.should eq(1)
+      end
+      
+      it "forbids other params" do
+        put :update, :id => @alices_aspect_1.id, "aspect" => {
+          "name" => "new aspect",
+          "user_id" => 123
+        }
+        aspect = Aspect.find(@alices_aspect_1.id)
+        aspect.name.should eq("new aspect")
+        aspect.user_id.should_not eq(123)
+      end
+    end
+    
    it "doesn't overwrite random attributes" do
      new_user = FactoryGirl.create :user
      params = {"name" => "Bruisers"}