Strong parameters for Aspect

2013-06-27 15:15:36 +02:00 · 2013-06-27 15:15:36 +02:00 · 938de466f8
commit 938de466f8
parent 2a57f4851a
3 changed files with 56 additions and 4 deletions
--- a/app/controllers/aspects_controller.rb
+++ b/app/controllers/aspects_controller.rb
@ -10,7 +10,7 @@ class AspectsController < ApplicationController
             :json
  def create
-    @aspect = current_user.aspects.build(params[:aspect])
+    @aspect = current_user.aspects.build(aspect_params)
    aspecting_person_id = params[:aspect][:person_id]
    if @aspect.save
@ -92,7 +92,7 @@ class AspectsController < ApplicationController
  def update
    @aspect = current_user.aspects.where(:id => params[:id]).first
-    if @aspect.update_attributes!(params[:aspect])
+    if @aspect.update_attributes!(aspect_params)
      flash[:notice] = I18n.t 'aspects.update.success', :name => @aspect.name
    else
      flash[:error] = I18n.t 'aspects.update.failure', :name => @aspect.name
@ -121,4 +121,8 @@ class AspectsController < ApplicationController
      @contact = current_user.share_with(@person, @aspect)
    end
  end
  def aspect_params
    params.require(:aspect).permit(:name, :contacts_visible, :order_id)
  end
 end
--- a/app/models/aspect.rb
+++ b/app/models/aspect.rb
@ -3,6 +3,8 @@
 #   the COPYRIGHT file.
 class Aspect < ActiveRecord::Base
  include ActiveModel::ForbiddenAttributesProtection
  belongs_to :user
  has_many :aspect_memberships, :dependent => :destroy
@ -16,8 +18,6 @@ class Aspect < ActiveRecord::Base
  validates_uniqueness_of :name, :scope => :user_id, :case_sensitive => false
  attr_accessible :name, :contacts_visible, :order_id
  before_validation do
    name.strip!
  end
--- a/spec/controllers/aspects_controller_spec.rb
+++ b/spec/controllers/aspects_controller_spec.rb
@ -47,6 +47,30 @@ describe AspectsController do
  end
  describe "#create" do
    context "strong parameters" do
      it "permits 'name', 'contacts_visible' and 'order_id'" do
        post :create, "aspect" => {
          "name" => "new aspect",
          "contacts_visible" => true,
          "order_id" => 1
        }
        aspect = alice.aspects.last
        aspect.name.should eq("new aspect")
        aspect.contacts_visible.should eq(true)
        aspect.order_id.should eq(1)
      end
      it "forbids other params" do
        post :create, "aspect" => {
          "name" => "new aspect",
          "user_id" => 123
        }
        aspect = Aspect.last
        aspect.name.should eq("new aspect")
        aspect.user_id.should_not eq(123)
      end
    end
    context "with valid params" do
      it "creates an aspect" do
        alice.aspects.count.should == 2
@ -97,6 +121,30 @@ describe AspectsController do
      @alices_aspect_1 = alice.aspects.create(:name => "Bruisers")
    end
    context "strong parameters" do
      it "permits 'name', 'contacts_visible' and 'order_id'" do
        put 'update', :id => @alices_aspect_1.id, "aspect" => {
          "name" => "new aspect",
          "contacts_visible" => true,
          "order_id" => 1
        }
        aspect = Aspect.find(@alices_aspect_1.id)
        aspect.name.should eq("new aspect")
        aspect.contacts_visible.should eq(true)
        aspect.order_id.should eq(1)
      end
      it "forbids other params" do
        put :update, :id => @alices_aspect_1.id, "aspect" => {
          "name" => "new aspect",
          "user_id" => 123
        }
        aspect = Aspect.find(@alices_aspect_1.id)
        aspect.name.should eq("new aspect")
        aspect.user_id.should_not eq(123)
      end
    end
    it "doesn't overwrite random attributes" do
      new_user = FactoryGirl.create :user
      params = {"name" => "Bruisers"}