Move sort order to a before filter, because this index method is waaaaay too big.

2011-03-27 18:52:43 -07:00 · 2011-03-27 18:52:43 -07:00 · ae106e71ae
commit ae106e71ae
parent 4d0338efa4
2 changed files with 37 additions and 23 deletions
--- a/app/controllers/aspects_controller.rb
+++ b/app/controllers/aspects_controller.rb
@ -4,6 +4,7 @@

 class AspectsController < ApplicationController
  before_filter :authenticate_user!
+  before_filter :save_sort_order, :only => :index

  respond_to :html
  respond_to :json, :only => [:show, :create]
@ -22,26 +23,20 @@ class AspectsController < ApplicationController
    if (current_user.getting_started == true || @aspects.blank?) && !request.format.mobile? && !request.format.js?
      redirect_to getting_started_path
    else
-      if params[:sort_order].blank? and session[:sort_order].blank?
-         session[:sort_order] = 'updated_at'
-      elsif not params[:sort_order].blank? and not session[:sort_order] == params[:sort_order]
-        session[:sort_order] = params[:sort_order] == 'created_at' ? 'created_at' : 'updated_at'
-      end
-      sort_order = session[:sort_order] == 'created_at' ? 'created_at' : 'updated_at'
      @aspect_ids = @aspects.map { |a| a.id }

      @posts = StatusMessage.joins(:aspects).where(:pending => false,
                                                   :aspects => {:id => @aspect_ids}).includes(:comments, :photos, :likes, :dislikes).select('DISTINCT `posts`.*').paginate(
-               :page => params[:page], :per_page => 15, :order => sort_order + ' DESC')
+        :page => params[:page], :per_page => 15, :order => session[:sort_order] + ' DESC')
      @fakes = PostsFake.new(@posts)

      @contact_count = current_user.contacts.count

      @aspect = :all unless params[:a_ids]
      @aspect ||= @aspects.first #used in mobile
+    end
+  end

-    end
-  end
  def create
    @aspect = current_user.aspects.create(params[:aspect])
    #hack, we don't know why mass assignment is not working
@ -146,4 +141,16 @@ class AspectsController < ApplicationController
    end
    @aspect.save
  end
+
+  protected
+
+  def save_sort_order
+    if params[:sort_order].present?
+      session[:sort_order] = (params[:sort_order] == 'created_at') ? 'created_at' : 'updated_at'
+    elsif session[:sort_order].blank?
+      session[:sort_order] = 'updated_at'
+    else
+      session[:sort_order] = (session[:sort_order] == 'created_at') ? 'created_at' : 'updated_at'
+    end
+  end
 end
--- a/spec/controllers/aspects_controller_spec.rb
+++ b/spec/controllers/aspects_controller_spec.rb
@ -126,6 +126,13 @@ describe AspectsController do
          get :index, :sort_order => "updated_at"
          assigns(:posts).should == @posts
        end
+
+        it "doesn't allow SQL injection" do
+          get :index, :sort_order => "\"; DROP TABLE users;"
+          assigns(:posts).should == @posts
+          get :index, :sort_order => "created_at"
+          assigns(:posts).should == @posts.reverse
+        end
      end

      it "returns all posts by default" do