Use strong params in photos_controller

Add specs to check mass-assignment gotchas in PhotosController.
James Fleming 2013-07-06 23:12:41 +02:00 committed by Jonne Haß
parent 3ba63197e8
commit d6ba6d1b02
2 changed files with 28 additions and 3 deletions


@ -41,7 +41,7 @@ class PhotosController < ApplicationController
def create def create
rescuing_photo_errors do rescuing_photo_errors do
if remotipart_submitted? if remotipart_submitted?
@photo = current_user.build_post(:photo, params[:photo]) @photo = current_user.build_post(:photo, photo_params)
if @photo.save if @photo.save
respond_to do |format| respond_to do |format|
format.json { render :json => {"success" => true, "data" => @photo.as_api_response(:backbone)} } format.json { render :json => {"success" => true, "data" => @photo.as_api_response(:backbone)} }
@ -114,7 +114,7 @@ class PhotosController < ApplicationController
def update def update
photo = current_user.photos.where(:id => params[:id]).first photo = current_user.photos.where(:id => params[:id]).first
if photo if photo
if current_user.update_post( photo, params[:photo] ) if current_user.update_post( photo, photo_params )
flash.now[:notice] = I18n.t 'photos.update.notice' flash.now[:notice] = I18n.t 'photos.update.notice'
respond_to do |format| respond_to do |format|
format.js{ render :json => photo, :status => 200 } format.js{ render :json => photo, :status => 200 }
@ -133,6 +133,10 @@ class PhotosController < ApplicationController
private private
def photo_params
params.require(:photo).permit(:public, :text, :pending, :user_file, :image_url, :aspect_ids, :set_profile_photo)
end
def file_handler(params) def file_handler(params)
# For XHR file uploads, request.params[:qqfile] will be the path to the temporary file # For XHR file uploads, request.params[:qqfile] will be the path to the temporary file
# For regular form uploads (such as those made by Opera), request.params[:qqfile] will be an UploadedFile which can be returned unaltered. # For regular form uploads (such as those made by Opera), request.params[:qqfile] will be an UploadedFile which can be returned unaltered.
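Review bot: The new `photo_params` permits `:aspect_ids` as a scalar, so if the form submits the aspect list as an array (`aspect_ids[]`) strong parameters will drop it silently and the photo is created with no aspects instead of failing loudly; an array value has to be whitelisted as `:aspect_ids => []`, and if both a scalar (such as an "all aspects" marker) and an array are accepted, both forms need to be listed. A safer line would be `params.require(:photo).permit(:public, :text, :pending, :user_file, :image_url, :set_profile_photo, :aspect_ids => [])`, adjusted to whatever shape the form actually sends. The specs added in this commit only assert that `author`/`author_id` cannot be mass-assigned; a spec asserting that a photo posted to a chosen aspect actually lands in it would catch the filtering regression. Note also that `params.require(:photo)` raises `ActionController::ParameterMissing` when the key is absent, and whether `rescuing_photo_errors` handles that is outside this hunk.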


@ -54,6 +54,20 @@ describe PhotosController do
}.should change(Photo, :count).by(1) }.should change(Photo, :count).by(1)
end end
it "doesn't allow mass assignment of person" do
new_user = FactoryGirl.create(:user)
@params[:photo][:author] = new_user
post :create, @params
Photo.last.author.should == alice.person
end
it "doesn't allow mass assignment of person_id" do
new_user = FactoryGirl.create(:user)
@params[:photo][:author_id] = new_user.id
post :create, @params
Photo.last.author.should == alice.person
end
it 'can set the photo as the profile photo' do it 'can set the photo as the profile photo' do
old_url = alice.person.profile.image_url old_url = alice.person.profile.image_url
@params[:photo][:set_profile_photo] = true @params[:photo][:set_profile_photo] = true
@ -137,7 +151,14 @@ describe PhotosController do
@alices_photo.reload.text.should == "now with lasers!" @alices_photo.reload.text.should == "now with lasers!"
end end
it "doesn't overwrite random attributes" do it "doesn't allow mass assignment of person" do
new_user = FactoryGirl.create(:user)
params = { :text => "now with lasers!", :author => new_user }
put :update, :id => @alices_photo.id, :photo => params
@alices_photo.reload.author.should == alice.person
end
it "doesn't allow mass assignment of person_id" do
new_user = FactoryGirl.create(:user) new_user = FactoryGirl.create(:user)
params = { :text => "now with lasers!", :author_id => new_user.id } params = { :text => "now with lasers!", :author_id => new_user.id }
put :update, :id => @alices_photo.id, :photo => params put :update, :id => @alices_photo.id, :photo => params