Prevent mass assignment with strong_parameters instead of attr_accessible
This commit is contained in:
parent
fe88a0fafb
commit
7004916347
1
Gemfile
1
Gemfile
|
@ -10,6 +10,7 @@ gem 'haml', '~> 3.2.0.alpha'
|
||||||
gem 'http_accept_language'
|
gem 'http_accept_language'
|
||||||
gem 'pg'
|
gem 'pg'
|
||||||
gem 'rails_admin'
|
gem 'rails_admin'
|
||||||
|
gem 'strong_parameters'
|
||||||
gem 'validates_formatting_of'
|
gem 'validates_formatting_of'
|
||||||
|
|
||||||
platforms :ruby_18 do
|
platforms :ruby_18 do
|
||||||
|
|
|
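Review bot: `gem 'strong_parameters'` is added without a version constraint even though the lockfile resolves it to 0.1.5 and every controller whitelist in this commit depends on its `permit` semantics. Pinning it as `gem 'strong_parameters', '~> 0.1.5'` keeps a later `bundle update` from silently moving to a release that behaves differently. Most other gems in this file are also unpinned, so this may be a project convention; the `haml` line shows the constraint style already in use.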
@ -142,6 +142,10 @@ GEM
|
||||||
rack (~> 1.0)
|
rack (~> 1.0)
|
||||||
tilt (~> 1.1, != 1.3.0)
|
tilt (~> 1.1, != 1.3.0)
|
||||||
sqlite3 (1.3.6)
|
sqlite3 (1.3.6)
|
||||||
|
strong_parameters (0.1.5)
|
||||||
|
actionpack (~> 3.1)
|
||||||
|
activemodel (~> 3.1)
|
||||||
|
railties (~> 3.1)
|
||||||
thor (0.16.0)
|
thor (0.16.0)
|
||||||
tilt (1.3.3)
|
tilt (1.3.3)
|
||||||
treetop (1.4.12)
|
treetop (1.4.12)
|
||||||
|
@ -176,6 +180,7 @@ DEPENDENCIES
|
||||||
sass-rails
|
sass-rails
|
||||||
simplecov
|
simplecov
|
||||||
sqlite3
|
sqlite3
|
||||||
|
strong_parameters
|
||||||
uglifier
|
uglifier
|
||||||
validates_formatting_of
|
validates_formatting_of
|
||||||
webmock
|
webmock
|
||||||
|
|
|
@ -18,4 +18,10 @@ class PasswordsController < Devise::PasswordsController
|
||||||
self.resource = resource_class.reset_password_by_token(resource_params)
|
self.resource = resource_class.reset_password_by_token(resource_params)
|
||||||
redirect_to(controller: "main", action: "index")
|
redirect_to(controller: "main", action: "index")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def resource_params
|
||||||
|
params.require(:user).permit(:email, :password, :password_confirmation, :reset_password_token)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
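Review bot: The new `resource_params` permits `:reset_password_token`, which the old `attr_accessible` list on User never allowed, so this override should stay confined to the Devise lookups it feeds (`reset_password_by_token` here and, presumably, the instructions-sending path in `create`, which is outside the hunk). As far as I can tell Devise reads the token from the hash to find the record rather than assigning it, but a future `update_attributes(resource_params)` would let a client set its own token. A one-line comment makes the constraint explicit: `# Only hand this to Devise's reset helpers; :reset_password_token must never be mass-assigned.` The `update` action whose tail is visible at the top of the hunk starts outside it.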
@ -2,7 +2,7 @@ class RemindersController < ApplicationController
|
||||||
respond_to :json
|
respond_to :json
|
||||||
|
|
||||||
def create
|
def create
|
||||||
@reminder = Reminder.new(params[:reminder])
|
@reminder = Reminder.new(reminder_params)
|
||||||
@reminder.from_user = current_user
|
@reminder.from_user = current_user
|
||||||
if @reminder.save
|
if @reminder.save
|
||||||
ThingMailer.reminder(@reminder.thing).deliver
|
ThingMailer.reminder(@reminder.thing).deliver
|
||||||
|
@ -12,4 +12,10 @@ class RemindersController < ApplicationController
|
||||||
render(json: {errors: @reminder.errors}, status: 500)
|
render(json: {errors: @reminder.errors}, status: 500)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def reminder_params
|
||||||
|
params.require(:reminder).permit(:thing_id, :to_user_id)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
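Review bot: `reminder_params` permits `:thing_id` and `:to_user_id` as raw ids, so strong_parameters only limits which columns are written, not whether `current_user` may point a reminder at any thing and any user. If reminders are meant to be scoped, resolve the Thing and recipient in `create` through an authorized lookup instead of trusting the ids; the authentication filters above the hunk are not visible, so treat this as a question rather than a finding. The unchanged `render ... status: 500` for validation failures would be more accurate as 422, but that predates this commit.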
@ -12,10 +12,16 @@ class ThingsController < ApplicationController
|
||||||
|
|
||||||
def update
|
def update
|
||||||
@thing = Thing.find(params[:id])
|
@thing = Thing.find(params[:id])
|
||||||
if @thing.update_attributes(params[:thing])
|
if @thing.update_attributes(thing_params)
|
||||||
respond_with @thing
|
respond_with @thing
|
||||||
else
|
else
|
||||||
render(json: {errors: @thing.errors}, status: 500)
|
render(json: {errors: @thing.errors}, status: 500)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def thing_params
|
||||||
|
params.require(:thing).permit(:name, :user_id)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
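Review bot: `thing_params` permits `:user_id` on `update`, so any caller that reaches this action can reassign a Thing's owner (`belongs_to :user` in the model) to an arbitrary id, and `Thing.find(params[:id])` two lines above is not scoped to `current_user`. This mirrors the removed `attr_accessible :name, :user_id`, so it is not a regression, but moving the whitelist into the controller is the natural moment to drop `:user_id` from the update path: `params.require(:thing).permit(:name)`, with ownership assigned server-side where the Thing is created. Whether an authentication `before_filter` guards this controller is outside the hunk.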
@ -24,4 +24,14 @@ class UsersController < Devise::RegistrationsController
|
||||||
render(json: {errors: resource.errors}, status: 500)
|
render(json: {errors: resource.errors}, status: 500)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def resource_params
|
||||||
|
params.require(:user).permit(:address_1, :address_2, :city,
|
||||||
|
:current_password, :email, :name,
|
||||||
|
:organization, :password,
|
||||||
|
:password_confirmation, :remember_me,
|
||||||
|
:sms_number, :state, :voice_number, :zip)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
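Review bot: This single `resource_params` list serves both Devise registration actions (sign-up and account update), since `Devise::RegistrationsController` calls the same hook from each, so any attribute added here for one action becomes writable from the other. That is fine for the present profile and credential fields, but worth stating so a later addition (an admin flag, for instance) is not permitted on sign-up by accident: `# Shared by Devise sign_up and account update; keep to profile and credential fields only.` Permitting `:current_password` is expected here, as Devise's password-checked update consumes it before assignment as far as I know. The `render ... status: 500` at the top of the hunk closes an action that starts outside it.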
@ -1,5 +1,5 @@
|
||||||
class Reminder < ActiveRecord::Base
|
class Reminder < ActiveRecord::Base
|
||||||
attr_accessible :thing_id, :to_user_id
|
include ActiveModel::ForbiddenAttributesProtection
|
||||||
validates_presence_of :from_user, :to_user, :thing
|
validates_presence_of :from_user, :to_user, :thing
|
||||||
belongs_to :from_user, class_name: "User"
|
belongs_to :from_user, class_name: "User"
|
||||||
belongs_to :to_user, class_name: "User"
|
belongs_to :to_user, class_name: "User"
|
||||||
|
|
|
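Review bot: `ActiveModel::ForbiddenAttributesProtection` only refuses objects that respond to `permitted?` (unpermitted `ActionController::Parameters`); a plain Hash still assigns every column, and with `attr_accessible :thing_id, :to_user_id` gone there is no model-side whitelist left. That is the intended trade-off of this commit, but it means `Reminder.new(hash)` from jobs, the console or specs is unchecked, and a model that forgets this include is fully open now that `whitelist_attributes` is disabled in application.rb. A comment records the contract: `# Mass assignment is guarded only for controller params; the whitelist is RemindersController#reminder_params.`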
@ -1,6 +1,6 @@
|
||||||
class Thing < ActiveRecord::Base
|
class Thing < ActiveRecord::Base
|
||||||
|
include ActiveModel::ForbiddenAttributesProtection
|
||||||
include Geokit::Geocoders
|
include Geokit::Geocoders
|
||||||
attr_accessible :name, :user_id
|
|
||||||
validates_uniqueness_of :city_id, allow_nil: true
|
validates_uniqueness_of :city_id, allow_nil: true
|
||||||
validates_presence_of :lat, :lng
|
validates_presence_of :lat, :lng
|
||||||
belongs_to :user
|
belongs_to :user
|
||||||
|
|
|
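Review bot: Removing `attr_accessible :name, :user_id` means this model no longer states which columns are writable; that knowledge now lives only in `ThingsController#thing_params`, which still permits `:user_id` (the owning `belongs_to :user`). A pointer comment next to the include keeps the two in sync: `# Column whitelist lives in ThingsController#thing_params; note :user_id is assignable there.` Placing the include ahead of `Geokit::Geocoders` is fine; the order of the two mixins does not affect the check as far as I can tell.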
@ -1,12 +1,10 @@
|
||||||
class User < ActiveRecord::Base
|
class User < ActiveRecord::Base
|
||||||
|
include ActiveModel::ForbiddenAttributesProtection
|
||||||
# Include default devise modules. Others available are:
|
# Include default devise modules. Others available are:
|
||||||
# :token_authenticatable, :confirmable,
|
# :token_authenticatable, :confirmable,
|
||||||
# :lockable, :timeoutable and :omniauthable
|
# :lockable, :timeoutable and :omniauthable
|
||||||
devise :database_authenticatable, :registerable, :recoverable, :rememberable,
|
devise :database_authenticatable, :registerable, :recoverable, :rememberable,
|
||||||
:trackable, :validatable
|
:trackable, :validatable
|
||||||
attr_accessible :address_1, :address_2, :city, :email, :name, :organization,
|
|
||||||
:password, :password_confirmation, :remember_me, :sms_number, :state,
|
|
||||||
:voice_number, :zip
|
|
||||||
validates_formatting_of :email, using: :email
|
validates_formatting_of :email, using: :email
|
||||||
validates_formatting_of :sms_number, using: :us_phone, allow_blank: true
|
validates_formatting_of :sms_number, using: :us_phone, allow_blank: true
|
||||||
validates_formatting_of :voice_number, using: :us_phone, allow_blank: true
|
validates_formatting_of :voice_number, using: :us_phone, allow_blank: true
|
||||||
|
|
|
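Review bot: The single whitelist that `attr_accessible` provided for User is now split across `UsersController#resource_params` and `PasswordsController#resource_params`, and the latter permits `:reset_password_token`, which the removed list never did. Any Devise controller not overridden in this commit would pass an unpermitted `Parameters` hash to a mass-assignment call and raise `ActiveModel::ForbiddenAttributes`, which fails closed but surfaces as a 500 rather than a validation error. Suggest a comment above the include naming where the whitelist now lives: `# Attribute whitelist: UsersController#resource_params and PasswordsController#resource_params.`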
@ -51,7 +51,7 @@ module AdoptAThing
|
||||||
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
# This will create an empty whitelist of attributes available for mass-assignment for all models
|
||||||
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
|
||||||
# parameters by using an attr_accessible or attr_protected declaration.
|
# parameters by using an attr_accessible or attr_protected declaration.
|
||||||
config.active_record.whitelist_attributes = true
|
# config.active_record.whitelist_attributes = true
|
||||||
|
|
||||||
# Enable the asset pipeline
|
# Enable the asset pipeline
|
||||||
config.assets.enabled = true
|
config.assets.enabled = true
|
||||||
|
|
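Review bot: Commenting out `config.active_record.whitelist_attributes = true` leaves the three-line comment above it (still describing an empty default whitelist and `attr_accessible`) stale, and it silently makes every model that does not include `ActiveModel::ForbiddenAttributesProtection` fully mass-assignable. Protection is now opt-in per model; a global include in an initializer, `ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)`, closes that gap for models added later. It is also worth checking whether `rails_admin` (in the Gemfile) hands permitted parameters to the models; if not, admin edits will either raise or bypass the protection depending on what it passes. Replace the stale comment with something like `# attr_accessible has been replaced by strong_parameters; models opt in via ActiveModel::ForbiddenAttributesProtection.`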