Raise error on unpermitted params.
Fail loudly if we forget to whitelist a param instead of silently ignoring it. misc models: convert to strong params. artist commentaries: convert to strong params. * Disallow changing or setting post_id to a nonexistent post. artists: convert to strong params. * Disallow setting `is_banned` in create/update actions. Changing it this way instead of with the ban/unban actions would leave the artist in a partially banned state. bans: convert to strong params. * Disallow changing the user_id after the ban has been created. comments: convert to strong params. favorite groups: convert to strong params. news updates: convert to strong params. post appeals: convert to strong params. post flags: convert to strong params. * Disallow users from setting the `is_deleted` / `is_resolved` flags. ip bans: convert to strong params. user feedbacks: convert to strong params. * Disallow users from setting `disable_dmail_notification` when creating feedbacks. * Disallow changing the user_id after the feedback has been created. notes: convert to strong params. wiki pages: convert to strong params. * Also fix non-Builders being able to delete wiki pages. saved searches: convert to strong params. pools: convert to strong params. * Disallow setting `post_count` or `is_deleted` in create/update actions. janitor trials: convert to strong params. post disapprovals: convert to strong params. * Factor out quick-mod bar to shared partial. * Fix quick-mod bar to use `Post#is_approvable?` to determine visibility of Approve button. dmail filters: convert to strong params. password resets: convert to strong params. user name change requests: convert to strong params. posts: convert to strong params. users: convert to strong params. * Disallow setting password_hash, last_logged_in_at, last_forum_read_at, has_mail, and dmail_filter_attributes[user_id]. * Remove initialize_default_image_size (dead code). uploads: convert to strong params. * Remove `initialize_status` because status already defaults to pending in the database. tag aliases/implications: convert to strong params. tags: convert to strong params. forum posts: convert to strong params. * Disallow changing the topic_id after creating the post. * Disallow setting is_deleted (destroy/undelete actions should be used instead). * Remove is_sticky / is_locked (nonexistent attributes). forum topics: convert to strong params. * merges https://github.com/evazion/danbooru/tree/wip-rails-5.1 * lock pg gem to 0.21 (1.0.0 is incompatible with rails 5.1.4) * switch to factorybot and change all references Co-authored-by: r888888888 <r888888888@gmail.com> Co-authored-by: evazion <noizave@gmail.com> add diffs
This commit is contained in:
r888888888
Albert Yi
@@ -1,12 +1,12 @@
|
||||
class ArtistsController < ApplicationController
|
||||
respond_to :html, :xml, :json
|
||||
before_filter :member_only, :except => [:index, :show, :show_or_new, :banned]
|
||||
before_filter :builder_only, :only => [:destroy]
|
||||
before_filter :admin_only, :only => [:ban, :unban]
|
||||
before_filter :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete]
|
||||
before_action :member_only, :except => [:index, :show, :show_or_new, :banned]
|
||||
before_action :builder_only, :only => [:destroy]
|
||||
before_action :admin_only, :only => [:ban, :unban]
|
||||
before_action :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete]
|
||||
|
||||
def new
|
||||
@artist = Artist.new_with_defaults(params)
|
||||
@artist = Artist.new_with_defaults(artist_params)
|
||||
respond_with(@artist)
|
||||
end
|
||||
|
||||
@@ -37,7 +37,6 @@ class ArtistsController < ApplicationController
|
||||
end
|
||||
|
||||
def index
|
||||
search_params = params[:search].present? ? params[:search] : params
|
||||
@artists = Artist.includes(:urls).search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
|
||||
respond_with(@artists) do |format|
|
||||
format.xml do
|
||||
@@ -56,12 +55,12 @@ class ArtistsController < ApplicationController
|
||||
end
|
||||
|
||||
def create
|
||||
@artist = Artist.create(params[:artist], :as => CurrentUser.role)
|
||||
@artist = Artist.create(artist_params)
|
||||
respond_with(@artist)
|
||||
end
|
||||
|
||||
def update
|
||||
@artist.update(params[:artist], :as => CurrentUser.role)
|
||||
@artist.update(artist_params)
|
||||
flash[:notice] = @artist.valid? ? "Artist updated" : @artist.errors.full_messages.join("; ")
|
||||
respond_with(@artist)
|
||||
end
|
||||
@@ -118,4 +117,17 @@ private
|
||||
def load_artist
|
||||
@artist = Artist.find(params[:id])
|
||||
end
|
||||
|
||||
def search_params
|
||||
sp = params.fetch(:search, {})
|
||||
sp[:name] = params[:name] if params[:name]
|
||||
sp.permit!
|
||||
end
|
||||
|
||||
def artist_params
|
||||
permitted_params = %i[name other_names other_names_comma group_name url_string notes]
|
||||
permitted_params << :is_active if CurrentUser.is_builder?
|
||||
|
||||
params.fetch(:artist, {}).permit(permitted_params)
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user