Enabled strong_parameters across all models/controllers.

All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for whitelisting parameters for mass-assignment from the model to the controller. attr_accessible has been disabled and removed, since strong_parameters replaces that functionality.

The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.

It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
Ian Christian Myers
2013-06-06 00:14:32 -07:00
parent a3d62fdf69
commit 0d01c33482
34 changed files with 67 additions and 83 deletions


@ -21,7 +21,7 @@ describe Admin::ImpersonateController do
context 'create' do
it 'requires a username_or_email parameter' do
lambda { xhr :put, :create }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :put, :create }.should raise_error(ActionController::ParameterMissing)
end
it 'returns 404 when that user does not exist' do
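Review bot: The new expectation at L21 pins the exception class but says nothing about what a client now receives; ActionController::ParameterMissing is mapped by Rails' default exception handling to a 400 response, whereas Discourse::InvalidParameters presumably went through an application-level handler that rendered its own status and body (the ApplicationController change is not in this view). If that handler was not extended to the new class, the error contract for a missing required parameter changes silently, and no spec here would notice. Consider adding, alongside the raise_error check, coverage of the status and body a client sees for a missing parameter, so the move from the application's own exception to Rails' keeps the API's error shape. The same substitution appears in the Admin::SiteSettingsController, ClicksController, PostsController, SessionController, TopicsController and UsersController sections below.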


@ -26,7 +26,7 @@ describe Admin::SiteSettingsController do
context 'update' do
it 'requires a value parameter' do
lambda { xhr :put, :update, id: 'test_setting' }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :put, :update, id: 'test_setting' }.should raise_error(ActionController::ParameterMissing)
end
it 'sets the value when the param is present' do


@ -6,7 +6,7 @@ describe ClicksController do
context 'missing params' do
it 'raises an error without the url param' do
lambda { xhr :get, :track, post_id: 123 }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :get, :track, post_id: 123 }.should raise_error(ActionController::ParameterMissing)
end
it "redirects to the url even without the topic_id or post_id params" do
@ -24,7 +24,7 @@ describe ClicksController do
context 'with a post_id' do
it 'calls create_from' do
TopicLinkClick.expects(:create_from).with(url: 'http://discourse.org', post_id: 123, ip: '192.168.0.1')
TopicLinkClick.expects(:create_from).with('url' => 'http://discourse.org', 'post_id' => '123', 'ip' => '192.168.0.1')
xhr :get, :track, url: 'http://discourse.org', post_id: 123
response.should redirect_to("http://discourse.org")
end
@ -36,13 +36,13 @@ describe ClicksController do
end
it 'will pass the user_id to create_from' do
TopicLinkClick.expects(:create_from).with(url: 'http://discourse.org', post_id: 123, ip: '192.168.0.1')
TopicLinkClick.expects(:create_from).with('url' => 'http://discourse.org', 'post_id' => '123', 'ip' => '192.168.0.1')
xhr :get, :track, url: 'http://discourse.org', post_id: 123
response.should redirect_to("http://discourse.org")
end
it "doesn't redirect with the redirect=false param" do
TopicLinkClick.expects(:create_from).with(url: 'http://discourse.org', post_id: 123, ip: '192.168.0.1')
TopicLinkClick.expects(:create_from).with('url' => 'http://discourse.org', 'post_id' => '123', 'ip' => '192.168.0.1', 'redirect' => 'false')
xhr :get, :track, url: 'http://discourse.org', post_id: 123, redirect: 'false'
response.should_not be_redirect
end
@ -51,7 +51,7 @@ describe ClicksController do
context 'with a topic_id' do
it 'calls create_from' do
TopicLinkClick.expects(:create_from).with(url: 'http://discourse.org', topic_id: 789, ip: '192.168.0.1')
TopicLinkClick.expects(:create_from).with('url' => 'http://discourse.org', 'topic_id' => '789', 'ip' => '192.168.0.1')
xhr :get, :track, url: 'http://discourse.org', topic_id: 789
response.should redirect_to("http://discourse.org")
end
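Review bot: The rewritten expectations at L48, L56, L62 and L70 now pin that TopicLinkClick.create_from receives the raw string-keyed, string-valued params hash, and at L62 that hash includes `'redirect' => 'false'`, which is a controller concern rather than an attribute of a click. If the controller is handing the whole permitted hash to the model (the controller change is not in this view), slicing it to what create_from needs, e.g. `params.permit(:url, :post_id, :topic_id)`, keeps unrelated query keys out of the model call and lets these specs assert only those keys. The `'123'` and `'789'` strings where the old specs had integers are the scalar-typing gap the commit message already acknowledges; an assertion on the persisted post_id type would make that gap visible when it is closed.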


@ -141,7 +141,7 @@ describe PostsController do
let!(:post2) { Fabricate(:post, topic_id: post1.topic_id, user: poster, post_number: 3) }
it "raises invalid parameters no post_ids" do
lambda { xhr :delete, :destroy_many }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :delete, :destroy_many }.should raise_error(ActionController::ParameterMissing)
end
it "raises invalid parameters with missing ids" do
@ -193,7 +193,7 @@ describe PostsController do
update_params.delete(:post)
lambda {
xhr :put, :update, update_params
}.should raise_error(Discourse::InvalidParameters)
}.should raise_error(ActionController::ParameterMissing)
end
it "raises an error when the user doesn't have permission to see the post" do
@ -258,7 +258,7 @@ describe PostsController do
let(:new_post) { Fabricate.build(:post, user: user) }
it "raises an exception without a post parameter" do
lambda { xhr :post, :create }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :post, :create }.should raise_error(ActionController::ParameterMissing)
end
it 'calls the post creator' do
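Review bot: The example description at L79 still says "raises invalid parameters", a name taken from the Discourse::InvalidParameters class that the expectation on L81 no longer uses, so the spec name and its assertion now disagree. A description such as `it "raises ParameterMissing without post_ids" do` keeps them aligned. The example at L83 carries the same wording but its body lies outside the hunk, so I cannot tell from here whether it still expects the old class or was updated elsewhere in the commit.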


@ -13,7 +13,7 @@ describe SessionController do
end
it "raises an error when the login isn't present" do
lambda { xhr :post, :create }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :post, :create }.should raise_error(ActionController::ParameterMissing)
end
describe 'invalid password' do
@ -114,7 +114,7 @@ describe SessionController do
describe '.forgot_password' do
it 'raises an error without a username parameter' do
lambda { xhr :post, :forgot_password }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :post, :forgot_password }.should raise_error(ActionController::ParameterMissing)
end
context 'for a non existant username' do


@ -13,7 +13,7 @@ describe TopicsController do
let(:topic) { p1.topic }
it "raises an error without postIds" do
lambda { xhr :post, :move_posts, topic_id: topic.id, title: 'blah' }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :post, :move_posts, topic_id: topic.id, title: 'blah' }.should raise_error(ActionController::ParameterMissing)
end
it "raises an error when the user doesn't have permission to move the posts" do
@ -106,7 +106,7 @@ describe TopicsController do
let(:topic) { p1.topic }
it "raises an error without destination_topic_id" do
lambda { xhr :post, :merge_topic, topic_id: topic.id }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :post, :merge_topic, topic_id: topic.id }.should raise_error(ActionController::ParameterMissing)
end
it "raises an error when the user doesn't have permission to merge" do
@ -144,11 +144,11 @@ describe TopicsController do
let(:raw) { 'this body is long enough to search for' }
it "requires a title" do
-> { xhr :get, :similar_to, raw: raw }.should raise_error(Discourse::InvalidParameters)
-> { xhr :get, :similar_to, raw: raw }.should raise_error(ActionController::ParameterMissing)
end
it "requires a raw body" do
-> { xhr :get, :similar_to, title: title }.should raise_error(Discourse::InvalidParameters)
-> { xhr :get, :similar_to, title: title }.should raise_error(ActionController::ParameterMissing)
end
it "raises an error if the title length is below the minimum" do
@ -218,11 +218,11 @@ describe TopicsController do
end
it 'requires the status parameter' do
lambda { xhr :put, :status, topic_id: @topic.id, enabled: true }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :put, :status, topic_id: @topic.id, enabled: true }.should raise_error(ActionController::ParameterMissing)
end
it 'requires the enabled parameter' do
lambda { xhr :put, :status, topic_id: @topic.id, status: 'visible' }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :put, :status, topic_id: @topic.id, status: 'visible' }.should raise_error(ActionController::ParameterMissing)
end
it 'raises an error with a status not in the whitelist' do
@ -526,7 +526,7 @@ describe TopicsController do
end
it 'requires an email parameter' do
lambda { xhr :post, :invite, topic_id: @topic.id }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :post, :invite, topic_id: @topic.id }.should raise_error(ActionController::ParameterMissing)
end
describe 'without permission' do


@ -178,7 +178,7 @@ describe UsersController do
let!(:user) { log_in }
it 'raises an error without an email parameter' do
lambda { xhr :put, :change_email, username: user.username }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :put, :change_email, username: user.username }.should raise_error(ActionController::ParameterMissing)
end
it "raises an error if you can't edit the user" do
@ -489,7 +489,7 @@ describe UsersController do
let(:new_username) { "#{user.username}1234" }
it 'raises an error without a new_username param' do
lambda { xhr :put, :username, username: user.username }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :put, :username, username: user.username }.should raise_error(ActionController::ParameterMissing)
end
it 'raises an error when you don\'t have permission to change the user' do
@ -518,7 +518,7 @@ describe UsersController do
end
it 'raises an error without a username parameter' do
lambda { xhr :get, :check_username }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :get, :check_username }.should raise_error(ActionController::ParameterMissing)
end
shared_examples_for 'when username is unavailable locally' do