github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Enabled strong_parameters across all models/controllers.

Browse Source 
All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.

The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.

It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
This commit is contained in:
Ian Christian Myers
2013-06-06 00:14:32 -07:00
parent a3d62fdf69
commit 0d01c33482
34 changed files with 67 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
spec/controllers/topics_controller_spec.rb
View File

@ -13,7 +13,7 @@ describe TopicsController do
let(:topic) { p1.topic }
it "raises an error without postIds" do
lambda { xhr :post, :move_posts, topic_id: topic.id, title: 'blah' }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :post, :move_posts, topic_id: topic.id, title: 'blah' }.should raise_error(ActionController::ParameterMissing)
end
it "raises an error when the user doesn't have permission to move the posts" do
@ -106,7 +106,7 @@ describe TopicsController do
let(:topic) { p1.topic }
it "raises an error without destination_topic_id" do
lambda { xhr :post, :merge_topic, topic_id: topic.id }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :post, :merge_topic, topic_id: topic.id }.should raise_error(ActionController::ParameterMissing)
end
it "raises an error when the user doesn't have permission to merge" do
@ -144,11 +144,11 @@ describe TopicsController do
let(:raw) { 'this body is long enough to search for' }
it "requires a title" do
-> { xhr :get, :similar_to, raw: raw }.should raise_error(Discourse::InvalidParameters)
-> { xhr :get, :similar_to, raw: raw }.should raise_error(ActionController::ParameterMissing)
end
it "requires a raw body" do
-> { xhr :get, :similar_to, title: title }.should raise_error(Discourse::InvalidParameters)
-> { xhr :get, :similar_to, title: title }.should raise_error(ActionController::ParameterMissing)
end
it "raises an error if the title length is below the minimum" do
@ -218,11 +218,11 @@ describe TopicsController do
end
it 'requires the status parameter' do
lambda { xhr :put, :status, topic_id: @topic.id, enabled: true }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :put, :status, topic_id: @topic.id, enabled: true }.should raise_error(ActionController::ParameterMissing)
end
it 'requires the enabled parameter' do
lambda { xhr :put, :status, topic_id: @topic.id, status: 'visible' }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :put, :status, topic_id: @topic.id, status: 'visible' }.should raise_error(ActionController::ParameterMissing)
end
it 'raises an error with a status not in the whitelist' do
@ -526,7 +526,7 @@ describe TopicsController do
end
it 'requires an email parameter' do
lambda { xhr :post, :invite, topic_id: @topic.id }.should raise_error(Discourse::InvalidParameters)
lambda { xhr :post, :invite, topic_id: @topic.id }.should raise_error(ActionController::ParameterMissing)
end
describe 'without permission' do