All parameters for #create in PostsController pass through strong_parameters.

We are now explicitly whitelisting all parameters for Post creation. A nice side-effect is that it cleans up the #create action in PostsController. We can now trust that all parameters entering PostCreator are of a safe scalar type.
Ian Christian Myers
2013-06-07 00:52:03 -07:00
parent 875151f08a
commit b61e10f9ad
5 changed files with 48 additions and 44 deletions


@ -25,19 +25,7 @@ class PostsController < ApplicationController
end
def create
params.require(:post)
post_creator = PostCreator.new(current_user,
raw: params[:post][:raw],
topic_id: params[:post][:topic_id],
title: params[:title],
archetype: params[:archetype],
category: params[:post][:category],
target_usernames: params[:target_usernames],
reply_to_post_number: params[:post][:reply_to_post_number],
image_sizes: params[:image_sizes],
meta_data: params[:meta_data],
auto_close_days: params[:auto_close_days])
post_creator = PostCreator.new(current_user, create_params)
post = post_creator.create
if post_creator.errors.present?
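Review bot: the request shape changes here and that is not called out in the commit message. The removed lines read `raw`, `topic_id`, `category` and `reply_to_post_number` from a nested `params[:post]` hash (guarded by `params.require(:post)`), while the replacement `create_params` permits those same keys at the top level of `params` and requires `:raw` instead of `:post`. Any client still posting `post[raw]` will get a missing-parameter error rather than a created post, so please confirm the client side is updated in one of the other changed files or note the API change explicitly.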
@ -197,4 +185,23 @@ class PostsController < ApplicationController
guardian.ensure_can_see!(post)
post
end
private
def create_params
params.require(:raw)
params.permit(
:raw,
:topic_id,
:title,
:archetype,
:category,
:target_usernames,
:reply_to_post_number,
:image_sizes,
:auto_close_days
).tap do |whitelisted|
whitelisted[:meta_data] = params[:meta_data]
end
end
end
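Review bot: the `tap` block copies `params[:meta_data]` into the whitelisted hash without passing it through `permit`, which contradicts the commit message's claim that everything reaching PostCreator is a permitted scalar. `meta_data` is presumably a nested hash, so whatever keys the client sends are forwarded unfiltered; if the expected keys are known, permit them explicitly instead of the blanket copy, and if arbitrary keys are genuinely required, add a comment stating that this one attribute is intentionally exempt so the exception is visible to the next reader.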