From aa895306bd23b70b73a3d9b66bd8f1bb944748a2 Mon Sep 17 00:00:00 2001
From: Till Breuer
Date: Thu, 14 Nov 2013 11:57:16 +0100
Subject: [PATCH] Use strong parameters in menu item controllers
---
 app/controllers/query_menu_items_controller.rb | 6 +++++-
 app/controllers/wiki_menu_items_controller.rb | 17 +++++++++++------
 app/models/menu_item.rb | 2 --
 3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/app/controllers/query_menu_items_controller.rb b/app/controllers/query_menu_items_controller.rb
index d8c2e5accb..b207d75f9b 100644
--- a/app/controllers/query_menu_items_controller.rb
+++ b/app/controllers/query_menu_items_controller.rb
@@ -40,7 +40,7 @@ class QueryMenuItemsController < ApplicationController
 def update
 @query_menu_item = MenuItems::QueryMenuItem.find params[:id]
- if @query_menu_item.update_attributes params[:menu_items_query_menu_item]
+ if @query_menu_item.update_attributes query_menu_item_params
 flash[:notice] = l(:notice_successful_update)
 else
 flash[:error] = l(:error_menu_item_not_saved)
@@ -90,4 +90,8 @@ class QueryMenuItemsController < ApplicationController
 super
 end
+
+ def query_menu_item_params
+ params.require(:menu_items_query_menu_item).permit(:name, :title, :navigatable_id, :parent_id)
+ end
 end
diff --git a/app/controllers/wiki_menu_items_controller.rb b/app/controllers/wiki_menu_items_controller.rb
index fbf2205421..4aa80f4970 100644
--- a/app/controllers/wiki_menu_items_controller.rb
+++ b/app/controllers/wiki_menu_items_controller.rb
@@ -42,7 +42,7 @@ class WikiMenuItemsController < ApplicationController
 end
 def update
- wiki_menu_setting = params[:menu_items_wiki_menu_item][:setting]
+ wiki_menu_setting = wiki_menu_item_params[:setting]
 parent_wiki_menu_item = params[:parent_wiki_menu_item]
 get_data_from_params(params)
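Review bot: Permitting `:navigatable_id` and `:parent_id` in `update` lets a client re-point an existing menu item at a different query or parent, and the lookup `MenuItems::QueryMenuItem.find params[:id]` in this hunk is not scoped to a project or user; the commit only carries the old `attr_accessible` list over, so any ownership check has to live in a before_filter outside the hunk. If the edit form only changes the label, narrowing this action to `permit(:name, :title)` (or a separate `query_menu_item_update_params`) removes the foreign-key surface entirely; otherwise the ids should be validated against the current project before saving. The `update` method continues past the end of the hunk.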
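Review bot: The first line of `update` now goes through `params.require`, which raises `ActionController::ParameterMissing` (a 400) when `menu_items_wiki_menu_item` is absent, where the old `params[...][:setting]` would have failed with a `NoMethodError` on nil; that is an improvement but worth a line in the commit message. The next two lines still read raw `params` (`params[:parent_wiki_menu_item]`, `get_data_from_params(params)`), which is fine because those are scalar lookups rather than mass assignment, but a comment such as `# :parent_wiki_menu_item and :id are lookup keys only, never mass-assigned` would keep a later reader from "fixing" them into the permitted hash. The `update` method continues beyond the hunk.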
@@ -62,7 +62,7 @@ class WikiMenuItemsController < ApplicationController
 end
 else
 @wiki_menu_item.navigatable_id = @page.wiki.id
- @wiki_menu_item.name = params[:menu_items_wiki_menu_item][:name]
+ @wiki_menu_item.name = wiki_menu_item_params[:name]
 @wiki_menu_item.title = @page_title
 if wiki_menu_setting == 'sub_item'
@@ -104,6 +104,11 @@ class WikiMenuItemsController < ApplicationController
 private
+ def wiki_menu_item_params
+ @wiki_menu_item_params ||= params.require(:menu_items_wiki_menu_item).permit(:name, :title, :navigatable_id, :parent_id, :setting, :new_wiki_page, :index_page)
+ end
+
+
 def get_data_from_params(params)
 @page_title = params[:id]
 wiki_id = @project.wiki.id
@@ -122,15 +127,15 @@ class WikiMenuItemsController < ApplicationController
 end
 def assign_wiki_menu_item_params(menu_item)
- if params[:menu_items_wiki_menu_item][:new_wiki_page] == "1"
+ if wiki_menu_item_params[:new_wiki_page] == "1"
 menu_item.new_wiki_page = true
- elsif params[:menu_items_wiki_menu_item][:new_wiki_page] == "0"
+ elsif wiki_menu_item_params[:new_wiki_page] == "0"
 menu_item.new_wiki_page = false
 end
- if params[:menu_items_wiki_menu_item][:index_page] == "1"
+ if wiki_menu_item_params[:index_page] == "1"
 menu_item.index_page = true
- elsif params[:menu_items_wiki_menu_item][:index_page] == "0"
+ elsif wiki_menu_item_params[:index_page] == "0"
 menu_item.index_page = false
 end
 end
diff --git a/app/models/menu_item.rb b/app/models/menu_item.rb
index 748ce20f15..6b6961d645 100644
--- a/app/models/menu_item.rb
+++ b/app/models/menu_item.rb
@@ -32,8 +32,6 @@ class MenuItem < ActiveRecord::Base
 serialize :options, Hash
- attr_accessible :name, :title, :navigatable_id, :parent_id
-
 validates_presence_of :title
 validates_format_of :title, :with => /\A[^,\.\/\?\;\|\:]*\z/
 validates_uniqueness_of :title, :scope => [:navigatable_id, :type]
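Review bot: The permit list in `wiki_menu_item_params` mixes model attributes with form-only switches (`:setting`, `:new_wiki_page`, `:index_page`), and because this same patch drops `attr_accessible` from `MenuItem`, this hash is now the only whitelist for those records; if it is ever passed whole to `update_attributes`/`new`, `:setting` would presumably raise as an unknown attribute and the "1"/"0" handling in `assign_wiki_menu_item_params` would be bypassed. The hunks shown only read single keys from it, so this is a caveat rather than a defect, but a comment above the method such as `# Read individual keys only; :setting/:new_wiki_page/:index_page are form switches, not MenuItem columns — do not mass-assign this hash` would make the contract explicit. The `||=` memoization is sensible since the hash is read several times per request; the line also runs well past 120 columns, so splitting the `permit` call onto a second line would help.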
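Review bot: `assign_wiki_menu_item_params` now calls `wiki_menu_item_params` four times and repeats the same "1"/"0" comparison for each flag; binding the hash once and switching with `case` reads more directly while preserving behaviour, including the fact that any value other than "1" or "0" leaves the flag untouched. A comment stating that last point, e.g. `# any other value (or absence) leaves the flag unchanged`, is worth adding either way.
```ruby
def assign_wiki_menu_item_params(menu_item)
  attrs = wiki_menu_item_params
  # "1"/"0" come from the form checkboxes; any other value leaves the flag unchanged
  case attrs[:new_wiki_page]
  when "1" then menu_item.new_wiki_page = true
  when "0" then menu_item.new_wiki_page = false
  end
  case attrs[:index_page]
  when "1" then menu_item.index_page = true
  when "0" then menu_item.index_page = false
  end
end
```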