Remove protected_attributes gem

We do not enforce the rules, so removing it and switching the existing
annotations to strong_parameters does not make our situation worse.
This commit is contained in:
Patrick Gansterer 2019-10-29 15:16:43 +01:00
parent 9fc51bdce8
commit 39aff78f11
8 changed files with 32 additions and 29 deletions

View file

@ -42,7 +42,6 @@ gem 'rails-settings-cached', '= 0.4.3' # caching breaks tests until Rails 5 http
gem 'resque'
gem 'thin'
gem 'whenever', require: false # For defining cronjobs, see config/schedule.rb
gem 'protected_attributes', '= 1.1.0' # 1.1.0 until tests work work with higher versions
gem 'ruby-units'
gem 'attribute_normalizer'
gem 'ice_cube'

View file

@ -285,8 +285,6 @@ GEM
ttfunk (~> 1.5)
prawn-table (0.2.2)
prawn (>= 1.3.0, < 3.0.0)
protected_attributes (1.1.0)
activemodel (>= 4.0.1, < 5.0)
pry (0.12.2)
coderay (~> 1.1.0)
method_source (~> 0.9.0)
@ -549,7 +547,6 @@ DEPENDENCIES
mysql2 (~> 0.4.0)
prawn
prawn-table
protected_attributes (= 1.1.0)
pry-rescue
pry-stack_explorer
puma

View file

@ -26,7 +26,7 @@ class SuppliersController < ApplicationController
end
def create
@supplier = Supplier.new(params[:supplier])
@supplier = Supplier.new(supplier_params)
if @supplier.save
flash[:notice] = I18n.t('suppliers.create.notice')
redirect_to suppliers_path
@ -41,7 +41,7 @@ class SuppliersController < ApplicationController
def update
@supplier = Supplier.find(params[:id])
if @supplier.update_attributes(params[:supplier])
if @supplier.update_attributes(supplier_params)
flash[:notice] = I18n.t('suppliers.update.notice')
redirect_to @supplier
else
@ -64,4 +64,14 @@ class SuppliersController < ApplicationController
@shared_suppliers = SharedSupplier.all
end
private
def supplier_params
params
.require(:supplier)
.permit(:name, :address, :phone, :phone2, :fax, :email, :url, :contact_person, :customer_number,
:iban, :custom_fields, :delivery_days, :order_howto, :note,
:shared_supplier_id, :min_order_quantity, :shared_sync_method)
end
end

View file

@ -17,7 +17,7 @@ class TasksController < ApplicationController
end
def create
@task = Task.new(params[:task])
@task = Task.new(task_params, current_user_id: current_user.id)
if params[:periodic]
@task.periodic_task_group = PeriodicTaskGroup.new
end
@ -44,6 +44,7 @@ class TasksController < ApplicationController
task_group = @task.periodic_task_group
was_periodic = @task.periodic?
prev_due_date = @task.due_date
@task.current_user_id = current_user.id
@task.attributes=(params[:task])
if @task.errors.empty? && @task.save
task_group.update_tasks_including(@task, prev_due_date) if params[:periodic]
@ -111,4 +112,13 @@ class TasksController < ApplicationController
redirect_to tasks_url, :alert => I18n.t('tasks.error_not_found')
end
end
private
def task_params
params
.require(:task)
.permit(:name, :description, :duration, :user_list, :required_users, :workgroup, :due_date, :done)
end
end

View file

@ -10,10 +10,6 @@ class Supplier < ApplicationRecord
has_many :invoices
belongs_to :shared_supplier # for the sharedLists-App
include ActiveModel::MassAssignmentSecurity
attr_accessible :name, :address, :phone, :phone2, :fax, :email, :url, :contact_person, :customer_number, :iban, :custom_fields,
:delivery_days, :order_howto, :note, :shared_supplier_id, :min_order_quantity, :shared_sync_method
validates :name, :presence => true, :length => { :in => 4..30 }
validates :phone, :presence => true, :length => { :in => 8..25 }
validates :address, :presence => true, :length => { :in => 8..50 }

View file

@ -11,10 +11,6 @@ class Task < ApplicationRecord
attr_accessor :current_user_id
# form will send user in string. responsibilities will added later
include ActiveModel::MassAssignmentSecurity
attr_protected :users
validates :name, :presence => true, :length => { :minimum => 3 }
validates :required_users, :presence => true
validates_numericality_of :duration, :required_users, :only_integer => true, :greater_than => 0

View file

@ -1,4 +1,3 @@
= form.hidden_field :current_user_id
= form.input :name
= form.input :description, as: :text, input_html: {rows: 10}
= form.input :duration, :as => :select, :collection => 1..3

View file

@ -42,12 +42,8 @@ module Foodsoft
# like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql
# Enforce whitelist mode for mass assignment.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
# TODO Re-activate this. Uncommenting this line will currently cause rspec to fail.
config.active_record.whitelist_attributes = false
# TODO Disable this. Uncommenting this line will currently cause rspec to fail.
config.action_controller.permit_all_parameters = true
# Enable the asset pipeline
config.assets.enabled = true