diff options
author | Guillermo Iguaran <guilleiguaran@gmail.com> | 2012-07-19 08:43:58 -0500 |
---|---|---|
committer | Guillermo Iguaran <guilleiguaran@gmail.com> | 2012-09-16 23:58:20 -0500 |
commit | 8042835c157a4a7b567d23c7552a9b671f50328b (patch) | |
tree | b2fe5860131552b9be368d64c11d3d6897599ba1 /railties | |
parent | b4d9a586bc35e3e611ffdcdc17a3e7bdda6e3323 (diff) | |
download | rails-8042835c157a4a7b567d23c7552a9b671f50328b.tar.gz rails-8042835c157a4a7b567d23c7552a9b671f50328b.tar.bz2 rails-8042835c157a4a7b567d23c7552a9b671f50328b.zip |
Change scaffold_controller to generate and use private method to encapsulate permissible params
Diffstat (limited to 'railties')
4 files changed, 21 insertions, 8 deletions
diff --git a/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb b/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb index 0618b16984..f30ad6e20d 100644 --- a/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb +++ b/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb @@ -10,6 +10,8 @@ module Rails class_option :orm, :banner => "NAME", :type => :string, :required => true, :desc => "ORM to generate the controller for" + argument :attributes, :type => :array, :default => [], :banner => "field:type field:type" + def create_controller_files template "controller.rb", File.join('app/controllers', class_path, "#{controller_file_name}_controller.rb") end diff --git a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb index b3e74f9b02..32f661278e 100644 --- a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb +++ b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb @@ -45,7 +45,7 @@ class <%= controller_class_name %>Controller < ApplicationController # POST <%= route_url %> # POST <%= route_url %>.json def create - @<%= singular_table_name %> = <%= orm_class.build(class_name, "params[:#{singular_table_name}]") %> + @<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %> respond_to do |format| if @<%= orm_instance.save %> @@ -64,7 +64,7 @@ class <%= controller_class_name %>Controller < ApplicationController @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %> respond_to do |format| - if @<%= orm_instance.update_attributes("params[:#{singular_table_name}]") %> + if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %> format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> } format.json { head :no_content } else @@ -85,5 +85,13 @@ class <%= controller_class_name %>Controller < ApplicationController format.json { head :no_content } end end + + private + + # Use this method to whitelist the permissible parameters. Example: params.require(:person).permit(:name, :age) + # Also, you can specialize this method with per-user checking of permissible attributes. + def <%= "#{singular_table_name}_params" %> + params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>) + end end <% end -%> diff --git a/railties/test/generators/scaffold_controller_generator_test.rb b/railties/test/generators/scaffold_controller_generator_test.rb index 1eea50b0d9..1e16f04d85 100644 --- a/railties/test/generators/scaffold_controller_generator_test.rb +++ b/railties/test/generators/scaffold_controller_generator_test.rb @@ -33,14 +33,14 @@ class ScaffoldControllerGeneratorTest < Rails::Generators::TestCase end assert_instance_method :create, content do |m| - assert_match(/@user = User\.new\(params\[:user\]\)/, m) + assert_match(/@user = User\.new\(user_params\)/, m) assert_match(/@user\.save/, m) assert_match(/@user\.errors/, m) end assert_instance_method :update, content do |m| assert_match(/@user = User\.find\(params\[:id\]\)/, m) - assert_match(/@user\.update_attributes\(params\[:user\]\)/, m) + assert_match(/@user\.update_attributes\(user_params\)/, m) assert_match(/@user\.errors/, m) end @@ -48,6 +48,9 @@ class ScaffoldControllerGeneratorTest < Rails::Generators::TestCase assert_match(/@user = User\.find\(params\[:id\]\)/, m) assert_match(/@user\.destroy/, m) end + + assert_match(/def user_params/, content) + assert_match(/params\.require\(:user\)\.permit\(:age, :name\)/, content) end end diff --git a/railties/test/generators/scaffold_generator_test.rb b/railties/test/generators/scaffold_generator_test.rb index 9b456c64ef..40c5188042 100644 --- a/railties/test/generators/scaffold_generator_test.rb +++ b/railties/test/generators/scaffold_generator_test.rb @@ -43,14 +43,14 @@ class ScaffoldGeneratorTest < Rails::Generators::TestCase end assert_instance_method :create, content do |m| - assert_match(/@product_line = ProductLine\.new\(params\[:product_line\]\)/, m) + assert_match(/@product_line = ProductLine\.new\(product_line_params\)/, m) assert_match(/@product_line\.save/, m) assert_match(/@product_line\.errors/, m) end assert_instance_method :update, content do |m| assert_match(/@product_line = ProductLine\.find\(params\[:id\]\)/, m) - assert_match(/@product_line\.update_attributes\(params\[:product_line\]\)/, m) + assert_match(/@product_line\.update_attributes\(product_line_params\)/, m) assert_match(/@product_line\.errors/, m) end @@ -166,14 +166,14 @@ class ScaffoldGeneratorTest < Rails::Generators::TestCase end assert_instance_method :create, content do |m| - assert_match(/@admin_role = Admin::Role\.new\(params\[:admin_role\]\)/, m) + assert_match(/@admin_role = Admin::Role\.new\(admin_role_params\)/, m) assert_match(/@admin_role\.save/, m) assert_match(/@admin_role\.errors/, m) end assert_instance_method :update, content do |m| assert_match(/@admin_role = Admin::Role\.find\(params\[:id\]\)/, m) - assert_match(/@admin_role\.update_attributes\(params\[:admin_role\]\)/, m) + assert_match(/@admin_role\.update_attributes\(admin_role_params\)/, m) assert_match(/@admin_role\.errors/, m) end |