From de653854e58fe20239df67a0bd5db0576d7ddf89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ug=CC=A7is=20Ozols?=
Date: Mon, 27 Jan 2014 11:41:56 +0200
Subject: Use strong parameters.
---
.../refinery/blog/admin/categories_controller.rb | 5 +++++
.../refinery/blog/admin/posts_controller.rb | 15 +++++++++++---
app/controllers/refinery/blog/blog_controller.rb | 2 +-
app/controllers/refinery/blog/posts_controller.rb | 10 ++++++++--
app/helpers/refinery/blog/controller_helper.rb | 9 ++++-----
app/models/refinery/blog/categorization.rb | 1 -
app/models/refinery/blog/category.rb | 9 +--------
app/models/refinery/blog/comment.rb | 2 --
app/models/refinery/blog/post.rb | 23 +++++----------------
9 files changed, 36 insertions(+), 40 deletions(-)
(limited to 'app')
diff --git a/app/controllers/refinery/blog/admin/categories_controller.rb b/app/controllers/refinery/blog/admin/categories_controller.rb
index 0a3b7b9..e9f2f89 100644
--- a/app/controllers/refinery/blog/admin/categories_controller.rb
+++ b/app/controllers/refinery/blog/admin/categories_controller.rb
@@ -6,6 +6,11 @@ module Refinery crudify :'refinery/blog/category', :order => 'title ASC' + private + + def category_params + params.require(:category).permit(:title) + end end end
diff --git a/app/controllers/refinery/blog/admin/posts_controller.rb b/app/controllers/refinery/blog/admin/posts_controller.rb
index 81bdc81..d01bba9 100644
--- a/app/controllers/refinery/blog/admin/posts_controller.rb
+++ b/app/controllers/refinery/blog/admin/posts_controller.rb
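Review bot: `category_params` permits only `:title`, while the category.rb hunk of this same commit removes `attr_accessor :locale` and the `Translation` class's `attr_accessible :locale`; if the admin form still posts a `locale` field it is now dropped silently (or raises, when `config.action_controller.action_on_unpermitted_parameters = :raise` is set), so either add `:locale` to the permit list or confirm the form no longer sends it. Whether `crudify` actually calls `category_params` for its create/update actions is not visible here; if it still builds the record from `params[:category]`, `Category.create` will raise `ActiveModel::ForbiddenAttributesError` once `attr_accessible` is gone. A short comment above the method would make the contract explicit, e.g. `# Whitelist used by crudify's create/update; keep in sync with the admin form`. The enclosing class opens above the hunk.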
@@ -38,12 +38,12 @@ module Refinery def create # if the position field exists, set this object as last object, given the conditions of this class. if Refinery::Blog::Post.column_names.include?("position") - params[:post].merge!({ + post_params.merge!({ :position => ((Refinery::Blog::Post.maximum(:position, :conditions => "")||-1) + 1) }) end - if (@post = Refinery::Blog::Post.create(params[:post])).valid? + if (@post = Refinery::Blog::Post.create(post_params)).valid? (request.xhr? ? flash.now : flash).notice = t( 'refinery.crudify.created', :what => "'#{@post.title}'"
@@ -75,7 +75,16 @@ module Refinery end end + private + + def post_params + params.require(:post).permit(:title, :body, :custom_teaser, :tag_list, + :draft, :published_at, :custom_url, :user_id, :browser_title, + :meta_description, :source_url, :source_url_title, :category_ids => []) + end + protected + def find_post @post = Refinery::Blog::Post.find_by_slug_or_id(params[:id]) end
@@ -85,7 +94,7 @@ module Refinery end def check_category_ids - params[:post][:category_ids] ||= [] + post_params[:category_ids] ||= [] end end end
diff --git a/app/controllers/refinery/blog/blog_controller.rb b/app/controllers/refinery/blog/blog_controller.rb
index 6327199..0c50c95 100644
--- a/app/controllers/refinery/blog/blog_controller.rb
+++ b/app/controllers/refinery/blog/blog_controller.rb
@@ -10,7 +10,7 @@ module Refinery protected def find_page - @page = Refinery::Page.find_by_link_url(Refinery::Blog.page_url) + @page = Refinery::Page.find_by(:link_url => Refinery::Blog.page_url) end end end
diff --git a/app/controllers/refinery/blog/posts_controller.rb b/app/controllers/refinery/blog/posts_controller.rb
index 20ac12b..1cc9698 100644
--- a/app/controllers/refinery/blog/posts_controller.rb
+++ b/app/controllers/refinery/blog/posts_controller.rb
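Review bot: `post_params.merge!({ :position => ... })` in `create` mutates a throwaway object — `params.require(:post).permit(...)` builds a fresh `ActionController::Parameters` on every call — so the `:position` value is gone by the time `Refinery::Blog::Post.create(post_params)` evaluates `post_params` again a few lines below; the same applies to `post_params[:category_ids] ||= []` in `check_category_ids` in the @@ -85 hunk, which now has no effect at all. Either memoize the whitelist, `@post_params ||= params.require(:post).permit(...)`, or stop relying on mutation and pass an explicit result: `attrs = post_params.merge(:position => ...)` followed by `Refinery::Blog::Post.create(attrs)`. Note that `:position` is not in the permit list and is only accepted because it is merged into an already-permitted hash; that is the intended server-side assignment, so a comment such as `# position is server-assigned and deliberately not part of post_params` would stop a later reader from "fixing" it by whitelisting it. The `create` action continues past the end of the hunk.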
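Review bot: `post_params` in the @@ -75 hunk permits `:user_id`, so any account that can reach this admin controller can attribute a post to any user; this mirrors the `attr_accessible :user_id` the post.rb hunk removes, but the decision now lives in one place and deserves a line saying it is deliberate, e.g. `# :user_id stays editable so admins can reassign authorship; the form defaults it to the current user`. The `:locale` attribute that the removed `Translation` `attr_accessible` accepted is not in this list, so a posted `locale` will be dropped (or raise, depending on `action_on_unpermitted_parameters`) — confirm the admin form no longer sends it. Placing a `private` section with one method immediately above the existing `protected` section makes two visibility blocks for readers to track; grouping `post_params` with the other helpers under `protected` would be simpler.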
@@ -2,7 +2,7 @@ module Refinery module Blog class PostsController < BlogController - before_filter :paginate_all_blog_posts, :except => [:archive] + before_filter :find_all_blog_posts, :except => [:archive] before_filter :find_blog_post, :only => [:show, :comment, :update_nav] before_filter :find_tags
@@ -37,7 +37,7 @@ module Refinery end def comment - @comment = @post.comments.create(params[:comment]) + @comment = @post.comments.create(comment_params) if @comment.valid? if Comment::Moderation.enabled? or @comment.ham? begin
@@ -81,6 +81,12 @@ module Refinery @posts = Post.live.tagged_with(@tag_name).page(params[:page]) end + private + + def comment_params + params.require(:comment).permit(:name, :email, :message) + end + protected def canonical? Refinery::I18n.default_frontend_locale != Refinery::I18n.current_frontend_locale
diff --git a/app/helpers/refinery/blog/controller_helper.rb b/app/helpers/refinery/blog/controller_helper.rb
index 4bec046..a300148 100644
--- a/app/helpers/refinery/blog/controller_helper.rb
+++ b/app/helpers/refinery/blog/controller_helper.rb
@@ -5,10 +5,9 @@ module Refinery protected def find_blog_post - @post = all_blog_posts.friendly.find(params[:id]) - unless @post.try(:live?) - if refinery_user? && current_refinery_user.authorized_plugins.include?("refinerycms_blog") - @post = Post.friendly.find(params[:id]) + unless (@post = Refinery::Blog::Post.with_globalize.friendly.find(params[:id])).try(:live?) + if refinery_user? and current_refinery_user.authorized_plugins.include?("refinerycms_blog") + @post = Refinery::Blog::Post.friendly.find(params[:id]) else error_404 end
@@ -16,7 +15,7 @@ module Refinery end def find_all_blog_posts - @posts = all_blog_posts.live + @posts = Refinery::Blog::Post.live.includes(:comments, :categories).with_globalize.page(params[:page]) end def find_tags
diff --git a/app/models/refinery/blog/categorization.rb b/app/models/refinery/blog/categorization.rb
index 7ca9c77..b7dbcc8 100644
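Review bot: The rewritten condition in `find_blog_post` (controller_helper @@ -5 hunk) swaps the original `&&` for `and`; `and` binds looser than assignment and `!`, so `if refinery_user? and current_refinery_user.authorized_plugins.include?("refinerycms_blog")` should go back to `&&` — it only works here because nothing else is on the line, and this is the one access check that keeps unpublished posts away from anonymous visitors. Folding the lookup into `unless (@post = ...).try(:live?)` also buries that gate; keeping `@post = Refinery::Blog::Post.with_globalize.friendly.find(params[:id])` on its own line followed by `unless @post.try(:live?)` reads as the old code did. `friendly.find` raises `ActiveRecord::RecordNotFound` for an unknown id rather than returning nil, so if `.try` is guarding some other path a comment naming it would help. In the @@ -16 hunk, `find_all_blog_posts` now eager-loads `:comments` for a whole page of posts, and the posts_controller hunk wires it as a `before_filter` for every action except `archive`, so that query also runs on `show` and on the `comment` POST — confirm that is intended.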
--- a/app/models/refinery/blog/categorization.rb
+++ b/app/models/refinery/blog/categorization.rb
@@ -6,7 +6,6 @@ module Refinery belongs_to :blog_post, :class_name => 'Refinery::Blog::Post', :foreign_key => :blog_post_id belongs_to :blog_category, :class_name => 'Refinery::Blog::Category', :foreign_key => :blog_category_id - attr_accessible :blog_category_id, :blog_post_id end end end
diff --git a/app/models/refinery/blog/category.rb b/app/models/refinery/blog/category.rb
index acab8bf..5cf4ea5 100644
--- a/app/models/refinery/blog/category.rb
+++ b/app/models/refinery/blog/category.rb
@@ -1,10 +1,10 @@ module Refinery module Blog class Category < ActiveRecord::Base + extend FriendlyId translates :title, :slug - extend FriendlyId friendly_id :title, :use => [:slugged, :globalize] has_many :categorizations, :dependent => :destroy, :foreign_key => :blog_category_id
@@ -12,13 +12,6 @@ module Refinery validates :title, :presence => true, :uniqueness => true - attr_accessible :title - attr_accessor :locale - - class Translation - attr_accessible :locale - end - def self.translated with_translations(::Globalize.locale) end
diff --git a/app/models/refinery/blog/comment.rb b/app/models/refinery/blog/comment.rb
index ae35a59..be94238 100644
--- a/app/models/refinery/blog/comment.rb
+++ b/app/models/refinery/blog/comment.rb
@@ -2,8 +2,6 @@ module Refinery module Blog class Comment < ActiveRecord::Base - attr_accessible :name, :email, :message - filters_spam author_field: :name, email_field: :email, message_field: :body belongs_to :post, foreign_key: 'blog_post_id'
diff --git a/app/models/refinery/blog/post.rb b/app/models/refinery/blog/post.rb
index 1c2cf04..005ec29 100644
--- a/app/models/refinery/blog/post.rb
+++ b/app/models/refinery/blog/post.rb
@@ -4,51 +4,38 @@ require 'seo_meta' module Refinery module Blog class Post < ActiveRecord::Base + extend FriendlyId translates :title, :body, :custom_url, :custom_teaser, :slug, :include => :seo_meta - extend FriendlyId friendly_id :friendly_id_source, :use => [:slugged, :globalize] - is_seo_meta if self.table_exists? - - belongs_to :author, proc{ readonly(true) }, :class_name => Refinery::Blog.user_class.to_s, :foreign_key => :user_id + is_seo_meta - has_many :comments, :dependent => :destroy, :foreign_key => :blog_post_id acts_as_taggable + belongs_to :author, proc { readonly(true) }, :class_name => Refinery::Blog.user_class.to_s, :foreign_key => :user_id + has_many :comments, :dependent => :destroy, :foreign_key => :blog_post_id has_many :categorizations, :dependent => :destroy, :foreign_key => :blog_post_id has_many :categories, :through => :categorizations, :source => :blog_category validates :title, :presence => true, :uniqueness => true validates :body, :presence => true validates :published_at, :author, :presence => true - validates :source_url, :url => { :if => 'Refinery::Blog.validate_source_url', :update => true, :allow_nil => true, :allow_blank => true, :verify => [:resolve_redirects]} - attr_accessible :title, :body, :custom_teaser, :tag_list, :draft, :published_at, :custom_url, :author - attr_accessible :browser_title, :meta_description, :user_id, :category_ids - attr_accessible :source_url, :source_url_title - attr_accessor :locale - class Translation is_seo_meta - attr_accessible :browser_title, :meta_description, :locale end - # Delegate SEO Attributes to globalize3 translation + # Delegate SEO Attributes to globalize translation seo_fields = ::SeoMeta.attributes.keys.map{|a| [a, :"#{a}="]}.flatten delegate(*(seo_fields << {:to => :translation})) - before_save do |m| - m.translation.globalized_model = self - m.translation.save if m.translation.new_record? - end - self.per_page = Refinery::Blog.posts_per_page def next
-- cgit v1.2.3
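Review bot: The `validates :source_url, :url => { ... }` line is removed with no replacement, yet the admin `post_params` in this same commit still permits `:source_url` and `:source_url_title`, so an arbitrary string can now be persisted and later emitted wherever the view links to the source; the commit message ("Use strong parameters") does not cover that drop, so it reads as accidental. Dropping `:verify => [:resolve_redirects]` does have a real upside — the server no longer fetches admin-supplied URLs at validation time — so if the intent is to lose the `url` validator, keep a format-only check behind the same switch: `validates :source_url, :format => { :with => %r{\Ahttps?://}i, :allow_blank => true }, :if => proc { Refinery::Blog.validate_source_url }`. Separately, `is_seo_meta if self.table_exists?` becomes an unconditional `is_seo_meta`; if that macro reads the schema, loading the model before the blog migrations have run may now fail — worth confirming against a fresh install. The class body continues past `def next`.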