More robust implementation to prevent method injection attacks
This commit is contained in:
@@ -1,13 +1,21 @@
|
||||
class Events::DayTimeline::ColumnsController < ApplicationController
|
||||
include DayTimelinesScoped
|
||||
|
||||
before_action :ensure_valid_column
|
||||
before_action :set_column
|
||||
|
||||
def show
|
||||
@column = column_for_id(params[:id])
|
||||
fresh_when @day_timeline
|
||||
end
|
||||
|
||||
private
|
||||
def column_for_id(id)
|
||||
@day_timeline.try("#{id}_column") or head :not_found
|
||||
VALID_COLUMNS = %w[ added updated closed ]
|
||||
|
||||
def ensure_valid_column
|
||||
head :not_found unless VALID_COLUMNS.include?(params[:id])
|
||||
end
|
||||
|
||||
def set_column
|
||||
@column = @day_timeline.public_send("#{params[:id]}_column")
|
||||
end
|
||||
end
|
||||
|
||||
@@ -0,0 +1,30 @@
|
||||
require "test_helper"
|
||||
|
||||
class Events::DayTimeline::ColumnsControllerTest < ActionDispatch::IntegrationTest
|
||||
setup do
|
||||
sign_in_as :kevin
|
||||
end
|
||||
|
||||
test "show added column" do
|
||||
get events_day_timeline_column_path("added")
|
||||
assert_response :success
|
||||
assert_select "h1", text: /Added/
|
||||
end
|
||||
|
||||
test "show updated column" do
|
||||
get events_day_timeline_column_path("updated")
|
||||
assert_response :success
|
||||
assert_select "h1", text: /Updated/
|
||||
end
|
||||
|
||||
test "show closed column" do
|
||||
get events_day_timeline_column_path("closed")
|
||||
assert_response :success
|
||||
assert_select "h1", text: /Closed/
|
||||
end
|
||||
|
||||
test "show returns not found for invalid column" do
|
||||
get events_day_timeline_column_path("invalid")
|
||||
assert_response :not_found
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user