Add explicit wrap_parameters to all controllers (#2680)
* Add explicit wrap_parameters to controllers for flat JSON API support Virtual attributes (has_rich_text, has_one_attached, delegated setters, ActiveModel attrs) are not in Model.attribute_names, so wrap_parameters auto-detection silently drops them from flat JSON requests. Add explicit include: lists matching each controller's permitted params. * Convert short-form wrap_parameters to explicit include: lists Defense-in-depth: these controllers only have real-column params today, so auto-detection works, but explicit lists prevent future regressions if virtual attributes are added. * Add flat JSON param tests for all wrap_parameters controllers 17 new tests covering every controller with wrap_parameters, verifying that flat (unwrapped) JSON payloads are correctly wrapped and processed. Focuses on virtual attributes that would be silently dropped without explicit include: lists.
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
class Account::JoinCodesController < ApplicationController
|
||||
wrap_parameters :account_join_code
|
||||
wrap_parameters :account_join_code, include: %i[ usage_limit ]
|
||||
|
||||
before_action :set_join_code
|
||||
before_action :ensure_admin, only: %i[ update destroy ]
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class Account::SettingsController < ApplicationController
|
||||
wrap_parameters :account
|
||||
wrap_parameters :account, include: %i[ name ]
|
||||
|
||||
before_action :ensure_admin, only: :update
|
||||
before_action :set_account
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class Boards::ColumnsController < ApplicationController
|
||||
wrap_parameters :column, include: %i[ name color ]
|
||||
|
||||
include BoardScoped
|
||||
|
||||
before_action :set_column, only: %i[ show update destroy ]
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class BoardsController < ApplicationController
|
||||
wrap_parameters :board, include: %i[ name all_access auto_postpone_period_in_days public_description ]
|
||||
|
||||
include FilterScoped
|
||||
|
||||
before_action :set_board, except: %i[ index new create ]
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class Cards::Comments::ReactionsController < ApplicationController
|
||||
wrap_parameters :reaction, include: %i[ content ]
|
||||
|
||||
include CardScoped
|
||||
|
||||
before_action :set_comment
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class Cards::ReactionsController < ApplicationController
|
||||
wrap_parameters :reaction, include: %i[ content ]
|
||||
|
||||
include CardScoped
|
||||
|
||||
before_action :set_reactable
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class Cards::StepsController < ApplicationController
|
||||
wrap_parameters :step, include: %i[ content completed ]
|
||||
|
||||
include CardScoped
|
||||
|
||||
before_action :set_step, only: %i[ show edit update destroy ]
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class CardsController < ApplicationController
|
||||
wrap_parameters :card, include: %i[ title description image created_at last_active_at ]
|
||||
|
||||
include FilterScoped
|
||||
|
||||
before_action :set_board, only: %i[ create ]
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class My::AccessTokensController < ApplicationController
|
||||
wrap_parameters :access_token, include: %i[ description permission ]
|
||||
|
||||
skip_before_action :require_account
|
||||
|
||||
def index
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class Notifications::SettingsController < ApplicationController
|
||||
wrap_parameters :user_settings
|
||||
wrap_parameters :user_settings, include: %i[ bundle_email_frequency ]
|
||||
|
||||
before_action :set_settings
|
||||
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class Signups::CompletionsController < ApplicationController
|
||||
wrap_parameters :signup, include: %i[ full_name ]
|
||||
|
||||
layout "public"
|
||||
|
||||
disallow_account_scope
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class SignupsController < ApplicationController
|
||||
wrap_parameters :signup, include: %i[ email_address ]
|
||||
|
||||
disallow_account_scope
|
||||
allow_unauthenticated_access
|
||||
rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_signup_path, alert: "Try again later." }
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class Users::JoinsController < ApplicationController
|
||||
wrap_parameters :user, include: %i[ name avatar ]
|
||||
|
||||
layout "public"
|
||||
|
||||
def new
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class Users::PushSubscriptionsController < ApplicationController
|
||||
wrap_parameters :push_subscription, include: %i[ endpoint p256dh_key auth_key ]
|
||||
|
||||
before_action :set_push_subscriptions
|
||||
|
||||
def index
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class Users::RolesController < ApplicationController
|
||||
wrap_parameters :user
|
||||
wrap_parameters :user, include: %i[ role ]
|
||||
|
||||
before_action :set_user
|
||||
before_action :ensure_permission_to_administer_user
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class UsersController < ApplicationController
|
||||
wrap_parameters :user, include: %i[ name avatar ]
|
||||
|
||||
before_action :set_user, except: %i[ index ]
|
||||
before_action :ensure_permission_to_change_user, only: %i[ update destroy ]
|
||||
|
||||
|
||||
@@ -1,4 +1,6 @@
|
||||
class WebhooksController < ApplicationController
|
||||
wrap_parameters :webhook, include: %i[ name url subscribed_actions ]
|
||||
|
||||
include BoardScoped
|
||||
|
||||
before_action :ensure_admin
|
||||
|
||||
Reference in New Issue
Block a user