Files
fizzy/app/controllers/boards_controller.rb
Jeremy Daer a52b6f1c87 Add explicit wrap_parameters to all controllers (#2680)
* Add explicit wrap_parameters to controllers for flat JSON API support

Virtual attributes (has_rich_text, has_one_attached, delegated setters,
ActiveModel attrs) are not in Model.attribute_names, so wrap_parameters
auto-detection silently drops them from flat JSON requests. Add explicit
include: lists matching each controller's permitted params.

* Convert short-form wrap_parameters to explicit include: lists

Defense-in-depth: these controllers only have real-column params today,
so auto-detection works, but explicit lists prevent future regressions
if virtual attributes are added.

* Add flat JSON param tests for all wrap_parameters controllers

17 new tests covering every controller with wrap_parameters, verifying
that flat (unwrapped) JSON payloads are correctly wrapped and processed.
Focuses on virtual attributes that would be silently dropped without
explicit include: lists.
2026-03-09 21:47:05 -07:00

108 lines
2.7 KiB
Ruby

class BoardsController < ApplicationController
wrap_parameters :board, include: %i[ name all_access auto_postpone_period_in_days public_description ]
include FilterScoped
before_action :set_board, except: %i[ index new create ]
before_action :ensure_permission_to_admin_board, only: %i[ update destroy ]
def index
set_page_and_extract_portion_from Current.user.boards.ordered_by_recently_accessed.includes(creator: :identity)
fresh_when etag: @page.records
end
def show
if @filter.used?(ignore_boards: true)
show_filtered_cards
else
show_columns
end
end
def new
@board = Board.new
end
def create
@board = Board.create! board_params.with_defaults(all_access: true)
respond_to do |format|
format.html { redirect_to board_path(@board) }
format.json { render :show, status: :created, location: board_path(@board, format: :json) }
end
end
def edit
selected_user_ids = @board.users.ids
@selected_users, @unselected_users = \
@board.account.users.active.alphabetically.includes(:identity).partition { |user| selected_user_ids.include? user.id }
end
def update
@board.update! board_params
@board.accesses.revise granted: grantees, revoked: revokees if grantees_changed?
respond_to do |format|
format.html do
if @board.accessible_to?(Current.user)
redirect_to edit_board_path(@board), notice: "Saved"
else
redirect_to root_path, notice: "Saved (you were removed from the board)"
end
end
format.json { head :no_content }
end
end
def destroy
@board.destroy
respond_to do |format|
format.html { redirect_to root_path }
format.json { head :no_content }
end
end
private
def set_board
@board = Current.user.boards.find params[:id]
end
def ensure_permission_to_admin_board
unless Current.user.can_administer_board?(@board)
head :forbidden
end
end
def grantees_changed?
params.key?(:user_ids)
end
def show_filtered_cards
@filter.board_ids = [ @board.id ]
set_page_and_extract_portion_from @filter.cards
end
def show_columns
cards = @board.cards.awaiting_triage.latest.with_golden_first.preloaded
set_page_and_extract_portion_from cards
fresh_when etag: [ @board, @page.records, @user_filtering, Current.account ]
end
def board_params
params.expect(board: [ :name, :all_access, :auto_postpone_period_in_days, :public_description ])
end
def grantees
@board.account.users.active.where id: grantee_ids
end
def revokees
@board.users.where.not id: grantee_ids
end
def grantee_ids
params.fetch :user_ids, []
end
end