a52b6f1c87
* Add explicit wrap_parameters to controllers for flat JSON API support Virtual attributes (has_rich_text, has_one_attached, delegated setters, ActiveModel attrs) are not in Model.attribute_names, so wrap_parameters auto-detection silently drops them from flat JSON requests. Add explicit include: lists matching each controller's permitted params. * Convert short-form wrap_parameters to explicit include: lists Defense-in-depth: these controllers only have real-column params today, so auto-detection works, but explicit lists prevent future regressions if virtual attributes are added. * Add flat JSON param tests for all wrap_parameters controllers 17 new tests covering every controller with wrap_parameters, verifying that flat (unwrapped) JSON payloads are correctly wrapped and processed. Focuses on virtual attributes that would be silently dropped without explicit include: lists.
29 lines
704 B
Ruby
29 lines
704 B
Ruby
class Users::RolesController < ApplicationController
|
|
wrap_parameters :user, include: %i[ role ]
|
|
|
|
before_action :set_user
|
|
before_action :ensure_permission_to_administer_user
|
|
|
|
def update
|
|
@user.update!(role_params)
|
|
|
|
respond_to do |format|
|
|
format.html { redirect_to account_settings_path }
|
|
format.json { head :no_content }
|
|
end
|
|
end
|
|
|
|
private
|
|
def set_user
|
|
@user = Current.account.users.active.find(params[:user_id])
|
|
end
|
|
|
|
def ensure_permission_to_administer_user
|
|
head :forbidden unless Current.user.can_administer?(@user)
|
|
end
|
|
|
|
def role_params
|
|
{ role: params.require(:user)[:role].presence_in(%w[ member admin ]) || "member" }
|
|
end
|
|
end
|