Files
fizzy/app/controllers/users/roles_controller.rb
T
Jeremy Daer a52b6f1c87 Add explicit wrap_parameters to all controllers (#2680)
* Add explicit wrap_parameters to controllers for flat JSON API support

Virtual attributes (has_rich_text, has_one_attached, delegated setters,
ActiveModel attrs) are not in Model.attribute_names, so wrap_parameters
auto-detection silently drops them from flat JSON requests. Add explicit
include: lists matching each controller's permitted params.

* Convert short-form wrap_parameters to explicit include: lists

Defense-in-depth: these controllers only have real-column params today,
so auto-detection works, but explicit lists prevent future regressions
if virtual attributes are added.

* Add flat JSON param tests for all wrap_parameters controllers

17 new tests covering every controller with wrap_parameters, verifying
that flat (unwrapped) JSON payloads are correctly wrapped and processed.
Focuses on virtual attributes that would be silently dropped without
explicit include: lists.
2026-03-09 21:47:05 -07:00

29 lines
704 B
Ruby

class Users::RolesController < ApplicationController
wrap_parameters :user, include: %i[ role ]
before_action :set_user
before_action :ensure_permission_to_administer_user
def update
@user.update!(role_params)
respond_to do |format|
format.html { redirect_to account_settings_path }
format.json { head :no_content }
end
end
private
def set_user
@user = Current.account.users.active.find(params[:user_id])
end
def ensure_permission_to_administer_user
head :forbidden unless Current.user.can_administer?(@user)
end
def role_params
{ role: params.require(:user)[:role].presence_in(%w[ member admin ]) || "member" }
end
end