Files
fizzy/app/controllers/my/access_tokens_controller.rb
T
Jeremy Daer a52b6f1c87 Add explicit wrap_parameters to all controllers (#2680)
* Add explicit wrap_parameters to controllers for flat JSON API support

Virtual attributes (has_rich_text, has_one_attached, delegated setters,
ActiveModel attrs) are not in Model.attribute_names, so wrap_parameters
auto-detection silently drops them from flat JSON requests. Add explicit
include: lists matching each controller's permitted params.

* Convert short-form wrap_parameters to explicit include: lists

Defense-in-depth: these controllers only have real-column params today,
so auto-detection works, but explicit lists prevent future regressions
if virtual attributes are added.

* Add flat JSON param tests for all wrap_parameters controllers

17 new tests covering every controller with wrap_parameters, verifying
that flat (unwrapped) JSON payloads are correctly wrapped and processed.
Focuses on virtual attributes that would be silently dropped without
explicit include: lists.
2026-03-09 21:47:05 -07:00

59 lines
1.5 KiB
Ruby

class My::AccessTokensController < ApplicationController
wrap_parameters :access_token, include: %i[ description permission ]
skip_before_action :require_account
def index
@access_tokens = my_access_tokens.order(created_at: :desc)
end
def show
@access_token = my_access_tokens.find(verifier.verify(params[:id]))
rescue ActiveSupport::MessageVerifier::InvalidSignature
redirect_to my_access_tokens_path, alert: "Token is no longer visible"
end
def new
@access_token = my_access_tokens.new
end
def create
access_token = my_access_tokens.create!(access_token_params)
respond_to do |format|
format.html do
expiring_id = verifier.generate access_token.id, expires_in: 10.seconds
redirect_to my_access_token_path(expiring_id)
end
format.json do
render status: :created, json: \
{ id: access_token.id, token: access_token.token, description: access_token.description,
permission: access_token.permission, created_at: access_token.created_at.utc }
end
end
end
def destroy
my_access_tokens.find(params[:id]).destroy!
respond_to do |format|
format.html { redirect_to my_access_tokens_path }
format.json { head :no_content }
end
end
private
def my_access_tokens
Current.identity.access_tokens
end
def access_token_params
params.expect(access_token: %i[ description permission ])
end
def verifier
Rails.application.message_verifier(:access_tokens)
end
end