Files
fizzy/app/controllers/cards/comments/reactions_controller.rb
T
Jeremy Daer a52b6f1c87 Add explicit wrap_parameters to all controllers (#2680)
* Add explicit wrap_parameters to controllers for flat JSON API support

Virtual attributes (has_rich_text, has_one_attached, delegated setters,
ActiveModel attrs) are not in Model.attribute_names, so wrap_parameters
auto-detection silently drops them from flat JSON requests. Add explicit
include: lists matching each controller's permitted params.

* Convert short-form wrap_parameters to explicit include: lists

Defense-in-depth: these controllers only have real-column params today,
so auto-detection works, but explicit lists prevent future regressions
if virtual attributes are added.

* Add flat JSON param tests for all wrap_parameters controllers

17 new tests covering every controller with wrap_parameters, verifying
that flat (unwrapped) JSON payloads are correctly wrapped and processed.
Focuses on virtual attributes that would be silently dropped without
explicit include: lists.
2026-03-09 21:47:05 -07:00

57 lines
1.2 KiB
Ruby

class Cards::Comments::ReactionsController < ApplicationController
wrap_parameters :reaction, include: %i[ content ]
include CardScoped
before_action :set_comment
before_action :set_reactable
with_options only: :destroy do
before_action :set_reaction
before_action :ensure_permission_to_administer_reaction
end
def index
render "reactions/index"
end
def new
render "reactions/new"
end
def create
@reaction = @reactable.reactions.create!(params.expect(reaction: :content))
respond_to do |format|
format.turbo_stream { render "reactions/create" }
format.json { render "reactions/show", status: :created }
end
end
def destroy
@reaction.destroy
respond_to do |format|
format.turbo_stream { render "reactions/destroy" }
format.json { head :no_content }
end
end
private
def set_comment
@comment = @card.comments.find(params[:comment_id])
end
def set_reactable
@reactable = @comment
end
def set_reaction
@reaction = @reactable.reactions.find(params[:id])
end
def ensure_permission_to_administer_reaction
head :forbidden if Current.user != @reaction.reacter
end
end