a52b6f1c87
* Add explicit wrap_parameters to controllers for flat JSON API support Virtual attributes (has_rich_text, has_one_attached, delegated setters, ActiveModel attrs) are not in Model.attribute_names, so wrap_parameters auto-detection silently drops them from flat JSON requests. Add explicit include: lists matching each controller's permitted params. * Convert short-form wrap_parameters to explicit include: lists Defense-in-depth: these controllers only have real-column params today, so auto-detection works, but explicit lists prevent future regressions if virtual attributes are added. * Add flat JSON param tests for all wrap_parameters controllers 17 new tests covering every controller with wrap_parameters, verifying that flat (unwrapped) JSON payloads are correctly wrapped and processed. Focuses on virtual attributes that would be silently dropped without explicit include: lists.
38 lines
940 B
Ruby
38 lines
940 B
Ruby
class SignupsController < ApplicationController
|
|
wrap_parameters :signup, include: %i[ email_address ]
|
|
|
|
disallow_account_scope
|
|
allow_unauthenticated_access
|
|
rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_signup_path, alert: "Try again later." }
|
|
before_action :redirect_authenticated_user
|
|
before_action :enforce_tenant_limit
|
|
|
|
layout "public"
|
|
|
|
def new
|
|
@signup = Signup.new
|
|
end
|
|
|
|
def create
|
|
signup = Signup.new(signup_params)
|
|
if signup.valid?(:identity_creation)
|
|
redirect_to_session_magic_link signup.create_identity
|
|
else
|
|
head :unprocessable_entity
|
|
end
|
|
end
|
|
|
|
private
|
|
def redirect_authenticated_user
|
|
redirect_to new_signup_completion_path if authenticated?
|
|
end
|
|
|
|
def enforce_tenant_limit
|
|
redirect_to new_session_url unless Account.accepting_signups?
|
|
end
|
|
|
|
def signup_params
|
|
params.expect signup: :email_address
|
|
end
|
|
end
|