Secure product_categories and add example test for other supplier resources and fix hack attempts included in test

2012-12-06 12:21:38 +01:00
parent 382f91b1d6
commit 180b6deb4d
8 changed files with 207 additions and 8 deletions
+5 -2
@@ -1,10 +1,9 @@
class ApplicationController < ActionController::Base
before_filter :set_locale
layout :layout_by_resource
protect_from_forgery
rescue_from SimplyStored::RecordNotFound, with: :show_404
private
def broadcast_user(uid, event, data = {})
@@ -62,4 +61,8 @@ private
"http://#{Rails.env.production? ? 'events.qwaiter.com' : 'localhost'}:9296/faye"
end
helper_method :event_host
def show_404
render 'dashboard/404', layout: true, status: 404
end
end
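Review bot: `show_404` at the end of the second hunk always renders the HTML template `dashboard/404` with a layout, but it is now the controller-wide handler for `SimplyStored::RecordNotFound`, and the product-category actions this commit scopes to `current_supplier` also serve `.json` (`# GET /product_categories/1.json`), so a JSON client that requests another supplier's id gets a 404 status with an HTML body. Making the handler format-aware keeps the 404 (the right answer for a foreign id, since it does not reveal whether the record exists) while giving non-HTML callers an empty body; a comment such as `# Global handler for lookups scoped to the current supplier: a foreign or unknown id is a plain 404, never a 500` on the `rescue_from` line would document why the bang finders in the supplier controllers rely on it. The rewritten method is below; the first hunk of this file is otherwise only the `rescue_from` registration.

```ruby
def show_404
  respond_to do |format|
    format.html { render 'dashboard/404', layout: true, status: 404 }
    format.any { head :not_found }
  end
end
```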
@@ -15,7 +15,7 @@ module Suppliers
# GET /product_categories/1
# GET /product_categories/1.json
def show
@product_category = ProductCategory.find(params[:id])
@product_category = ProductCategory.find_by_supplier_id_and_id!(current_supplier.id, params[:id])
respond_to do |format|
format.html # show.html.erb
@@ -59,7 +59,7 @@ module Suppliers
# PUT /product_categories/1
# PUT /product_categories/1.json
def update
@product_category = ProductCategory.find(params[:id])
@product_category = ProductCategory.find_by_supplier_id_and_id!(current_supplier.id, params[:id])
respond_to do |format|
if @product_category.update_attributes(params[:product_category])
@@ -75,7 +75,7 @@ module Suppliers
# DELETE /product_categories/1
# DELETE /product_categories/1.json
def destroy
@product_category = ProductCategory.find(params[:id])
@product_category = ProductCategory.find_by_supplier_id_and_id!(current_supplier.id, params[:id])
@product_category.destroy
respond_to do |format|
@@ -87,7 +87,7 @@ module Suppliers
# POST /supplier/product_categories/sort
# params ~= product_category: ['abc', 'def', 'another id', ...]
def sort
@product_categories = ProductCategory.find(params[:product_category])
@product_categories = ProductCategory.find(params[:product_category]).select{|pc| pc.supplier_id == current_supplier.id} # The select is hack prevention
1.upto(@product_categories.size){|i| @product_categories[i-1].position = i}
CouchPotato.database.couchrest_database.bulk_save(@product_categories)
render nothing: true
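Review bot: The `select` on the new line of the `sort` hunk silently drops product categories owned by another supplier instead of rejecting the request, so a sort request that mixes in foreign ids still succeeds for the remaining ids and returns 200, whereas the `show`, `update` and `destroy` hunks above fail closed through `find_by_supplier_id_and_id!` and end in a 404. Keeping the check but making it fail closed brings the four actions in line: after the `find`, `raise SimplyStored::RecordNotFound unless @product_categories.all? { |pc| pc.supplier_id == current_supplier.id }`, and replace `# The select is hack prevention` with `# Every id must belong to current_supplier; a foreign id is a 404, not a silent skip`. Whether `ProductCategory.find` with an id array raises on an unknown id or yields nil entries is not visible in this hunk; if it can yield nils, the ownership check must also treat a nil as a failure. The `end` of `sort` lies outside the hunk.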