Secure product_categories and add example test for other supplier resources and fix hack attempts included in test

2012-12-06 12:21:38 +01:00
parent 382f91b1d6
commit 180b6deb4d
8 changed files with 207 additions and 8 deletions
@@ -15,7 +15,7 @@ module Suppliers
# GET /product_categories/1
# GET /product_categories/1.json
def show
@product_category = ProductCategory.find(params[:id])
@product_category = ProductCategory.find_by_supplier_id_and_id!(current_supplier.id, params[:id])
respond_to do |format|
format.html # show.html.erb
@@ -59,7 +59,7 @@ module Suppliers
# PUT /product_categories/1
# PUT /product_categories/1.json
def update
@product_category = ProductCategory.find(params[:id])
@product_category = ProductCategory.find_by_supplier_id_and_id!(current_supplier.id, params[:id])
respond_to do |format|
if @product_category.update_attributes(params[:product_category])
@@ -75,7 +75,7 @@ module Suppliers
# DELETE /product_categories/1
# DELETE /product_categories/1.json
def destroy
@product_category = ProductCategory.find(params[:id])
@product_category = ProductCategory.find_by_supplier_id_and_id!(current_supplier.id, params[:id])
@product_category.destroy
respond_to do |format|
@@ -87,7 +87,7 @@ module Suppliers
# POST /supplier/product_categories/sort
# params ~= product_category: ['abc', 'def', 'another id', ...]
def sort
@product_categories = ProductCategory.find(params[:product_category])
@product_categories = ProductCategory.find(params[:product_category]).select{|pc| pc.supplier_id == current_supplier.id} # The select is hack prevention
1.upto(@product_categories.size){|i| @product_categories[i-1].position = i}
CouchPotato.database.couchrest_database.bulk_save(@product_categories)
render nothing: true
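Review bot: The `select` added to `sort` silently drops any id that belongs to another supplier and still answers 200 via `render nothing: true`, so a tampered id list is partially applied rather than rejected, and the surviving categories are renumbered from 1 while the dropped ones keep their old positions. The `show`, `update` and `destroy` hunks use the raising `find_by_supplier_id_and_id!` form; `sort` should fail the same way instead of filtering, e.g. keep the plain `find` and add `return render(nothing: true, status: :forbidden) if @product_categories.any? { |pc| pc.supplier_id != current_supplier.id }` before the position loop. Whether `ProductCategory.find` on an id list can yield `nil` entries for unknown ids, or what it does when `params[:product_category]` is missing or not an array, is not visible here; if either is possible, `pc.supplier_id` raises before the ownership check runs, so a `compact` or an explicit bad-request response is needed as well. The `# The select is hack prevention` comment should name the threat so the next reader does not remove it: `# Ownership check: ids in the request that belong to another supplier must not be reordered (IDOR guard)`.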