From 592aa6505427225721ecc5b4bf785a674f7f393e Mon Sep 17 00:00:00 2001
From: Benjamin ter Kuile
Date: Sun, 22 Dec 2013 16:04:42 +0100
Subject: [PATCH] whitelist table and section params on json call
---
 app/controllers/suppliers/sections_controller.rb | 8 +++++++-
 app/controllers/suppliers/tables_controller.rb | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/app/controllers/suppliers/sections_controller.rb b/app/controllers/suppliers/sections_controller.rb
index ecdd1344..b464daed 100644
--- a/app/controllers/suppliers/sections_controller.rb
+++ b/app/controllers/suppliers/sections_controller.rb
@@ -162,7 +162,13 @@ module Suppliers
 private
 def section_params
- params.require(:section).permit(:title, :path, :width, :height)
+ permitted_attributes = [:title, :path, :width, :height]
+ # do not raise in development and test for json communication
+ if request.format.json?
+ params.require(:section).slice(*permitted_attributes).permit!
+ else
+ params.require(:section).permit permitted_attributes
+ end
 end
 end
diff --git a/app/controllers/suppliers/tables_controller.rb b/app/controllers/suppliers/tables_controller.rb
index ec184861..0a283f08 100644
--- a/app/controllers/suppliers/tables_controller.rb
+++ b/app/controllers/suppliers/tables_controller.rb
@@ -96,7 +96,13 @@ module Suppliers
 private
 def table_params
- params.require(:table).permit(:number, :section_id, :position_x, :position_y)
+ permitted_attributes = [:number, :section_id, :position_x, :position_y]
+ # do not raise in development and test for json communication
+ if request.format.json?
+ params.require(:table).slice(*permitted_attributes).permit!
+ else
+ params.require(:table).permit permitted_attributes
+ end
 end
 end
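Review bot: The json branch of `section_params` widens the whitelist beyond what the removed `permit(:title, :path, :width, :height)` allowed: `slice` keeps only the listed keys, but the `permit!` that follows marks whatever value sits under each of them as permitted, so a nested hash or array sent as `title` or `path` now reaches the model where the old code dropped it as a non-scalar. The reason for the branch (presumably avoiding ActionController::UnpermittedParameters under `action_on_unpermitted_parameters = :raise` in development and test, as the added comment hints) is already served by the `slice`, because unknown keys are gone before any permit check runs. So `permit!` is not needed, and `params.require(:section).slice(*permitted_attributes).permit(*permitted_attributes)` drops unknown keys without raising while still limiting the kept keys to scalars, which also lets the format-dependent `if`/`else` collapse to that single line for both html and json. The same applies to `table_params` in tables_controller.rb. A why-comment on the kept line, e.g. `# slice first so extra keys from the json client are dropped instead of raising; permit still restricts values to scalars`, would make the intent explicit.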