From 4615a49e6210000153bfc85d24768871142476e7 Mon Sep 17 00:00:00 2001
From: Janis4411
Date: Thu, 4 Aug 2022 17:16:54 +0200
Subject: [PATCH] added strong params to comments_controller to prevent users from editing attributes which are not intended to be edited, also created specs to test this behaviour
---
 app/controllers/comments_controller.rb | 6 ++-
 spec/controllers/comments_controller_spec.rb | 42 ++++++++++++++++++++
 spec/factories/request_for_comment.rb | 2 +-
 3 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 spec/controllers/comments_controller_spec.rb

diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 367d9f1d..8a2a270c 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -55,7 +55,7 @@ class CommentsController < ApplicationController
   # PATCH/PUT /comments/1.json
   def update
-    if @comment.update(comment_params_without_request_id)
+    if @comment.update(comment_params_for_update)
       render :show, status: :ok, location: @comment
     else
       render json: @comment.errors, status: :unprocessable_entity
@@ -77,6 +77,10 @@ class CommentsController < ApplicationController
     @comment = Comment.find(params[:id])
   end
 
+  def comment_params_for_update
+    params.require(:comment).permit(:text)
+  end
+
   def comment_params_without_request_id
     comment_params.except :request_id
   end
diff --git a/spec/controllers/comments_controller_spec.rb b/spec/controllers/comments_controller_spec.rb
new file mode 100644
index 00000000..3511a538
--- /dev/null
+++ b/spec/controllers/comments_controller_spec.rb
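Review bot: Nothing in this hunk ties `@comment` to `current_user` before `@comment.update` runs, and the second hunk shows the record is looked up with a plain `Comment.find(params[:id])`; the new allow-list restricts which attributes may change, not whose comment. If a `before_action` or policy check outside the hunk already scopes this, a one-line comment on `update` would make that visible, e.g. `# Ownership of @comment is enforced by <before_action name>; only :text is writable here.` The body of `update` continues past the end of the hunk.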
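Review bot: `comment_params_for_update` carries no comment explaining why it exists beside `comment_params_without_request_id`, which still passes the broader `comment_params` allow-list (not visible here) to whichever action calls it, presumably `create`; the narrowing applies to `update` only. Suggest `# Allow-list for PATCH/PUT: only :text may change once a comment exists.` above the new `def`. The two neighbours also differ in call style (`permit(:text)` with parentheses, `except :request_id` without); matching them keeps the private section uniform.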
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe CommentsController do
+  let(:user) { create(:learner) }
+  let(:rfc_with_comment) { create(:rfc_with_comment, user: user) }
+  let(:comment) { rfc_with_comment.comments.first }
+  let(:updated_comment) { comment.reload }
+  let(:perform_request) { proc { put :update, format: :json, params: {id: comment.id, comment: comment_params} } }
+
+  before do
+    allow(controller).to receive(:current_user).and_return(user)
+    perform_request.call
+  end
+
+  describe 'PUT #update' do
+    context 'with valid params' do
+      let(:comment_params) { {text: 'test100'} }
+
+      it 'saves the permitted changes' do
+        expect(updated_comment.text).to eq('test100')
+      end
+
+      expect_http_status(:ok)
+    end
+
+    context 'with additional params' do
+      let(:comment_params) { {text: 'test100', row: 5, file_id: 50} }
+
+      it 'applies the permitted changes' do
+        expect(updated_comment.row).not_to eq(5)
+        expect(updated_comment.file_id).not_to eq(50)
+        expect(updated_comment.row).to eq(1)
+        expect(updated_comment.file_id).to eq(comment.file_id)
+        expect(updated_comment.text).to eq('test100')
+      end
+
+      expect_http_status(:ok)
+    end
+  end
+end
diff --git a/spec/factories/request_for_comment.rb b/spec/factories/request_for_comment.rb
index 169632a5..6b22cb58 100644
--- a/spec/factories/request_for_comment.rb
+++ b/spec/factories/request_for_comment.rb
@@ -13,7 +13,7 @@ FactoryBot.define do
   factory :rfc_with_comment, class: 'RequestForComment' do
     after(:create) do |rfc|
       rfc.file = rfc.submission.files.first
-      Comment.create(file: rfc.file, user: rfc.user, text: "comment for rfc #{rfc.question}")
+      Comment.create(file: rfc.file, user: rfc.user, row: 1, text: "comment for rfc #{rfc.question}")
     end
   end
 end
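Review bot: `expect(updated_comment.file_id).to eq(comment.file_id)` in 'with additional params' compares a value with itself: `let(:updated_comment) { comment.reload }` returns the same `comment` instance, so both sides read the reloaded column and the example passes even if `file_id` had been overwritten to 50. Capture the original before the request with `let!(:original_file_id) { comment.file_id }` declared above the `before` block, then assert `expect(updated_comment.file_id).to eq(original_file_id)`. The `row` expectation is genuine only because it is pinned to the `row: 1` the factory hunk adds, which makes the two `not_to eq` lines above it redundant. The 200 status with extra keys also relies on Rails' default of logging rather than raising on unpermitted parameters (`action_on_unpermitted_parameters`); if the app ever sets that to `:raise`, this context should expect the error instead.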