Added strong params to comments_controller to prevent users from editing attributes that are not intended to be editable; also created specs to test this behaviour.

committed by
Sebastian Serth

parent
b98c37ae64
commit
4615a49e62
@ -55,7 +55,7 @@ class CommentsController < ApplicationController
|
|||||||
|
|
||||||
# PATCH/PUT /comments/1.json
|
# PATCH/PUT /comments/1.json
|
||||||
def update
|
def update
|
||||||
if @comment.update(comment_params_without_request_id)
|
if @comment.update(comment_params_for_update)
|
||||||
render :show, status: :ok, location: @comment
|
render :show, status: :ok, location: @comment
|
||||||
else
|
else
|
||||||
render json: @comment.errors, status: :unprocessable_entity
|
render json: @comment.errors, status: :unprocessable_entity
|
||||||
@ -77,6 +77,10 @@ class CommentsController < ApplicationController
|
|||||||
@comment = Comment.find(params[:id])
|
@comment = Comment.find(params[:id])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def comment_params_for_update
|
||||||
|
params.require(:comment).permit(:text)
|
||||||
|
end
|
||||||
|
|
||||||
def comment_params_without_request_id
|
def comment_params_without_request_id
|
||||||
comment_params.except :request_id
|
comment_params.except :request_id
|
||||||
end
|
end
|
||||||
|
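--- /dev/null
+++ b/spec/controllers/comments_controller_spec.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe CommentsController do
+let(:user) { create(:learner) }
+let(:rfc_with_comment) { create(:rfc_with_comment, user: user) }
+let(:comment) { rfc_with_comment.comments.first }
+let(:updated_comment) { comment.reload }
+let(:perform_request) { proc { put :update, format: :json, params: {id: comment.id, comment: comment_params} } }
+
+before do
+allow(controller).to receive(:current_user).and_return(user)
+perform_request.call
+end
+
+describe 'PUT #update' do
+context 'with valid params' do
+let(:comment_params) { {text: 'test100'} }
+
+it 'saves the permitted changes' do
+expect(updated_comment.text).to eq('test100')
+end
+
+expect_http_status(:ok)
+end
+
+context 'with additional params' do
+let(:comment_params) { {text: 'test100', row: 5, file_id: 50} }
+
+it 'applies the permitted changes' do
+expect(updated_comment.row).not_to eq(5)
+expect(updated_comment.file_id).not_to eq(50)
+expect(updated_comment.row).to eq(1)
+expect(updated_comment.file_id).to eq(comment.file_id)
+expect(updated_comment.text).to eq('test100')
+end
+
+expect_http_status(:ok)
+end
+end
+end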
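Review bot: The 'with additional params' context only sends `row` and `file_id`, so the spec never exercises the attribute a mass-assignment guard on update is most needed for: the comment's owner (the factory creates the comment with `user: rfc.user`, and the create path already strips `request_id`). Extending the params to `let(:comment_params) { {text: 'test100', row: 5, file_id: 50, user_id: user.id + 1} }` and asserting `expect(updated_comment.user_id).to eq(user.id)` would pin that `comment_params_for_update` keeps ownership fixed, which is what the commit message claims. The two `not_to eq` assertions on `row` and `file_id` are implied by the `eq(1)` and `eq(comment.file_id)` checks that follow and can be dropped. Note also that the new `comment_params_for_update` method lives in the controller hunk above, whose file section begins outside this page.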
|
@ -13,7 +13,7 @@ FactoryBot.define do
|
|||||||
factory :rfc_with_comment, class: 'RequestForComment' do
|
factory :rfc_with_comment, class: 'RequestForComment' do
|
||||||
after(:create) do |rfc|
|
after(:create) do |rfc|
|
||||||
rfc.file = rfc.submission.files.first
|
rfc.file = rfc.submission.files.first
|
||||||
Comment.create(file: rfc.file, user: rfc.user, text: "comment for rfc #{rfc.question}")
|
Comment.create(file: rfc.file, user: rfc.user, row: 1, text: "comment for rfc #{rfc.question}")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|