htwkmooc/codeocean
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cleanup of passed parameters, user_id and user_type are extracted from current user and not used from the passed POST values..

Browse Source
This commit is contained in:
Ralf Teusner
2015-08-19 15:35:25 +02:00
parent e520914385
commit dc0b3a2294
3 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/comments_controller.rb
View File

@ -75,7 +75,7 @@ class CommentsController < ApplicationController
# POST /comments
# POST /comments.json
def create
@comment = Comment.new(comment_params.merge(user_type: current_user.class.name))
@comment = Comment.new(comment_params)
respond_to do |format|
if @comment.save
@ -135,6 +135,6 @@ class CommentsController < ApplicationController
def comment_params
#params.require(:comment).permit(:user_id, :file_id, :row, :column, :text)
# fuer production mode, damit böse menschen keine falsche user_id uebergeben:
params.require(:comment).permit(:file_id, :row, :column, :text).merge(user_id: current_user.id)
params.require(:comment).permit(:file_id, :row, :column, :text).merge(user_id: current_user.id, user_type: current_user.class.name)
end
end