#472: Update Api::V1::UsersController

2015-05-21 00:03:08 +03:00 · 2015-05-21 00:03:08 +03:00 · d38bede620
parent 83981996cd
commit d38bede620
5 changed files with 52 additions and 16 deletions
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@ -16,7 +16,7 @@ class Api::V1::UsersController < Api::V1::BaseController
  def update
    user_params = params[:user] || {}
    send_confirmation = user_params[:email] != @user.email
-    if @user.update_without_password(user_params)
+    if @user.update_without_password(subject_params(User))
      if send_confirmation
        @user.confirmed_at, @user.confirmation_sent_at = nil
        @user.send_confirmation_instructions
@ -29,7 +29,7 @@ class Api::V1::UsersController < Api::V1::BaseController

  def notifiers
    if request.put?
-      if @user.notifier.update_attributes(params[:notifiers])
+      if @user.notifier.update_attributes(notifier_params)
        render_json_response @user, 'User notification settings have been updated successfully'
      else
        render_json_response @user, error_message(@user.notifier, 'User notification settings have not been updated'), 422
@ -39,6 +39,10 @@ class Api::V1::UsersController < Api::V1::BaseController

  protected

+  def notifier_params
+    permit_params(:notifiers, *policy(SettingsNotifier).permitted_attributes)
+  end
+
  def set_current_user
    authorize @user = current_user
  end
--- a/app/models/settings_notifier.rb
+++ b/app/models/settings_notifier.rb
@ -3,16 +3,4 @@ class SettingsNotifier < ActiveRecord::Base

  validates :user, presence: true

-  # attr_accessible :can_notify,
-  #                 :update_code,
-  #                 :new_comment_commit_owner,
-  #                 :new_comment_commit_repo_owner,
-  #                 :new_comment_commit_commentor,
-  #                 :new_comment,
-  #                 :new_comment_reply,
-  #                 :new_issue,
-  #                 :issue_assign,
-  #                 :new_build,
-  #                 :new_associated_build
-
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -56,8 +56,6 @@ class User < Avatar
  validates :role, inclusion: { in: EXTENDED_ROLES }, allow_blank: true
  validates :language, inclusion: { in: LANGUAGES }, allow_blank: true

-  # attr_accessible :email, :password, :password_confirmation, :current_password, :remember_me, :login, :name, :uname, :language,
-  #                 :site, :company, :professional_experience, :location, :sound_notifications, :hide_email, :delete_avatar
  attr_readonly :uname
  attr_accessor :login, :delete_avatar

--- a/app/policies/settings_notifier_policy.rb
+++ b/app/policies/settings_notifier_policy.rb
@ -0,0 +1,22 @@
+class SettingsNotifierPolicy < ApplicationPolicy
+
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      can_notify
+      update_code
+      new_comment_commit_owner
+      new_comment_commit_repo_owner
+      new_comment_commit_commentor
+      new_comment
+      new_comment_reply
+      new_issue
+      issue_assign
+      new_build
+      new_associated_build
+    )
+  end
+
+end
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@ -11,6 +11,30 @@ class UserPolicy < ApplicationPolicy
  alias_method :show_current_user?, :update?
  alias_method :write?,             :update?

+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      company
+      current_password
+      delete_avatar
+      email
+      hide_email
+      language
+      location
+      login
+      name
+      password
+      password_confirmation
+      professional_experience
+      remember_me
+      site
+      sound_notifications
+      uname
+    )
+  end
+
  class Scope < Scope
    def show
      scope