Address mass-assignment in controllers

Two instances where we were `permit!`-ing all params, and really didn't need to.
umts · Feb 12, 2025 · c07d402 · c07d402
1 parent 9e4ef69
commit c07d402
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/app/controllers/bus_stops_controller.rb b/app/controllers/bus_stops_controller.rb
@@ -139,7 +139,7 @@ def search_for_stop
   end
 
   def stop_params
-    # no attributes that people aren't supposed to be able to edit
-    params.require(:bus_stop).permit!
+    fields = BusStop::Options::COMBINED.values.flat_map(&:keys)
+    params.require(:bus_stop).permit(:garage_responsible, :state_road, :needs_work, :completed, *fields)
   end
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -46,11 +46,11 @@ def find_user
   end
 
   def user_params
-    attrs = params.require(:user).permit!
-    if attrs[:password].blank?
-      attrs.delete :password
-      attrs.delete :password_confirmation
+    params.require(:user).permit(:name, :email, :password, :password_confirmation, :admin).tap do |p|
+      if p[:password].blank?
+        p.delete :password
+        p.delete :password_confirmation
+      end
     end
-    attrs
   end
 end