From 4a70b795e5feccfa5981567129eaef6507dd5542 Mon Sep 17 00:00:00 2001 From: Mark Moser Date: Wed, 21 Sep 2016 15:50:02 -0500 Subject: [PATCH] policy strong_params --- app/controllers/admin/profile_controller.rb | 2 +- app/controllers/admin/user_controller.rb | 2 +- app/policies/user_policy.rb | 5 +++++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/app/controllers/admin/profile_controller.rb b/app/controllers/admin/profile_controller.rb index ef118f7..b176ac2 100644 --- a/app/controllers/admin/profile_controller.rb +++ b/app/controllers/admin/profile_controller.rb @@ -26,7 +26,7 @@ module Admin private def user_params - params.require(:user).permit(:name, :email, :password, :password_confirmation) + params.require(:user).permit(policy(User).permitted_attributes) end end end diff --git a/app/controllers/admin/user_controller.rb b/app/controllers/admin/user_controller.rb index 3b37e55..d8ab69a 100644 --- a/app/controllers/admin/user_controller.rb +++ b/app/controllers/admin/user_controller.rb @@ -50,7 +50,7 @@ module Admin private def user_params - params.require(:user).permit(:name, :email, :role, :password, quiz_ids: []) + params.require(:user).permit(policy(User).permitted_attributes) end end end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index dad8c7f..5a1140e 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -17,6 +17,11 @@ class UserPolicy < ApplicationPolicy user.admin? || user == record end + def permitted_attributes + return [:name, :email, :role, :password, quiz_ids: []] if user.admin? + [:name, :email, :password, :password_confirmation] + end + class Scope < Scope def resolve return scope if user.admin?