# Minimal model stub: the fixture only needs a class whose constructors and
# persistence methods can receive a params hash. ApplicationRecord is not
# defined in this file; it comes from the Rails app under analysis.
class User < ApplicationRecord
end
# Fixture for mass assignment via request parameters. Every line marked BAD
# hands a params object whose keys were not allow-listed (permit!, an
# empty-hash permit, or to_unsafe_h) to an ActiveRecord constructor or
# persistence method; lines marked GOOD go through an explicit
# permit(:name, :address) allow-list first.
class UserController < ActionController::Base
  # BAD: user_params (defined below) is params.require(:user).permit!, so
  # every key the client submits is accepted, assigned, and saved.
  def create
    # BAD: arbitrary params are permitted to be used for this assignment
    User.new(user_params).save!
  end

  # GOOD: only :name and :address can reach the model. The record is built
  # but not saved here; the allow-list is the point of the example.
  def create2
    # GOOD: the permitted parameters are explicitly specified
    User.new(params[:user].permit(:name,:address))
  end

  # BAD: the same unfiltered hash flowing into the rest of the persistence
  # API -- build/create/insert/update/upsert/find_or_create and their bang
  # variants, the array forms of insert_all/upsert, create_with, and update
  # called on a relation rather than on the class. Each call is a separate
  # sink.
  def create3
    # each BAD
    User.build(user_params)
    User.create(user_params)
    User.create!(user_params)
    User.insert(user_params)
    User.insert!(user_params)
    User.insert_all([user_params])
    User.insert_all!([user_params])
    User.update(user_params)
    User.update(7, user_params)
    User.update!(user_params)
    User.update!(7, user_params)
    User.upsert(user_params)
    User.upsert([user_params])
    User.find_or_create_by(user_params)
    User.find_or_create_by!(user_params)
    User.find_or_initialize_by(user_params)
    User.create_or_find_by(user_params)
    User.create_or_find_by!(user_params)
    User.create_with(user_params)
    # Receiver is a relation (User.where(...)), not the model class itself.
    user = User.where(name:"abc")
    user.update(user_params)
  end

  # Helper shared by create and create3. permit! marks every key under :user
  # as permitted, so the result is effectively the raw client input with the
  # "permitted" flag set.
  def user_params
    params.require(:user).permit!
  end

  # Mixed cases on the permit API itself.
  def create4
    x = params[:user]
    # permit! mutates x in place; from here on x carries every submitted key.
    x.permit!
    User.new(x) # BAD
    # permit(...) returns a new object holding only the listed keys, so the
    # earlier permit! on x does not affect this line.
    User.new(x.permit(:name,:address)) # GOOD
    # An empty hash as the value (`user: {}`, `friends: {}`) permits an
    # arbitrary nested hash under that key, which defeats the allow-list.
    User.new(params.permit(user: {})) # BAD
    User.new(params.permit(user: [:name, :address, {friends:{}}])) # BAD
    # to_unsafe_h bypasses the permitted check entirely.
    User.new(params.to_unsafe_h) # BAD
    # to_unsafe_h after an explicit allow-list exposes only the permitted keys.
    User.new(params.permit(user: [:name, :address]).to_unsafe_h) # GOOD
  end
end