Strong parameters for WorkSearch. (otwcode#2848)

cesy · Apr 9, 2017 · d9b66fe · d9b66fe
1 parent e3bb1e1
commit d9b66fe
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 12 deletions.
diff --git a/app/controllers/works_controller.rb b/app/controllers/works_controller.rb
@@ -72,7 +72,7 @@ def clean_work_search_params
 
   def search
     @languages = Language.default_order
-    options = params[:work_search] || {}
+    options = params[:work_search].present? ? work_search_params : {}
     options[:page] = params[:page] if params[:page].present?
     options[:show_restricted] = current_user.present? || logged_in_as_admin?
     @search = WorkSearch.new(options)
@@ -90,11 +90,7 @@ def search
 
   # GET /works
   def index
-    options = if params[:work_search].present?
-                params[:work_search].dup
-              else
-                {}
-              end
+    options = params[:work_search].present? ? work_search_params : {}
 
     if params[:fandom_id] || (@collection.present? && @tag.present?)
       if params[:fandom_id].present?
@@ -158,12 +154,7 @@ def index
   end
 
   def collected
-    options = if params[:work_search].present?
-                params[:work_search].dup
-              else
-                {}
-              end
-
+    options = params[:work_search].present? ? work_search_params : {}
     options[:page] = params[:page]
     options[:show_restricted] = current_user.present? || logged_in_as_admin?
 
@@ -1088,4 +1079,39 @@ def work_params
       ],
     )
   end
+
+  def work_search_params
+    params.require(:work_search).permit(
+      :query,
+      :title,
+      :creator,
+      :revised_at,
+      :complete,
+      :single_chapter,
+      :word_count,
+      :language_id,
+      :fandom_names,
+      :rating_ids,
+      :character_names,
+      :relationship_names,
+      :freeform_names,
+      :hits,
+      :kudos_count,
+      :comments_count,
+      :bookmarks_count,
+      :sort_column,
+      :sort_direction,
+      :other_tag_names,
+
+      warning_ids: [],
+      category_ids: [],
+      rating_ids: [],
+      fandom_ids: [],
+      character_ids: [],
+      relationship_ids: [],
+      freeform_ids: [],
+
+      collection_ids: []
+    )
+  end
 end
diff --git a/app/models/work_search.rb b/app/models/work_search.rb
@@ -1,4 +1,5 @@
 class WorkSearch < Search
+  include ActiveModel::ForbiddenAttributesProtection
 
   serialized_options :query, 
     :title,