Merge a46117f into 4184c78

Gemfile

@@ -66,7 +66,6 @@ gem 'recaptcha', require: 'recaptcha/rails' # Captcha Gem
 
 # ---------- Controller ----------
 
-gem 'arcane' # Parameter management for strong_parameters
 gem 'canonical-rails' # canonical view links
 gem 'devise', '~> 3.5.10' # authentication
 gem 'pundit' # authorization

Gemfile.lock

@@ -70,9 +70,6 @@ GEM
       nokogiri
     amoeba (3.0.0)
       activerecord (>= 3.2.6)
-    arcane (1.1.1)
-      actionpack (>= 3.0.0, < 5.0.0)
-      activesupport (>= 3.0.0, < 5.0.0)
     arel (5.0.1.20140414130214)
     ast (2.0.0)
     astrolabe (1.3.0)
@@ -692,7 +689,6 @@ DEPENDENCIES
   active_data
   activerecord-session_store
   amoeba
-  arcane
   awesome_nested_set (>= 3.0.0.rc.4)
   better_errors
   binding_of_caller

app/controllers/addresses_controller.rb

@@ -3,6 +3,8 @@
 #   See the COPYRIGHT file for details.
 
 class AddressesController < ApplicationController
+  include AddressParams
+
   respond_to :html, only: [:edit, :new]
   respond_to :js, if: lambda { request.xhr? }
   before_action :set_address, except: [:new, :create]
@@ -14,7 +16,7 @@ def new
   end
 
   def create
-    @address = current_user.addresses.build(params.for(Address).refine)
+    @address = current_user.addresses.build(address_params)
     authorize @address
     if @address.save
       render :create
@@ -30,7 +32,7 @@ def edit
 
   def update
     authorize @address
-    @address.assign_attributes(params.for(Address).refine)
+    @address.assign_attributes(address_params)
     @address = @address.duplicate_if_referenced!
     if @address.save
       render :update
@@ -53,4 +55,8 @@ def destroy
   def set_address
     @address = current_user.addresses.find(params[:id])
   end
+
+  def address_params
+    params.require(:address).permit(*ADDRESS_PARAMS)
+  end
 end

app/controllers/application_controller.rb

@@ -3,6 +3,11 @@
 #   See the COPYRIGHT file for details.
 
 class ApplicationController < ActionController::Base
+  PERMITTED_SEARCH_FORM_PARAMS = %i(
+    q fair ecologic small_and_precious condition category_id zip order_by search_in_content
+    exclude_category_ids
+  ).freeze
+
   ## Global security
   before_action :authenticate_user!
 
@@ -16,9 +21,6 @@ class ApplicationController < ActionController::Base
 
   layout :layout_by_param
 
-  # Arcane
-  include Arcane
-
   # Pundit
   include Pundit
   after_action :verify_authorized_with_exceptions, except: [:index, :feed, :ipn_notification, :contact]
@@ -72,10 +74,7 @@ def pundit_unverified_classes
   end
 
   def build_search_cache
-    search_params = {}
-    form_search_params = params.for(ArticleSearchForm)[:article_search_form]
-    search_params.merge!(form_search_params) if form_search_params.is_a?(Hash)
-    @search_cache = ArticleSearchForm.new(search_params)
+    @search_cache = ArticleSearchForm.new(params[:article_search_form])
   end
 
   # Caching security: Set response headers to prevent caching

app/controllers/article_templates_controller.rb

@@ -3,6 +3,8 @@
 #   See the COPYRIGHT file for details.
 
 class ArticleTemplatesController < ApplicationController
+  include ArticleParams
+
   respond_to :html
   responders :location, :flash
 
@@ -21,12 +23,12 @@ def edit
   def update
     authorize @article_template
 
-    save_images unless @article_template.update(params.for(@article_template).refine)
+    save_images unless @article_template.update(params.require(:article).permit(*ARTICLE_UPDATE_PARAMS))
     respond_with(@article_template, location: -> { collection_url })
   end
 
   def create
-    @article_template = current_user.articles.build(params.for(Article).refine)
+    @article_template = current_user.articles.build(params.require(:article).permit(*ARTICLE_CREATE_PARAMS))
     authorize @article_template
     @article_template.state = :template
 

app/controllers/articles_controller.rb

@@ -4,6 +4,7 @@
 
 class ArticlesController < ApplicationController
   include ArticleControllerFilters
+  include ArticleParams
 
   responders :location
   respond_to :html
@@ -36,7 +37,7 @@ def index
   end
 
   def create
-    @article = current_user.articles.build(params.for(Article).refine)
+    @article = current_user.articles.build(params.require(:article).permit(*ARTICLE_CREATE_PARAMS))
     if params && params[:article][:article_template_name].present?
       @article.save_as_template = '1'
     end
@@ -65,7 +66,7 @@ def update # Still needs Refactoring
       change_state
     else
       authorize @article
-      save_images unless @article.update(params.for(@article).refine)
+      save_images unless @article.update(params.require(:article).permit(*ARTICLE_UPDATE_PARAMS))
       respond_with @article
     end
   end
@@ -131,7 +132,7 @@ def change_state
   end
 
   def activate
-    @article.assign_attributes params.for(@article).refine
+    @article.assign_attributes params.require(:article).permit(*ARTICLE_UPDATE_PARAMS)
     authorize @article, :activate?
     if @article.activate
       flash[:notice] = I18n.t('article.notices.create_html')

app/controllers/comments_controller.rb

@@ -8,6 +8,7 @@ class CommentsController < ApplicationController
   # If you want to make another Class commentable,
   # add it to the COMMENTABLES-array
   COMMENTABLES = [Library, Article]
+  REQUIRED_PARAMS = %i(text).freeze
 
   respond_to :js
 
@@ -32,7 +33,7 @@ def index
   end
 
   def create
-    comment_data = { user: current_user }.merge(params.for(Comment).refine)
+    comment_data = { user: current_user }.merge(params.require(:comment).permit(REQUIRED_PARAMS))
     @comment = @commentable.comments.build(comment_data)
     authorize @comment
     respond_to do |format|

app/refineries/application_refinery.rb → app/controllers/concerns/address_params.rb

@@ -2,8 +2,8 @@
 #   licensed under the GNU Affero General Public License version 3 or later.
 #   See the COPYRIGHT file for details.
 
-# Shared functionality for refineries,
-# unless inherited this class will not
-# do anything.
-class ApplicationRefinery < Arcane::Refinery
+module AddressParams
+  extend ActiveSupport::Concern
+
+  ADDRESS_PARAMS = %i(title first_name last_name company_name address_line_1 address_line_2 city zip country).freeze
 end

app/controllers/concerns/article_params.rb

@@ -0,0 +1,78 @@
+#   Copyright (c) 2012-2017, Fairmondo eG.  This file is
+#   licensed under the GNU Affero General Public License version 3 or later.
+#   See the COPYRIGHT file for details.
+
+module ArticleParams
+  extend ActiveSupport::Concern
+
+  ARTICLE_CREATE_PARAMS = [
+    # Common attrs
+    :title, :content, :condition, :condition_extra, :quantity,
+    :borrowable, :swappable,
+    # :business_transaction_attributes, dont think they are needed right now
+    # Money attrs
+    :price_cents, :price, :vat,
+    # Payment attrs
+    :payment_details, :payment_bank_transfer, :payment_cash,
+    :payment_paypal, :payment_invoice, :payment_voucher,
+    :payment_cash_on_delivery, :payment_cash_on_delivery_price,
+    :payment_cash_on_delivery_price_cents, :payment_debit, :subscription,  # should we change the name to :payment_subscription ?
+    # Basic price attrs
+    :basic_price, :basic_price_cents, :basic_price_amount,
+    # Transport attrs
+    :transport_pickup,
+    :transport_type1, :transport_type1_price_cents,
+    :transport_type1_price, :transport_type1_provider,
+    :transport_type1_number,
+    :transport_type2, :transport_type2_price_cents,
+    :transport_type2_price, :transport_type2_provider,
+    :transport_type2_number,
+    :transport_details,
+    :unified_transport,
+    :transport_time,
+    # Category attrs
+    { category_ids: [] },
+    # Commendation attrs
+    :fair, :ecologic, :fair_kind, :fair_seal, :ecologic_seal,
+    :ecologic_kind, :upcycling_reason, :small_and_precious,
+    :small_and_precious_eu_small_enterprise, :small_and_precious_reason,
+    :small_and_precious_handmade,
+    { fair_trust_questionnaire_attributes: [
+      # Question 1: supports marginalized workers (req)
+      :support, :support_explanation, :support_other, { support_checkboxes: [] },
+      # Question 2: labor conditions acceptable? (req)
+      :labor_conditions, { labor_conditions_checkboxes: [] },
+      :labor_conditions_explanation, :labor_conditions_other,
+      # Question 3: is production environmentally friendly (opt)
+      :environment_protection, { environment_protection_checkboxes: [] },
+      :environment_protection_explanation, :environment_protection_other,
+      # Question 4: does controlling of these standards exist (req)
+      :controlling, { controlling_checkboxes: [] }, :controlling_explanation,
+      :controlling_other,
+      # Question 5: awareness raising programs supported? (opt)
+      :awareness_raising, { awareness_raising_checkboxes: [] },
+      :awareness_raising_explanation, :awareness_raising_other
+    ] },
+    { social_producer_questionnaire_attributes: [
+      :nonprofit_association, { nonprofit_association_checkboxes: [] },
+      :social_businesses_muhammad_yunus,
+      { social_businesses_muhammad_yunus_checkboxes: [] },
+      :social_entrepreneur, { social_entrepreneur_checkboxes: [] },
+      :social_entrepreneur_explanation
+    ] },
+    # Image attrs
+    { images_attributes: ImageParams::NESTED_IMAGE_PARAMS },
+    :image_2_url,
+    # Legal Entity attrs
+    :custom_seller_identifier, :gtin,
+    # Fees and Donations attrs
+    :friendly_percent, :friendly_percent_organisation_id,
+    # edit_as_new attr
+    :original_id,
+    # Template attrs
+    :save_as_template,
+    :article_template_name
+  ].freeze
+
+  ARTICLE_UPDATE_PARAMS = (ARTICLE_CREATE_PARAMS + %i[tos_accepted]).freeze
+end

app/controllers/concerns/business_transaction_params.rb

@@ -0,0 +1,16 @@
+#   Copyright (c) 2012-2017, Fairmondo eG.  This file is
+#   licensed under the GNU Affero General Public License version 3 or later.
+#   See the COPYRIGHT file for details.
+
+module BusinessTransactionParams
+  extend ActiveSupport::Concern
+
+  BUSINESS_TRANSACTION_PARAMS = %i(
+    selected_transport
+    selected_payment
+    quantity_bought
+    bike_courier_message
+    bike_courier_time
+    tos_bike_courier_accepte
+  ).freeze
+end

app/refineries/line_item_refinery.rb → app/controllers/concerns/image_params.rb

@@ -2,12 +2,9 @@
 #   licensed under the GNU Affero General Public License version 3 or later.
 #   See the COPYRIGHT file for details.
 
-class LineItemRefinery < ApplicationRefinery
-  def create
-    [:article_id, :requested_quantity]
-  end
+module ImageParams
+  extend ActiveSupport::Concern
 
-  def update
-    [:requested_quantity]
-  end
+  IMAGE_PARAMS = %i(image is_title).freeze
+  NESTED_IMAGE_PARAMS = (%i(_destroy, id) + IMAGE_PARAMS).freeze
 end

app/controllers/concerns/user_params.rb

@@ -0,0 +1,26 @@
+#   Copyright (c) 2012-2017, Fairmondo eG.  This file is
+#   licensed under the GNU Affero General Public License version 3 or later.
+#   See the COPYRIGHT file for details.
+
+module UserParams
+  extend ActiveSupport::Concern
+
+  USER_CREATE_PARAMS = %i(
+    email password new_terms_confirmed nickname type newsletter legal privacy
+    voluntary_contribution referral).freeze
+  USER_UPDATE_PARAMS = [
+    :current_password, # <- update specific
+    :email, :password, :password_confirmation, :remember_me, :type,
+    :nickname, :legal, :paypal_account, :banned,
+    :about_me, :phone, :mobile, :fax,
+    :company_name, :max_value_of_goods_cents_bonus,
+    :fastbill_profile_update, :vacationing, :newsletter, :receive_comments_notification,
+    :iban, :bic, :bank_name, :bank_account_owner, :direct_debit_confirmation,
+    :unified_transport_provider, :unified_transport_maximum_articles, :unified_transport_price,
+    :free_transport_available, :free_transport_at_price,
+    { image_attributes: ImageParams::IMAGE_PARAMS }
+  ].freeze
+  USER_UPDATE_LEGAL_ENTITY_PARAMS = %i(
+    terms cancellation about cancellation_form invoicing_email order_notifications_email
+  ).freeze
+end

app/controllers/contents_controller.rb

@@ -3,6 +3,8 @@
 #   See the COPYRIGHT file for details.
 
 class ContentsController < ApplicationController
+  REQUIRED_PARAMS = %i(body key layout).freeze
+
   responders :flash
   respond_to :html
   respond_to :js, if: lambda { request.xhr? }
@@ -36,7 +38,7 @@ def new
   end
 
   def create
-    @content = Content.new(params.for(Content).refine)
+    @content = Content.new(params.require(:content).permit(*REQUIRED_PARAMS))
     authorize @content
     @content.save
     respond_with @content
@@ -49,7 +51,7 @@ def edit
 
   def update
     authorize @content
-    @content.update(params.for(@content).refine)
+    @content.update(params.require(:content).permit(*REQUIRED_PARAMS))
     respond_with @content
   end
 

app/controllers/feedbacks_controller.rb

@@ -3,13 +3,21 @@
 #   See the COPYRIGHT file for details.
 
 class FeedbacksController < ApplicationController
+  include ImageParams
+
+  REQUIRED_PARAMS = [
+    :from, :subject, :text, :variety, :article_id, :feedback_subject,
+    :help_subject, :forename, :lastname, :organisation, :phone, :recaptcha,
+    { image_attributes: IMAGE_PARAMS }
+  ].freeze
+
   responders :location
   respond_to :html
   skip_before_action :authenticate_user!
 
   def create
     handle_recaptcha
-    @feedback = Feedback.new(params.for(Feedback).refine)
+    @feedback = Feedback.new(params.require(:feedback).permit(*REQUIRED_PARAMS))
     authorize @feedback
     @feedback.put_user_id current_user
     @feedback.source_page = JSON.pretty_generate session[:previous_urls]