Only allow valid heat network options

quintel · Apr 29, 2024 · 24a296e · 24a296e
1 parent c57402a
commit 24a296e
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/app/controllers/api/v3/user_sortables_controller.rb b/app/controllers/api/v3/user_sortables_controller.rb
@@ -70,6 +70,14 @@ def sortable_subtype
         params.permit(:subtype)[:subtype] if params.key?(:subtype)
       end
 
+      def assert_valid_sortable_subtype
+        return unless sortable_subtype
+
+        if sortable_name == :heat_network_order && %i[lt mt ht].exclude?(sortable_subtype)
+          render_not_found
+        end
+      end
+
       def sortable_params
         if params.key?(:order)
           params.permit(order: [])