Fixed the questionnaire controller's create action [#136213257] #830
@@ -26,7 +26,7 @@ def create | |||
end | |||
|
|||
def update | |||
@questionnaire.update_attributes(questionnaire_params) | |||
@questionnaire.attributes = questionnaire_params | |||
if @questionnaire.save |
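Review bot: in update, assigning with `@questionnaire.attributes = questionnaire_params` and then branching on `@questionnaire.save` spreads one operation over two statements; a single `if @questionnaire.update(questionnaire_params)` assigns, validates and saves in one call and returns false when validation fails. The definition of questionnaire_params is outside this hunk, so check that it permits only the attributes a user is allowed to set, since this line hands its result straight to the model.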
I think what you're wanting to do is `if @questionnaire.update(questionnaire_params)`. `attributes =` will call `assign_attributes` without any sanitation of the parameters, so it's possible to bypass mass-assignment security.
@@ -26,8 +26,7 @@ def create | |||
end | |||
|
|||
def update | |||
@questionnaire.update_attributes(questionnaire_params) | |||
if @questionnaire.save | |||
if @questionnaire.update(questionnaire_params) |
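Review bot: the `if @questionnaire.update(questionnaire_params)` line in update now carries both the save and the branch condition, but the failure branch is not visible in this hunk; confirm it re-renders the form with the model's validation errors rather than redirecting as if the save succeeded. The changed lines sit in update while the PR title names the create action, so the title or commit message should mention update as well.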
Because .update returns the object, rather than a boolean value, which isn't needed here, it might be better to just use .update_attributes.
http://stackoverflow.com/questions/27684038/rails-paperclip-update-vs-update-attributes
.update_attributes is an alias for .update as of 4.0.2
http://apidock.com/rails/v4.0.2/ActiveRecord/Persistence/update_attributes
And .update does return false, but only if the object is invalid.