Fixed the questionnaire controller's create action [#136213257] #830

Merged
merged 2 commits into from Jan 10, 2017

BigChiefSmidgeums

No description provided.

@@ -26,7 +26,7 @@ def create
end

def update
@questionnaire.update_attributes(questionnaire_params)
@questionnaire.attributes = questionnaire_params
if @questionnaire.save
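
Review bot: in `update`, the pair `@questionnaire.attributes = questionnaire_params` followed by `if @questionnaire.save` splits assignment and persistence into two statements where a single `if @questionnaire.update(questionnaire_params)` would do both and still give the `if` a true/false result. Either form is only as safe as `questionnaire_params`, whose definition is outside this hunk, so it is worth confirming that it builds its hash with `require`/`permit` and an explicit attribute list.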

I think what you're wanting to do is `if @questionnaire.update(questionnaire_params)`.
`attributes =` will call `assign_attributes` without any sanitation of the parameters, so it's possible to bypass mass-assignment security.

@@ -26,8 +26,7 @@ def create
end

def update
@questionnaire.update_attributes(questionnaire_params)
if @questionnaire.save
if @questionnaire.update(questionnaire_params)
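
Review bot: the new `if @questionnaire.update(questionnaire_params)` in `update` makes the `if` condition the only signal that a save failed, and the branch bodies are not visible in this hunk; check that the false branch re-renders the form with the record's validation errors rather than falling through to the success path. Nothing in the visible lines adds a test, so a controller spec that submits invalid params, and one that submits a key outside the permitted list, would pin down the behaviour discussed in this thread.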

Because .update returns the object, rather than a boolean value, which isn't needed here, it might be better to just use .update_attributes.

http://stackoverflow.com/questions/27684038/rails-paperclip-update-vs-update-attributes

.update_attributes is an alias for .update as of 4.0.2
http://apidock.com/rails/v4.0.2/ActiveRecord/Persistence/update_attributes

And .update does return false, but only if the object is invalid.

@jleonardw9 jleonardw9 merged commit d1341dd into master Jan 10, 2017
@jleonardw9 jleonardw9 deleted the jtm_questionnaire_controller_fix branch January 10, 2017 14:47