From d51bdd10b38f98c51be93b8a7e4eb240d71c6878 Mon Sep 17 00:00:00 2001 From: Matt Jankowski Date: Tue, 11 Jun 2024 13:13:59 -0400 Subject: [PATCH] Extract permitted params constant in api controllers --- .../api/v1/accounts/credentials_controller.rb | 28 +++++++++++-------- .../v1/admin/account_actions_controller.rb | 18 +++++++----- .../api/v1/admin/accounts_controller.rb | 4 ++- .../api/v1/admin/domain_blocks_controller.rb | 13 ++++++++- .../api/v1/admin/ip_blocks_controller.rb | 11 +++++++- app/controllers/api/v1/lists_controller.rb | 10 ++++++- app/controllers/api/v1/reports_controller.rb | 13 ++++++++- .../api/v1/statuses/reblogs_controller.rb | 8 +++++- .../api/v2/filters/keywords_controller.rb | 9 +++++- .../api/v2/filters/statuses_controller.rb | 8 +++++- app/controllers/api/v2/search_controller.rb | 14 +++++++++- 11 files changed, 108 insertions(+), 28 deletions(-) diff --git a/app/controllers/api/v1/accounts/credentials_controller.rb b/app/controllers/api/v1/accounts/credentials_controller.rb index a378425183b..601084c660c 100644 --- a/app/controllers/api/v1/accounts/credentials_controller.rb +++ b/app/controllers/api/v1/accounts/credentials_controller.rb @@ -5,6 +5,19 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:update] before_action :require_user! + PERMITTED_PARAMS = [ + :avatar, + :bot, + :discoverable, + :display_name, + :header, + :hide_collections, + :indexable, + :locked, + :note, + fields_attributes: [:name, :value], + ].freeze + def show @account = current_account render json: @account, serializer: REST::CredentialAccountSerializer @@ -23,18 +36,9 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController private def account_params - params.permit( - :display_name, - :note, - :avatar, - :header, - :locked, - :bot, - :discoverable, - :hide_collections, - :indexable, - fields_attributes: [:name, :value] - ) + params + .slice(*PERMITTED_PARAMS) + .permit(*PERMITTED_PARAMS) end def user_params diff --git a/app/controllers/api/v1/admin/account_actions_controller.rb b/app/controllers/api/v1/admin/account_actions_controller.rb index 7249797a40b..94d3b98ccef 100644 --- a/app/controllers/api/v1/admin/account_actions_controller.rb +++ b/app/controllers/api/v1/admin/account_actions_controller.rb @@ -3,6 +3,14 @@ class Api::V1::Admin::AccountActionsController < Api::BaseController include Authorization + PERMITTED_PARAMS = %i( + report_id + send_email_notification + text + type + warning_preset_id + ).freeze + before_action -> { authorize_if_got_token! :'admin:write', :'admin:write:accounts' } before_action :set_account @@ -26,12 +34,8 @@ class Api::V1::Admin::AccountActionsController < Api::BaseController end def resource_params - params.permit( - :type, - :report_id, - :warning_preset_id, - :text, - :send_email_notification - ) + params + .slice(*PERMITTED_PARAMS) + .permit(*PERMITTED_PARAMS) end end diff --git a/app/controllers/api/v1/admin/accounts_controller.rb b/app/controllers/api/v1/admin/accounts_controller.rb index ff6f41e01da..970c7c5c6a3 100644 --- a/app/controllers/api/v1/admin/accounts_controller.rb +++ b/app/controllers/api/v1/admin/accounts_controller.rb @@ -108,7 +108,9 @@ class Api::V1::Admin::AccountsController < Api::BaseController end def filter_params - params.permit(*FILTER_PARAMS) + params + .slice(*FILTER_PARAMS) + .permit(*FILTER_PARAMS) end def translated_filter_params diff --git a/app/controllers/api/v1/admin/domain_blocks_controller.rb b/app/controllers/api/v1/admin/domain_blocks_controller.rb index a20a4a9c7f8..ab97d6cab39 100644 --- a/app/controllers/api/v1/admin/domain_blocks_controller.rb +++ b/app/controllers/api/v1/admin/domain_blocks_controller.rb @@ -14,6 +14,15 @@ class Api::V1::Admin::DomainBlocksController < Api::BaseController after_action :verify_authorized after_action :insert_pagination_headers, only: :index + PERMITTED_PARAMS = %i( + obfuscate + private_comment + public_comment + reject_media + reject_reports + severity + ).freeze + def index authorize :domain_block, :index? render json: @domain_blocks, each_serializer: REST::Admin::DomainBlockSerializer @@ -72,7 +81,9 @@ class Api::V1::Admin::DomainBlocksController < Api::BaseController end def domain_block_params - params.permit(:severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate) + params + .slice(*PERMITTED_PARAMS) + .permit(*PERMITTED_PARAMS) end def next_path diff --git a/app/controllers/api/v1/admin/ip_blocks_controller.rb b/app/controllers/api/v1/admin/ip_blocks_controller.rb index e132a3a87d6..9f46b0e6053 100644 --- a/app/controllers/api/v1/admin/ip_blocks_controller.rb +++ b/app/controllers/api/v1/admin/ip_blocks_controller.rb @@ -14,6 +14,13 @@ class Api::V1::Admin::IpBlocksController < Api::BaseController after_action :verify_authorized after_action :insert_pagination_headers, only: :index + PERMITTED_PARAMS = %i( + comment + expires_in + ip + severity + ).freeze + def index authorize :ip_block, :index? render json: @ip_blocks, each_serializer: REST::Admin::IpBlockSerializer @@ -56,7 +63,9 @@ class Api::V1::Admin::IpBlocksController < Api::BaseController end def resource_params - params.permit(:ip, :severity, :comment, :expires_in) + params + .slice(*PERMITTED_PARAMS) + .permit(*PERMITTED_PARAMS) end def next_path diff --git a/app/controllers/api/v1/lists_controller.rb b/app/controllers/api/v1/lists_controller.rb index 4bbbed26735..28f065daabb 100644 --- a/app/controllers/api/v1/lists_controller.rb +++ b/app/controllers/api/v1/lists_controller.rb @@ -11,6 +11,12 @@ class Api::V1::ListsController < Api::BaseController render json: { error: e.to_s }, status: 422 end + PERMITTED_PARAMS = %i( + exclusive + replies_policy + title + ).freeze + def index @lists = List.where(account: current_account).all render json: @lists, each_serializer: REST::ListSerializer @@ -42,6 +48,8 @@ class Api::V1::ListsController < Api::BaseController end def list_params - params.permit(:title, :replies_policy, :exclusive) + params + .slice(*PERMITTED_PARAMS) + .permit(*PERMITTED_PARAMS) end end diff --git a/app/controllers/api/v1/reports_controller.rb b/app/controllers/api/v1/reports_controller.rb index 72f358bb5bc..9cb7b691cad 100644 --- a/app/controllers/api/v1/reports_controller.rb +++ b/app/controllers/api/v1/reports_controller.rb @@ -6,6 +6,17 @@ class Api::V1::ReportsController < Api::BaseController override_rate_limit_headers :create, family: :reports + PERMITTED_PARAMS = [ + :account_id, + :category, + :comment, + :forward, + :rule_ids, + forward_to_domains: [], + rule_ids: [], + status_ids: [], + ].freeze + def create @report = ReportService.new.call( current_account, @@ -23,6 +34,6 @@ class Api::V1::ReportsController < Api::BaseController end def report_params - params.permit(:account_id, :comment, :category, :forward, forward_to_domains: [], status_ids: [], rule_ids: []) + params.permit(*PERMITTED_PARAMS) end end diff --git a/app/controllers/api/v1/statuses/reblogs_controller.rb b/app/controllers/api/v1/statuses/reblogs_controller.rb index 971b054c548..78254ad6434 100644 --- a/app/controllers/api/v1/statuses/reblogs_controller.rb +++ b/app/controllers/api/v1/statuses/reblogs_controller.rb @@ -11,6 +11,10 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController override_rate_limit_headers :create, family: :statuses + PERMITTED_PARAMS = %i( + visibility + ).freeze + def create with_redis_lock("reblog:#{current_account.id}:#{@reblog.id}") do @status = ReblogService.new.call(current_account, @reblog, reblog_params) @@ -50,6 +54,8 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController end def reblog_params - params.permit(:visibility) + params + .slice(*PERMITTED_PARAMS) + .permit(*PERMITTED_PARAMS) end end diff --git a/app/controllers/api/v2/filters/keywords_controller.rb b/app/controllers/api/v2/filters/keywords_controller.rb index fe1a9919447..f7734feed4e 100644 --- a/app/controllers/api/v2/filters/keywords_controller.rb +++ b/app/controllers/api/v2/filters/keywords_controller.rb @@ -8,6 +8,11 @@ class Api::V2::Filters::KeywordsController < Api::BaseController before_action :set_keywords, only: :index before_action :set_keyword, only: [:show, :update, :destroy] + PERMITTED_PARAMS = %i( + keyword + whole_word + ).freeze + def index render json: @keywords, each_serializer: REST::FilterKeywordSerializer end @@ -45,6 +50,8 @@ class Api::V2::Filters::KeywordsController < Api::BaseController end def resource_params - params.permit(:keyword, :whole_word) + params + .slice(*PERMITTED_PARAMS) + .permit(*PERMITTED_PARAMS) end end diff --git a/app/controllers/api/v2/filters/statuses_controller.rb b/app/controllers/api/v2/filters/statuses_controller.rb index 2e95497a665..7f91fa703f1 100644 --- a/app/controllers/api/v2/filters/statuses_controller.rb +++ b/app/controllers/api/v2/filters/statuses_controller.rb @@ -8,6 +8,10 @@ class Api::V2::Filters::StatusesController < Api::BaseController before_action :set_status_filters, only: :index before_action :set_status_filter, only: [:show, :destroy] + PERMITTED_PARAMS = %i( + status_id + ).freeze + def index render json: @status_filters, each_serializer: REST::FilterStatusSerializer end @@ -39,6 +43,8 @@ class Api::V2::Filters::StatusesController < Api::BaseController end def resource_params - params.permit(:status_id) + params + .slice(*PERMITTED_PARAMS) + .permit(*PERMITTED_PARAMS) end end diff --git a/app/controllers/api/v2/search_controller.rb b/app/controllers/api/v2/search_controller.rb index 3cfc6e7919c..6aea367254e 100644 --- a/app/controllers/api/v2/search_controller.rb +++ b/app/controllers/api/v2/search_controller.rb @@ -5,6 +5,17 @@ class Api::V2::SearchController < Api::BaseController RESULTS_LIMIT = 20 + SEARCH_PARAMS = %i( + account_id + following + max_id + min_id + offset + q + resolve + type + ).freeze + before_action -> { authorize_if_got_token! :read, :'read:search' } before_action :validate_search_params! @@ -63,6 +74,7 @@ class Api::V2::SearchController < Api::BaseController end def search_params - params.permit(:type, :offset, :min_id, :max_id, :account_id, :following) + params + .permit(*SEARCH_PARAMS) end end