1
0
Fork 0
mirror of https://github.com/mastodon/mastodon.git synced 2024-08-20 21:08:15 -07:00

Compare commits

...

2 commits

Author SHA1 Message Date
Matt Jankowski
10661810e2
Merge d51bdd10b3 into 549ab089ee 2024-07-31 11:06:49 +00:00
Matt Jankowski
d51bdd10b3 Extract permitted params constant in api controllers 2024-07-18 13:16:29 -04:00
11 changed files with 108 additions and 28 deletions

View file

@ -5,6 +5,19 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:update] before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:update]
before_action :require_user! before_action :require_user!
PERMITTED_PARAMS = [
:avatar,
:bot,
:discoverable,
:display_name,
:header,
:hide_collections,
:indexable,
:locked,
:note,
fields_attributes: [:name, :value],
].freeze
def show def show
@account = current_account @account = current_account
render json: @account, serializer: REST::CredentialAccountSerializer render json: @account, serializer: REST::CredentialAccountSerializer
@ -23,18 +36,9 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
private private
def account_params def account_params
params.permit( params
:display_name, .slice(*PERMITTED_PARAMS)
:note, .permit(*PERMITTED_PARAMS)
:avatar,
:header,
:locked,
:bot,
:discoverable,
:hide_collections,
:indexable,
fields_attributes: [:name, :value]
)
end end
def user_params def user_params

View file

@ -3,6 +3,14 @@
class Api::V1::Admin::AccountActionsController < Api::BaseController class Api::V1::Admin::AccountActionsController < Api::BaseController
include Authorization include Authorization
PERMITTED_PARAMS = %i(
report_id
send_email_notification
text
type
warning_preset_id
).freeze
before_action -> { authorize_if_got_token! :'admin:write', :'admin:write:accounts' } before_action -> { authorize_if_got_token! :'admin:write', :'admin:write:accounts' }
before_action :set_account before_action :set_account
@ -26,12 +34,8 @@ class Api::V1::Admin::AccountActionsController < Api::BaseController
end end
def resource_params def resource_params
params.permit( params
:type, .slice(*PERMITTED_PARAMS)
:report_id, .permit(*PERMITTED_PARAMS)
:warning_preset_id,
:text,
:send_email_notification
)
end end
end end

View file

@ -108,7 +108,9 @@ class Api::V1::Admin::AccountsController < Api::BaseController
end end
def filter_params def filter_params
params.permit(*FILTER_PARAMS) params
.slice(*FILTER_PARAMS)
.permit(*FILTER_PARAMS)
end end
def translated_filter_params def translated_filter_params

View file

@ -14,6 +14,15 @@ class Api::V1::Admin::DomainBlocksController < Api::BaseController
after_action :verify_authorized after_action :verify_authorized
after_action :insert_pagination_headers, only: :index after_action :insert_pagination_headers, only: :index
PERMITTED_PARAMS = %i(
obfuscate
private_comment
public_comment
reject_media
reject_reports
severity
).freeze
def index def index
authorize :domain_block, :index? authorize :domain_block, :index?
render json: @domain_blocks, each_serializer: REST::Admin::DomainBlockSerializer render json: @domain_blocks, each_serializer: REST::Admin::DomainBlockSerializer
@ -67,7 +76,9 @@ class Api::V1::Admin::DomainBlocksController < Api::BaseController
end end
def domain_block_params def domain_block_params
params.permit(:severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate) params
.slice(*PERMITTED_PARAMS)
.permit(*PERMITTED_PARAMS)
end end
def next_path def next_path

View file

@ -14,6 +14,13 @@ class Api::V1::Admin::IpBlocksController < Api::BaseController
after_action :verify_authorized after_action :verify_authorized
after_action :insert_pagination_headers, only: :index after_action :insert_pagination_headers, only: :index
PERMITTED_PARAMS = %i(
comment
expires_in
ip
severity
).freeze
def index def index
authorize :ip_block, :index? authorize :ip_block, :index?
render json: @ip_blocks, each_serializer: REST::Admin::IpBlockSerializer render json: @ip_blocks, each_serializer: REST::Admin::IpBlockSerializer
@ -56,7 +63,9 @@ class Api::V1::Admin::IpBlocksController < Api::BaseController
end end
def resource_params def resource_params
params.permit(:ip, :severity, :comment, :expires_in) params
.slice(*PERMITTED_PARAMS)
.permit(*PERMITTED_PARAMS)
end end
def next_path def next_path

View file

@ -11,6 +11,12 @@ class Api::V1::ListsController < Api::BaseController
render json: { error: e.to_s }, status: 422 render json: { error: e.to_s }, status: 422
end end
PERMITTED_PARAMS = %i(
exclusive
replies_policy
title
).freeze
def index def index
@lists = List.where(account: current_account).all @lists = List.where(account: current_account).all
render json: @lists, each_serializer: REST::ListSerializer render json: @lists, each_serializer: REST::ListSerializer
@ -42,6 +48,8 @@ class Api::V1::ListsController < Api::BaseController
end end
def list_params def list_params
params.permit(:title, :replies_policy, :exclusive) params
.slice(*PERMITTED_PARAMS)
.permit(*PERMITTED_PARAMS)
end end
end end

View file

@ -6,6 +6,17 @@ class Api::V1::ReportsController < Api::BaseController
override_rate_limit_headers :create, family: :reports override_rate_limit_headers :create, family: :reports
PERMITTED_PARAMS = [
:account_id,
:category,
:comment,
:forward,
:rule_ids,
forward_to_domains: [],
rule_ids: [],
status_ids: [],
].freeze
def create def create
@report = ReportService.new.call( @report = ReportService.new.call(
current_account, current_account,
@ -23,6 +34,6 @@ class Api::V1::ReportsController < Api::BaseController
end end
def report_params def report_params
params.permit(:account_id, :comment, :category, :forward, forward_to_domains: [], status_ids: [], rule_ids: []) params.permit(*PERMITTED_PARAMS)
end end
end end

View file

@ -11,6 +11,10 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
override_rate_limit_headers :create, family: :statuses override_rate_limit_headers :create, family: :statuses
PERMITTED_PARAMS = %i(
visibility
).freeze
def create def create
with_redis_lock("reblog:#{current_account.id}:#{@reblog.id}") do with_redis_lock("reblog:#{current_account.id}:#{@reblog.id}") do
@status = ReblogService.new.call(current_account, @reblog, reblog_params) @status = ReblogService.new.call(current_account, @reblog, reblog_params)
@ -50,6 +54,8 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
end end
def reblog_params def reblog_params
params.permit(:visibility) params
.slice(*PERMITTED_PARAMS)
.permit(*PERMITTED_PARAMS)
end end
end end

View file

@ -8,6 +8,11 @@ class Api::V2::Filters::KeywordsController < Api::BaseController
before_action :set_keywords, only: :index before_action :set_keywords, only: :index
before_action :set_keyword, only: [:show, :update, :destroy] before_action :set_keyword, only: [:show, :update, :destroy]
PERMITTED_PARAMS = %i(
keyword
whole_word
).freeze
def index def index
render json: @keywords, each_serializer: REST::FilterKeywordSerializer render json: @keywords, each_serializer: REST::FilterKeywordSerializer
end end
@ -45,6 +50,8 @@ class Api::V2::Filters::KeywordsController < Api::BaseController
end end
def resource_params def resource_params
params.permit(:keyword, :whole_word) params
.slice(*PERMITTED_PARAMS)
.permit(*PERMITTED_PARAMS)
end end
end end

View file

@ -8,6 +8,10 @@ class Api::V2::Filters::StatusesController < Api::BaseController
before_action :set_status_filters, only: :index before_action :set_status_filters, only: :index
before_action :set_status_filter, only: [:show, :destroy] before_action :set_status_filter, only: [:show, :destroy]
PERMITTED_PARAMS = %i(
status_id
).freeze
def index def index
render json: @status_filters, each_serializer: REST::FilterStatusSerializer render json: @status_filters, each_serializer: REST::FilterStatusSerializer
end end
@ -39,6 +43,8 @@ class Api::V2::Filters::StatusesController < Api::BaseController
end end
def resource_params def resource_params
params.permit(:status_id) params
.slice(*PERMITTED_PARAMS)
.permit(*PERMITTED_PARAMS)
end end
end end

View file

@ -5,6 +5,17 @@ class Api::V2::SearchController < Api::BaseController
RESULTS_LIMIT = 20 RESULTS_LIMIT = 20
SEARCH_PARAMS = %i(
account_id
following
max_id
min_id
offset
q
resolve
type
).freeze
before_action -> { authorize_if_got_token! :read, :'read:search' } before_action -> { authorize_if_got_token! :read, :'read:search' }
before_action :validate_search_params! before_action :validate_search_params!
@ -63,6 +74,7 @@ class Api::V2::SearchController < Api::BaseController
end end
def search_params def search_params
params.permit(:type, :offset, :min_id, :max_id, :account_id, :following) params
.permit(*SEARCH_PARAMS)
end end
end end