Class: RuboCop::Cop::Betterment::AuthorizationInController

Inherits:
RuboCop::Cop
  • Object
Defined in:
lib/rubocop/cop/betterment/authorization_in_controller.rb

Constant Summary

MSG_UNSAFE_CREATE =

MSG_UNSAFE_CREATE = 'Model created/updated using unsafe parameters'.freeze

"Model created/updated using unsafe parameters.\nPlease query for the associated record in a way that enforces authorization (e.g. \"trust-root chaining\"),\nand then pass the resulting object into your model instead of the unsafe parameter.\n\nINSTEAD OF THIS:\npost_parameters = params.permit(:album_id, :caption)\nPost.new(post_parameters)\n\nDO THIS:\nalbum = current_user.albums.find(params[:album_id])\npost_parameters = params.permit(:caption).merge(album: album)\nPost.new(post_parameters)\n\nSee here for more information on this error:\nhttps://github.com/Betterment/rubocop-betterment/blob/master/README.md#bettermentauthorizationincontroller\n".freeze

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(config = nil, options = nil) ⇒ AuthorizationInController

Returns a new instance of AuthorizationInController.



# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 34

# Builds the cop and reads its per-cop configuration from the RuboCop config.
#
# @param config [RuboCop::Config, nil] forwarded to the RuboCop::Cop constructor
# @param options [Hash, nil] forwarded to the RuboCop::Cop constructor
# @return [AuthorizationInController]
def initialize(config = nil, options = nil)
  super(config, options)
  cop_config = @config.for_cop(self)
  # Parameter names listed under the cop's `unsafe_parameters` setting, kept as symbols.
  @unsafe_parameters = cop_config.fetch("unsafe_parameters", []).map(&:to_sym)
  # `unsafe_regex` is compiled verbatim from configuration; the default `.*_id$`
  # anchors with `$`, which matches at a line end rather than only the end of the string.
  @unsafe_regex = Regexp.new(cop_config.fetch("unsafe_regex", ".*_id$"))
  @wrapper_methods = {}
  @wrapper_names = []
end

Instance Attribute Details

#unsafe_parameters ⇒ Object

Returns the value of attribute unsafe_parameters.



# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 5

# @return [Array<Symbol>] parameter names configured as unsafe (the
#   `unsafe_parameters` setting, symbolized in #initialize)
def unsafe_parameters
  @unsafe_parameters
end

#unsafe_regex ⇒ Object

Returns the value of attribute unsafe_regex.



# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 5

# @return [Regexp] pattern compiled in #initialize from the `unsafe_regex`
#   setting (default `.*_id$`)
def unsafe_regex
  @unsafe_regex
end

Instance Method Details

#on_class(node) ⇒ Object



# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 43

# RuboCop callback for every class definition node.
# Both helpers are defined elsewhere in this file; presumably they populate the
# @wrapper_methods / @wrapper_names state set up in #initialize so that later
# on_send checks can consult it — confirm against their definitions.
#
# @param node [RuboCop::AST::Node] the class definition node
# @return [void]
def on_class(node)
  track_methods(node)
  track_assignments(node)
end

#on_send(node) ⇒ Object

rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity



# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 48

# RuboCop callback for every method call node. For calls that model_new? or
# model_update? (defined elsewhere in this file) recognise as creating or
# updating a model, each argument is handed to the tag_unsafe_param_* helpers
# (also defined elsewhere), which are responsible for reporting offenses.
#
# @param node [RuboCop::AST::SendNode] the method call being inspected
# @return [void]
def on_send(node) # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity
  return unless model_new?(node) || model_update?(node)

  # A send node's children are [receiver, method name, *arguments].
  call_arguments = node.children.drop(2)

  call_arguments.each do |argument|
    case argument.type
    when :send
      tag_unsafe_param_hash(argument)
      tag_unsafe_param_permit_wrapper(argument)
    when :hash
      # Only `key: value` pairs are inspected. NOTE(review): a `**splat`
      # entry (kwsplat) inside the literal is skipped here — confirm that is intended.
      argument.children.each do |entry|
        next unless entry.type == :pair

        pair_value = entry.children.last
        tag_unsafe_param_hash(pair_value)
        tag_unsafe_param_permit_wrapper(pair_value)
      end
    else
      tag_unsafe_param_permit_wrapper(argument) if argument.variable?
    end
  end
end