From c743cc689d6d0f2d2a78e83734c966e93f3f2023 Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Thu, 29 Feb 2024 23:59:49 +0200
Subject: [PATCH] validate account config keys
---
 app/controllers/account_configs_controller.rb | 4 ++-
 .../personalization_settings_controller.rb | 31 +++++++++++++++----
 app/controllers/user_configs_controller.rb | 4 ++-
 lib/replace_email_variables.rb | 2 +-
 4 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/app/controllers/account_configs_controller.rb b/app/controllers/account_configs_controller.rb
index 5d33a547..1732423c 100644
--- a/app/controllers/account_configs_controller.rb
+++ b/app/controllers/account_configs_controller.rb
@@ -11,6 +11,8 @@ class AccountConfigsController < ApplicationController
 AccountConfig::ESIGNING_PREFERENCE_KEY
 ].freeze
+ InvalidKey = Class.new(StandardError)
+
 def create
 @account_config.update!(account_config_params)
@@ -20,7 +22,7 @@ class AccountConfigsController < ApplicationController
 private
 def load_account_config
- return head :not_found unless ALLOWED_KEYS.include?(account_config_params[:key])
+ raise InvalidKey unless ALLOWED_KEYS.include?(account_config_params[:key])
 @account_config = AccountConfig.find_or_initialize_by(account: current_account, key: account_config_params[:key])
diff --git a/app/controllers/personalization_settings_controller.rb b/app/controllers/personalization_settings_controller.rb
index 58a641de..1d147a5e 100644
--- a/app/controllers/personalization_settings_controller.rb
+++ b/app/controllers/personalization_settings_controller.rb
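Review bot: Replacing `return head :not_found` with `raise InvalidKey` in load_account_config turns a rejected key from a 404 into an unhandled StandardError, which Rails reports as a 500 unless something rescues it, and no `rescue_from InvalidKey` appears anywhere in this patch (it may already exist in ApplicationController, outside the diff). If it does not, a one-line handler next to the class, `rescue_from InvalidKey, with: -> { head :unprocessable_entity }`, keeps the rejection a client error and out of exception tracking. The same applies to load_user_config in the second hunk of user_configs_controller.rb. InvalidKey is declared separately in this controller, UserConfigsController and PersonalizationSettingsController; a single class on ApplicationController would let one handler cover all three. load_account_config continues past the end of the hunk.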
@@ -1,23 +1,42 @@
 # frozen_string_literal: true
 class PersonalizationSettingsController < ApplicationController
+ ALLOWED_KEYS = [
+ AccountConfig::FORM_COMPLETED_BUTTON_KEY,
+ AccountConfig::SUBMITTER_INVITATION_EMAIL_KEY,
+ AccountConfig::SUBMITTER_DOCUMENTS_COPY_EMAIL_KEY,
+ AccountConfig::SUBMITTER_COMPLETED_EMAIL_KEY
+ ].freeze
+
+ InvalidKey = Class.new(StandardError)
+
+ before_action :load_and_authorize_account_config, only: :create
+
 def show
 authorize!(:read, AccountConfig)
 end
 def create
- account_config =
- current_account.account_configs.find_or_initialize_by(key: account_config_params[:key])
-
- authorize!(:create, account_config)
-
- account_config.update!(account_config_params)
+ @account_config.save!
 redirect_back(fallback_location: settings_personalization_path, notice: 'Settings have been saved.')
 end
 private
+ def load_and_authorize_account_config
+ @account_config =
+ current_account.account_configs.find_or_initialize_by(key: account_config_params[:key])
+
+ @account_config.assign_attributes(account_config_params)
+
+ authorize!(:create, @account_config)
+
+ raise InvalidKey unless ALLOWED_KEYS.include?(@account_config.key)
+
+ @account_config
+ end
+
 def account_config_params
 attrs = params.require(:account_config).permit!
diff --git a/app/controllers/user_configs_controller.rb b/app/controllers/user_configs_controller.rb
index 124e5d63..834cc1d9 100644
--- a/app/controllers/user_configs_controller.rb
+++ b/app/controllers/user_configs_controller.rb
@@ -8,6 +8,8 @@ class UserConfigsController < ApplicationController
 UserConfig::RECEIVE_COMPLETED_EMAIL
 ].freeze
+ InvalidKey = Class.new(StandardError)
+
 def create
 @user_config.update!(user_config_params)
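Review bot: In load_and_authorize_account_config the ALLOWED_KEYS check runs last, after the record has been looked up, had `account_config_params` mass-assigned through `assign_attributes`, and been authorized; moving `raise InvalidKey unless ALLOWED_KEYS.include?(account_config_params[:key])` to the first line of the method rejects an unknown key before any of that work and matches the order used in the other two controllers. This matters slightly more here because the context line shows `account_config_params` built from `params.require(:account_config).permit!`; the rest of that method lies outside the hunk and may narrow the attributes, but checking the key first costs nothing. The trailing `@account_config` expression is unused by a before_action and can be dropped.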
@@ -17,7 +19,7 @@ class UserConfigsController < ApplicationController
 private
 def load_user_config
- return head :not_found unless ALLOWED_KEYS.include?(user_config_params[:key])
+ raise InvalidKey unless ALLOWED_KEYS.include?(user_config_params[:key])
 @user_config = UserConfig.find_or_initialize_by(user: current_user, key: user_config_params[:key])
diff --git a/lib/replace_email_variables.rb b/lib/replace_email_variables.rb
index 5fbe881f..60f7a11c 100644
--- a/lib/replace_email_variables.rb
+++ b/lib/replace_email_variables.rb
@@ -38,7 +38,7 @@ module ReplaceEmailVariables
 text = text.gsub(DOCUMENTS_LINKS, build_documents_links_text(submitter, sig))
 text = text.gsub(DOCUMENTS_LINK, build_documents_links_text(submitter, sig))
- text = text.gsub(ACCOUNT_NAME, submitter.template.account.name) if submitter.template
+ text = text.gsub(ACCOUNT_NAME, submitter.account.name) if submitter.account
 text
 end
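Review bot: The new line in replace_email_variables.rb still passes `submitter.account.name` as the replacement string of `String#gsub`, so a name containing a backslash sequence such as `\0` or `\\` is interpreted as a back-reference or escape rather than inserted literally; account names are user-editable, so the block form is the safer choice: `text = text.gsub(ACCOUNT_NAME) { submitter.account.name } if submitter.account`. The two `build_documents_links_text` lines above use the same string form but are not touched by this commit. The enclosing method starts outside the hunk.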