fix: freeze fields on design submission to prevent fraudulent setting of approval (TY Charmunk!)
This commit is contained in:
parent
4395e2f264
commit
cc8d491e96
1 changed files with 7 additions and 3 deletions
|
|
@ -16,6 +16,8 @@ class DesignsTable < AirctiveRecord::Base
|
|||
end
|
||||
|
||||
class Designs < Base
|
||||
DESIGN_ALLOWED_FIELDS = %w[Name Description Image_URL].freeze
|
||||
|
||||
resource :designs do
|
||||
get :all do
|
||||
error!('Unauthorized', 401) unless current_user
|
||||
|
|
@ -53,9 +55,11 @@ class Designs < Base
|
|||
|
||||
post do
|
||||
error!('Unauthorized', 401) unless current_user
|
||||
fields = params[:fields] || {}
|
||||
fields['slack_id'] = current_user[:slack_id] || current_user[:id]
|
||||
DesignsTable.create(fields)
|
||||
safe_fields = (params[:fields] || {}).slice(*DESIGN_ALLOWED_FIELDS)
|
||||
safe_fields['slack_id'] = current_user[:slack_id] || current_user[:id]
|
||||
safe_fields['Status'] = 'pending'
|
||||
safe_fields['Votes'] = 0
|
||||
DesignsTable.create(safe_fields)
|
||||
end
|
||||
|
||||
route_param :id do
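Review bot: `params[:fields]` is assumed to be a hash on the `safe_fields` line, but a client can send `fields` as a string, number or array, in which case `.slice` raises NoMethodError and the request fails with a 500 instead of a 400. A small guard before the slice keeps the new allowlist from turning malformed input into a server error: `fields = params[:fields] || {}` / `error!('fields must be an object', 400) unless fields.respond_to?(:slice)` / `safe_fields = fields.slice(*DESIGN_ALLOWED_FIELDS)`. The allowlist also passes values through untyped, so `Name` or `Description` can still arrive as a nested object or array; if this is Grape (the `resource`/`route_param`/`error!` DSL suggests it), a `params do requires :fields, type: Hash end` declaration with per-field types would cover both points. Note that `slice` matches keys by exact string, so the accepted names are case-sensitive (`Name`, not `name`); a short comment on `DESIGN_ALLOWED_FIELDS` such as `# exact Airtable column names; anything else sent by the client is dropped` would make that intentional rather than surprising.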
|
||||
|
|
|
|||