[ARP-86023] ARP IPF: Fix ARP IPF controller param casing.
nihil2501 committed Sep 6, 2024
1 parent 048e3e1 commit 233b488
Showing 2 changed files with 23 additions and 18 deletions.
Expand Up @@ -5,7 +5,7 @@ module V0
class InProgressFormsController < ApplicationController
def update
form = in_progress_form || new_form_for_user(form_id, @current_user)
form.update!(form_data: params[:formData], metadata: params[:metadata])
form.update!(form_params)

Check failure

Code scanning / CodeQL

Insecure Mass Assignment Critical

This mass assignment operation can assign user-controlled attributes from this remote flow source.

render json: InProgressFormSerializer.new(form)
end
Expand Down Expand Up @@ -44,6 +44,10 @@ def in_progress_form
InProgressForm.form_for_user(form_id, @current_user)
end

def form_params
params.permit(form_data: {}, metadata: {})
end

def form_id
params[:id]
end
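Review bot: `params.permit(form_data: {}, metadata: {})` in `form_params` permits any nested keys under both hashes, which is what the CodeQL mass-assignment alert is reacting to; it is equivalent to the previous raw `params[:formData]` passthrough, so it is only safe if `InProgressForm` stores `form_data` and `metadata` as opaque serialized columns rather than mapping their keys onto model attributes, and nothing in this hunk shows which. If whole-hash permit is the intent, say so next to the permit so a later reader neither tightens it by accident nor re-triages the alert from scratch: `# form_data/metadata are opaque client-owned hashes; permitting the whole hash is deliberate`. Separately, with `permit` a client that still sends the old camelCase `formData` key produces no `form_data` entry at all, so `form.update!(form_params)` succeeds as a no-op or metadata-only update and the casing change fails silently for stale clients; if `form_data` is mandatory for this action, `params.require(:form_data)` or an explicit presence check would surface that as an error instead. The controller body, including any `private` marker above `form_params`, continues outside both hunks.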
Expand Up @@ -7,7 +7,6 @@
let(:initial_request_date) { Time.utc(2022, 3, 4, 5, 6, 7) }
let(:form_id) { '21a' }
let(:headers) { { 'Content-Type' => 'application/json' } }
let(:in_progress_form_id) { InProgressForm.last.id }

before do
Flipper.enable(:accredited_representative_portal_pilot)
Expand All @@ -17,15 +16,17 @@
describe 'requests' do
context 'can make requests to InProgressForms controller' do
it 'can make requests to InProgressForms controller' do
form = build(
:in_progress_form,
user_uuid: representative_user.uuid,
form_data: { field: 'value' },
form_id:
)

# Test for GET and DELETE of existing InProgressForm
Timecop.freeze(initial_request_date) do
form_data = { field: 'value' }
initial_in_progress_form = create(
:in_progress_form,
user_uuid: representative_user.uuid,
form_data:,
form_id:
)
form.save!

get("/accredited_representative_portal/v0/in_progress_forms/#{form_id}")
expect(parsed_response).to eq(
{
Expand All @@ -45,7 +46,7 @@
'createdAt' => 1_646_370_367,
'expiresAt' => 1_651_554_367,
'lastUpdated' => 1_646_370_367,
'inProgressFormId' => initial_in_progress_form.id
'inProgressFormId' => InProgressForm.last.id
}
}
)
Expand All @@ -56,12 +57,12 @@

# Test for PUT when InProgressForm does not exist
Timecop.freeze(initial_request_date + 1.day) do
form_data = { another_field: 'foo' }
put(
"/accredited_representative_portal/v0/in_progress_forms/#{form_id}",
params: { 'formData' => form_data }.to_json,
params: { 'form_data' => { another_field: 'foo' } }.to_json,
headers:
)

expect(parsed_response).to eq(
{
'data' => {
Expand All @@ -75,7 +76,7 @@
'createdAt' => 1_646_456_767,
'expiresAt' => 1_651_640_767,
'lastUpdated' => 1_646_456_767,
'inProgressFormId' => in_progress_form_id
'inProgressFormId' => InProgressForm.last.id
}
}
}
Expand All @@ -92,20 +93,20 @@
'createdAt' => 1_646_456_767,
'expiresAt' => 1_651_640_767,
'lastUpdated' => 1_646_456_767,
'inProgressFormId' => in_progress_form_id
'inProgressFormId' => InProgressForm.last.id
}
}
)
end

# Test for PUT and DELETE when InProgressForm does exist
Timecop.freeze(initial_request_date + 2.days) do
form_data = { another_field: 'foo', sample_field: 'sample' }
put(
"/accredited_representative_portal/v0/in_progress_forms/#{form_id}",
params: { 'formData' => form_data }.to_json,
params: { 'form_data' => { another_field: 'foo', sample_field: 'sample' } }.to_json,
headers:
)

expect(parsed_response).to eq(
{
'data' => {
Expand All @@ -119,7 +120,7 @@
'createdAt' => 1_646_456_767,
'expiresAt' => 1_651_727_167,
'lastUpdated' => 1_646_543_167,
'inProgressFormId' => in_progress_form_id
'inProgressFormId' => InProgressForm.last.id
}
}
}
Expand All @@ -137,7 +138,7 @@
'createdAt' => 1_646_456_767,
'expiresAt' => 1_651_727_167,
'lastUpdated' => 1_646_543_167,
'inProgressFormId' => in_progress_form_id
'inProgressFormId' => InProgressForm.last.id
}
}
)
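Review bot: Every example now sends only the new key (`params: { 'form_data' => ... }.to_json`), so nothing in the spec pins the casing change itself: a request that still uses `'formData'` would now leave `form_data` untouched rather than fail, and no example documents that. One short example sending `'formData'` and asserting that the stored `formData` in the response is unchanged (or that the request is rejected, whichever the controller intends) would lock the behaviour in. The memoized `let(:in_progress_form_id)` is replaced by six `InProgressForm.last.id` lookups, presumably because the id changes when the form is recreated across the `Timecop.freeze` blocks; a one-line comment at the first use, e.g. `# looked up each time: the form is deleted and recreated below, so the id changes`, would explain why a `let` is not used.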
