safe constantize of authorization_request_class
JeSuisUnCaillou committed Jan 21, 2025
1 parent 80ea27c commit 1697426
Showing 2 changed files with 14 additions and 2 deletions.
12 changes: 10 additions & 2 deletions app/controllers/reopen_authorizations_controller.rb
@@ -1,5 +1,5 @@
class ReopenAuthorizationsController < AuthenticatedUserController
before_action :extract_authorization
before_action :extract_authorization, :extract_authorization_request_class
before_action :authorize_authorization_reopening

def new; end
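
Review bot: On the `before_action :extract_authorization, :extract_authorization_request_class` line, the class-name check is registered ahead of `authorize_authorization_reopening`, so a request-supplied parameter is validated before the policy check has run. Consider declaring it on its own `before_action` line after the authorization callback, so a user who fails `reopen?` is rejected without the parameter being examined at all.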
Expand All @@ -22,7 +22,7 @@ def reopen_authorization
ReopenAuthorization.call(
authorization: @authorization,
user: current_user,
authorization_request_class: params[:authorization_request_class].try(:constantize) # C'est pas hyper dangereux ce que je fait là par hasard ? (Constantize une string envoyée par le front)
authorization_request_class: @authorization_request_class
)
end

Expand All @@ -38,6 +38,14 @@ def extract_authorization
@authorization = authorization_request.authorizations.friendly.find(params[:authorization_id])
end

def extract_authorization_request_class
return if params[:authorization_request_class].blank?

raise ActionController::UnpermittedParameters unless AuthorizationDefinition.all_request_classes.map(&:to_s).include? params[:authorization_request_class]

@authorization_request_class = params[:authorization_request_class].constantize
end

def authorize_authorization_reopening
authorize @authorization, :reopen?
end
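
Review bot: In `extract_authorization_request_class`, `raise ActionController::UnpermittedParameters` is called with no arguments, but that exception's initializer expects the list of offending parameter names, so the rejection path is likely to surface as an ArgumentError (a 500) instead of the intended error. Pass the names, e.g. `raise ActionController::UnpermittedParameters.new(%w[authorization_request_class])`, or raise `ActionController::BadRequest`. The allow-list check before `constantize` is the right direction; it can be tightened by taking the class from the allow-list itself, `AuthorizationDefinition.all_request_classes.find { |klass| klass.to_s == params[:authorization_request_class] }`, so the request string is never constantized.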
4 changes: 4 additions & 0 deletions app/models/authorization_definition.rb
Expand Up @@ -91,4 +91,8 @@ def startable_by_applicant
def authorization_request_class
@authorization_request_class ||= AuthorizationRequest.const_get(id.classify)
end

def self.all_request_classes
all.map(&:authorization_request_class)
end
end
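
Review bot: `self.all_request_classes` is a new public method that the controller's allow-list now depends on, yet neither of the 2 changed files is a spec. Add tests covering an allowed class name, a rejected name and a blank parameter. Since `all.map(&:authorization_request_class)` walks every definition on each call and the controller only compares strings, consider memoising the list or exposing the names directly so the caller does not need `map(&:to_s)`.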
