Class: RuboCop::Cop::Betterment::AuthorizationInController

Inherits:
RuboCop::Cop
  • Object
show all
Defined in:
lib/rubocop/cop/betterment/authorization_in_controller.rb

Constant Summary collapse

MSG_UNSAFE_CREATE =

MSG_UNSAFE_CREATE = ‘Model created/updated using unsafe parameters’.freeze

<<~MSG
  Model created/updated using unsafe parameters.
  Please query for the associated record in a way that enforces authorization (e.g. "trust-root chaining"),
  and then pass the resulting object into your model instead of the unsafe parameter.

  INSTEAD OF THIS:
  post_parameters = params.permit(:album_id, :caption)
  Post.new(post_parameters)

  DO THIS:
  album = current_user.albums.find(params[:album_id])
  post_parameters = params.permit(:caption).merge(album: album)
  Post.new(post_parameters)

  See here for more information on this error:
  https://github.com/Betterment/betterlint/blob/main/README.md#bettermentauthorizationincontroller
MSG

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(config = nil, options = nil) ⇒ AuthorizationInController

Returns a new instance of AuthorizationInController.



36
37
38
39
40
41
42
# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 36

def initialize(config = nil, options = nil)
  super(config, options)
  config = @config.for_cop(self)
  @unsafe_parameters = config.fetch("unsafe_parameters", []).map(&:to_sym)
  @unsafe_regex = Regexp.new config.fetch("unsafe_regex", ".*_id$")
  @param_wrappers = []
end

Instance Attribute Details

#unsafe_parametersObject

Returns the value of attribute unsafe_parameters.



7
8
9
# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 7

def unsafe_parameters
  @unsafe_parameters
end

#unsafe_regexObject

Returns the value of attribute unsafe_regex.



7
8
9
# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 7

def unsafe_regex
  @unsafe_regex
end

Instance Method Details

#on_class(node) ⇒ Object



44
45
46
47
48
49
50
51
52
# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 44

def on_class(node)
  Utils::MethodReturnTable.populate_index node
  Utils::MethodReturnTable.indexed_methods.each do |method_name, method_returns|
    method_returns.each do |x|
      name = Utils::Parser.get_root_token(x)
      @param_wrappers << method_name if name == :params || @param_wrappers.include?(name)
    end
  end
end

#on_send(node) ⇒ Object

rubocop:disable Metrics/PerceivedComplexity



54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# File 'lib/rubocop/cop/betterment/authorization_in_controller.rb', line 54

def on_send(node) # rubocop:disable Metrics/PerceivedComplexity
  return if !model_new?(node) && !model_update?(node)

  node.arguments.each do |argument|
    if argument.send_type? || argument.variable?
      flag_literal_param_use(argument)
      flag_indirect_param_use(argument)
    elsif argument.hash_type?
      argument.children.select(&:pair_type?).each do |pair|
        _key, value = *pair.children
        flag_literal_param_use(value)
        flag_indirect_param_use(value)
      end
    end
  end
end