Commit

whitelist editor_ids as parameter only for admins
fosterfarrell9 committed Apr 7, 2024
1 parent 1e6d953 commit d6cd530
Showing 1 changed file with 8 additions and 7 deletions.
15 changes: 8 additions & 7 deletions app/controllers/courses_controller.rb
Expand Up @@ -94,13 +94,14 @@ def set_course_admin
end

def course_params
params.require(:course).permit(:title, :short_title, :organizational,
:organizational_concept, :locale,
:term_independent, :image,
tag_ids: [],
preceding_course_ids: [],
editor_ids: [],
division_ids: [])
allowed_params = [:title, :short_title, :organizational,
:organizational_concept, :locale,
:term_independent, :image,
{ tag_ids: [],
preceding_course_ids: [],
division_ids: [] }]
allowed_params.push({ editor_ids: [] }) if current_user.admin?
params.require(:course).permit(allowed_params)
end

def tag_params
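Review bot: The admin gate at `allowed_params.push({ editor_ids: [] }) if current_user.admin?` ships without a spec; the commit touches only app/controllers/courses_controller.rb. Since this line is the only thing stopping a non-admin who can reach the update action from rewriting a course's editor list via mass assignment, add a request or controller spec with two cases: a non-admin submitting `course[editor_ids][]` leaves the editors unchanged, and an admin submitting the same parameter updates them. A one-line comment above the `push` stating that `editor_ids` is admin-only on purpose would also keep a later refactor from folding it back into the static list. Minor: `permit(allowed_params)` works because `permit` flattens its filters, but `permit(*allowed_params)` makes that explicit.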