discourse/app/controllers/clicks_controller.rb
Ian Christian Myers 0d01c33482 Enabled strong_parameters across all models/controllers.
All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.

The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.

It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 00:30:59 -07:00

29 lines
736 B
Ruby

class ClicksController < ApplicationController
skip_before_filter :check_xhr
def track
params = track_params.merge(ip: request.remote_ip)
if params[:topic_id].present? || params[:post_id].present?
params.merge!({ user_id: current_user.id }) if current_user.present?
TopicLinkClick.create_from(params)
end
# Sometimes we want to record a link without a 302. Since XHR has to load the redirected
# URL we want it to not return a 302 in those cases.
if params[:redirect] == 'false'
render nothing: true
else
redirect_to(params[:url])
end
end
private
def track_params
params.require(:url)
params.permit(:url, :post_id, :topic_id, :redirect)
end
end