Migrate settings controllers to strong parameters

Author: mayorova

app/controllers/sites/settings_controller.rb

@@ -2,7 +2,6 @@ class Sites::SettingsController < Sites::BaseController
   provider_required
 
   before_action :find_settings
-  before_action :find_service, :only => [:edit, :policies, :accessrules]
 
   layout 'provider'
   activate_menu :audience, :finance, :credit_card_policies
@@ -11,22 +10,22 @@ def show
     redirect_to :action => :edit
   end
 
-  def edit
-  end
-
-  def accessrules
-  end
+  def edit; end
 
   def update
-    if @settings.update(params[:settings])
+    if @settings.update(settings_params)
       redirect_to edit_admin_site_settings_path, success: t('.success')
     else
-      render :accessrules
+      redirect_to edit_admin_site_settings_path, danger: t('.error')
     end
   end
 
   private
 
+  def settings_params
+    params.require(:settings).permit(:cc_terms_path, :cc_privacy_path, :cc_refunds_path)
+  end
+
   def find_settings
     @settings = current_account.settings
   end

app/models/settings.rb

@@ -4,8 +4,6 @@ class Settings < ApplicationRecord
 
   audited allow_mass_assignment: true
 
-  attr_protected :account_id, :tenant_id, :product, :audit_ids, :sso_key
-
   validates :product, inclusion: { in: %w[connect enterprise].freeze }
   validates :change_account_plan_permission, :change_service_plan_permission, inclusion: { in: %w[request none credit_card request_credit_card direct].freeze }
   validates :bg_colour, :link_colour, :text_colour, :menu_bg_colour, :link_label, :link_url, :menu_link_colour, :token_api,

config/locales/en.yml

@@ -1244,6 +1244,7 @@ en:
     settings:
       update:
         success: Settings updated
+        error: Settings could not be updated
     spam_protections:
       edit:
         selector_label: Protection against bots on the developer portal

test/integration/sites/emails_controller_test.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class Sites::SettingsControllerTest < ActionDispatch::IntegrationTest
+
+  test 'show emails tab if not master account' do
+    provider = FactoryBot.create(:provider_account)
+
+    login_provider provider
+
+    get edit_admin_site_emails_path
+
+    assert_response :success
+  end
+
+  test 'do not show emails tab if master account' do
+    ThreeScale.config.stubs(onpremises: true, tenant_mode: 'master')
+
+    member = FactoryBot.create(:simple_admin, account: master_account)
+    member.activate!
+
+    login! master_account, user: member
+
+    get edit_admin_site_emails_path
+
+    assert_response :forbidden
+  end
+
+end

test/integration/sites/settings_controller_test.rb

@@ -27,4 +27,43 @@ class Sites::SettingsControllerTest < ActionDispatch::IntegrationTest
     assert_response :forbidden
   end
 
+  test 'update credit card policies paths successfully' do
+    provider = FactoryBot.create(:provider_account)
+    login_provider provider
+
+    put admin_site_settings_path, params: {
+      settings: {
+        cc_terms_path: '/terms',
+        cc_privacy_path: '/privacy',
+        cc_refunds_path: '/refunds'
+      }
+    }
+
+    assert_redirected_to edit_admin_site_settings_path
+    assert_equal 'Settings updated', flash[:success]
+
+    provider.settings.reload
+    assert_equal '/terms', provider.settings.cc_terms_path
+    assert_equal '/privacy', provider.settings.cc_privacy_path
+    assert_equal '/refunds', provider.settings.cc_refunds_path
+  end
+
+  test 'update with empty values clears settings' do
+    provider = FactoryBot.create(:provider_account)
+    provider.settings.update(cc_terms_path: '/terms', cc_privacy_path: '/privacy')
+    login_provider provider
+
+    put admin_site_settings_path, params: {
+      settings: {
+        cc_terms_path: '',
+        cc_privacy_path: ''
+      }
+    }
+
+    assert_redirected_to edit_admin_site_settings_path
+
+    provider.settings.reload
+    assert_equal '', provider.settings.cc_terms_path
+    assert_equal '', provider.settings.cc_privacy_path
+  end
 end