Remove controller and live view param whitelisting (#2381)

joshk · nshoes · web-flow · commit 21d7c605ca7e · 2025-10-18T11:53:16.000+13:00
Ecto Changesets are the right way to do whitelisting, so this isn't needed. (Built upon #2380) --------- Co-authored-by: Nate Shoemaker <nshoes@users.noreply.github.com>
diff --git a/lib/nerves_hub_web.ex b/lib/nerves_hub_web.ex
@@ -39,12 +39,6 @@ defmodule NervesHubWeb do
 
       # Routes generation with the ~p sigil
       unquote(verified_routes())
-
-      def whitelist(params, keys) do
-        keys
-        |> Enum.filter(fn x -> !is_nil(params[to_string(x)]) end)
-        |> Map.new(fn x -> {x, params[to_string(x)]} end)
-      end
     end
   end
 
@@ -66,12 +60,6 @@ defmodule NervesHubWeb do
       unquote(verified_routes())
 
       action_fallback(NervesHubWeb.API.FallbackController)
-
-      def whitelist(params, keys) do
-        keys
-        |> Enum.filter(fn x -> !is_nil(params[to_string(x)]) end)
-        |> Map.new(fn x -> {x, params[to_string(x)]} end)
-      end
     end
   end
 
@@ -127,12 +115,6 @@ defmodule NervesHubWeb do
         |> assign(:tab_hint, tab)
       end
 
-      def whitelist(params, keys) do
-        keys
-        |> Enum.filter(fn x -> !is_nil(params[to_string(x)]) end)
-        |> Map.new(fn x -> {x, params[to_string(x)]} end)
-      end
-
       def analytics_enabled?(), do: Application.get_env(:nerves_hub, :analytics_enabled)
 
       unquote(tab_component_functions())
diff --git a/lib/nerves_hub_web/controllers/api/deployment_group_controller.ex b/lib/nerves_hub_web/controllers/api/deployment_group_controller.ex
@@ -5,16 +5,13 @@ defmodule NervesHubWeb.API.DeploymentGroupController do
   alias NervesHub.AuditLogs.DeploymentGroupTemplates
   alias NervesHub.Firmwares
   alias NervesHub.ManagedDeployments
-  alias NervesHub.ManagedDeployments.DeploymentGroup
 
   security([%{}, %{"bearer_auth" => []}])
   tags(["Deployment Groups"])
 
   plug(:validate_role, [org: :manage] when action in [:create, :update, :delete])
   plug(:validate_role, [org: :view] when action in [:index, :show])
 
-  @whitelist_fields [:name, :org_id, :firmware_id, :conditions, :is_active, :product_id]
-
   operation(:index, summary: "List all Deployment Groups for a Product")
 
   def index(%{assigns: %{product: product}} = conn, _params) do
@@ -68,13 +65,9 @@ defmodule NervesHubWeb.API.DeploymentGroupController do
       }) do
     with {:ok, deployment_group} <-
            ManagedDeployments.get_deployment_group_by_name(product, name),
-         {:ok, deployment_group_params} <- update_params(product, deployment_group_params),
-         deployment_group_params = whitelist(deployment_group_params, @whitelist_fields),
-         {:ok, %DeploymentGroup{} = updated_deployment_group} <-
-           ManagedDeployments.update_deployment_group(
-             deployment_group,
-             deployment_group_params
-           ) do
+         params = update_params(product, deployment_group_params),
+         {:ok, updated_deployment_group} <-
+           ManagedDeployments.update_deployment_group(deployment_group, params) do
       DeploymentGroupTemplates.audit_deployment_updated(user, deployment_group)
 
       render(conn, :show, deployment_group: updated_deployment_group)
@@ -95,10 +88,6 @@ defmodule NervesHubWeb.API.DeploymentGroupController do
     params
     |> maybe_active_from_state()
     |> maybe_firmware_id(product)
-    |> case do
-      %{} = params -> {:ok, params}
-      err -> err
-    end
   end
 
   defp maybe_active_from_state(%{"state" => state} = params) do
@@ -109,8 +98,12 @@ defmodule NervesHubWeb.API.DeploymentGroupController do
   defp maybe_active_from_state(params), do: params
 
   defp maybe_firmware_id(%{"firmware" => uuid} = params, product) do
-    with {:ok, firmware} <- Firmwares.get_firmware_by_product_and_uuid(product, uuid) do
-      Map.put(params, "firmware_id", firmware.id)
+    case Firmwares.get_firmware_by_product_and_uuid(product, uuid) do
+      {:ok, firmware} ->
+        Map.put(params, "firmware_id", firmware.id)
+
+      _ ->
+        params
     end
   end
 
diff --git a/lib/nerves_hub_web/controllers/api/firmware_controller.ex b/lib/nerves_hub_web/controllers/api/firmware_controller.ex
@@ -23,11 +23,9 @@ defmodule NervesHubWeb.API.FirmwareController do
   operation(:create, summary: "Upload a Firmware for a Product")
 
   def create(%{assigns: %{org: org, product: product}} = conn, params) do
-    params = whitelist(params, [:firmware])
-
     Logger.info("System Memory:" <> inspect(:memsup.get_system_memory_data()))
 
-    with {%{path: filepath}, _params} <- Map.pop(params, :firmware),
+    with {%{path: filepath}, _params} <- Map.pop(params, "firmware"),
          {:ok, firmware} <- Firmwares.create_firmware(org, filepath) do
       firmware = Repo.preload(firmware, :product)
 
diff --git a/lib/nerves_hub_web/live/orgs/new.ex b/lib/nerves_hub_web/live/orgs/new.ex
@@ -15,9 +15,9 @@ defmodule NervesHubWeb.Live.Orgs.New do
   end
 
   def handle_event("save_org", %{"org" => org_params}, socket) do
-    params = org_params |> whitelist([:name])
-
-    case Accounts.create_org(socket.assigns.user, params) do
+    socket.assigns.user
+    |> Accounts.create_org(org_params)
+    |> case do
       {:ok, org} ->
         {:noreply,
          socket
