Commit d5b923d9 authored by Vitali Tatarintev's avatar Vitali Tatarintev

Do not pass forbidden params to NotifyService

NotifyService doesn't need to know about some service params
such as "controller" and "action"
parent 8ef2d715
......@@ -19,6 +19,8 @@ module Projects
private
FORBIDDEN_PARAMS = %w(controller action namespace_id project_id).freeze
def project_without_auth
@project ||= Project
.find_by_full_path("#{params[:namespace_id]}/#{params[:project_id]}")
......@@ -34,7 +36,7 @@ module Projects
def notify_service
Projects::Alerting::NotifyService
.new(project, current_user, params.permit!)
.new(project, current_user, permitted_params)
end
def response_status(result)
......@@ -47,6 +49,10 @@ module Projects
:ok
end
end
def permitted_params
params.reject! { |param| param.in?(FORBIDDEN_PARAMS) }.permit!
end
end
end
end
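Review bot: `permitted_params` (the new method at the end of this hunk) mutates the controller's `params` in place via `reject!`, so anything that reads `params[:namespace_id]` or `params[:project_id]` afterwards — `project_without_auth` in the first hunk does exactly that — would silently see nil; today this only works because `project` happens to be evaluated before `permitted_params` in the `NotifyService.new(project, current_user, permitted_params)` argument list. A non-mutating form removes that ordering dependency: `params.except(*FORBIDDEN_PARAMS).permit!`. Separately, this is a four-key denylist followed by a blanket `permit!`, so any other routing- or framework-synthesised key (e.g. `format`) still reaches the service; if the service only needs the alert payload fields, an explicit `permit(...)` allowlist would be the safer shape, though I cannot see the service's expected keys from here.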
......@@ -15,7 +15,7 @@ describe Projects::Alerting::NotificationsController do
end
def make_request(opts = {})
post :create, params: project_params, session: { as: :json }
post :create, params: project_params(opts), session: { as: :json }
end
context 'when feature flag is on' do
......@@ -24,11 +24,27 @@ describe Projects::Alerting::NotificationsController do
end
context 'when notification service succeeds' do
let(:payload) do
{
title: 'Alert title',
hosts: 'https://gitlab.com'
}
end
let(:permitted_params) { ActionController::Parameters.new(payload).permit! }
it 'responds with ok' do
make_request
expect(response).to have_gitlab_http_status(:ok)
end
it 'does not pass forbidden parameters to the notify service' do
make_request(payload)
expect(Projects::Alerting::NotifyService)
.to have_received(:new)
.with(project, nil, permitted_params)
end
end
context 'when notification service fails' do
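Review bot: In `make_request`, `session: { as: :json }` looks like the `as: :json` request-format option of the `post` helper placed inside the session hash; as written it just stores a session key named `as` and the request is sent form-encoded, so the controller is not exercised with a JSON body, which is presumably what an alert endpoint receives. If JSON is intended, the usual form is `post :create, params: project_params(opts), as: :json`. The new `does not pass forbidden parameters` example also depends on `NotifyService.new` having been stubbed with `allow(...).to receive(:new)` in an outer context that is not visible in this hunk; `have_received` raises if that stub is missing.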
......