From b6ed11471e024001c3264f2f230804d740428f0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?= <javim@elretirao.net>
Date: Mon, 6 Feb 2023 14:30:44 +0100
Subject: [PATCH] Simplify investment params filters in valuation

We weren't allowing the `budget_id` parameter and then we were adding it
manually. We were also allowing other parameters that aren't used in the
valuation section.

So we're allowing budget and heading, which are the only parameter we're
offering filters for in the user interface. Note the `budget_id`
parameter doesn't seem to make sense because we're already inside a
`@budget.investments` statement, but the `budget_id` parameter is
required by the `scoped_filter` method.
---
 app/controllers/valuation/budget_investments_controller.rb | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/app/controllers/valuation/budget_investments_controller.rb b/app/controllers/valuation/budget_investments_controller.rb
index 37f891617..6ebb4dd94 100644
--- a/app/controllers/valuation/budget_investments_controller.rb
+++ b/app/controllers/valuation/budget_investments_controller.rb
@@ -18,7 +18,7 @@ class Valuation::BudgetInvestmentsController < Valuation::BaseController
     @heading_filters = heading_filters
     @investments = if current_user.valuator? && @budget.present?
                      @budget.investments.visible_to_valuator(current_user.valuator)
-                            .scoped_filter(filtered_params, @current_filter)
+                            .scoped_filter(params.permit(:budget_id, :heading_id), @current_filter)
                             .order(cached_votes_up: :desc)
                             .page(params[:page])
                    else
@@ -93,10 +93,6 @@ class Valuation::BudgetInvestmentsController < Valuation::BaseController
       end
     end
 
-    def filtered_params
-      Budget::Investment.filter_params(params).to_h.except(:valuator_id).merge(budget_id: @budget.id)
-    end
-
     def valuation_params
       params.require(:budget_investment).permit(allowed_params)
     end