Although it wasn't a real security concern because we were only calling a `find` method based on the user input, it's a good practice to avoid using constants based on user parameters. Since we don't use the `find` method anymore but we still need to check the associated record exists, we're changing the `followable` validation in the `Follow` model to do exactly that.
28 lines
779 B
Ruby
class FollowsController < ApplicationController
  before_action :authenticate_user!
  load_and_authorize_resource

  def create
    @follow = current_user.follows.create!(follow_params)
    flash.now[:notice] = t("shared.followable.#{followable_translation_key(@follow.followable)}.create.notice")
    render :refresh_follow_button
  end

  def destroy
    @follow = Follow.find(params[:id])
    @follow.destroy!
    flash.now[:notice] = t("shared.followable.#{followable_translation_key(@follow.followable)}.destroy.notice")
    render :refresh_follow_button
  end

  private

    def follow_params
      params.permit(:followable_type, :followable_id)
    end

    def followable_translation_key(followable)
      followable.class.name.parameterize(separator: "_")
    end
end
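Added example, not the project's code: a plain-Ruby sketch of the change the commit describes, showing the constant-from-params lookup next to a `Follow` that resolves its target through an allowlist and whose `valid?` checks the associated record exists. The `Proposal` and `Debate` stand-in classes, `FOLLOWABLE_TYPES`, and the error messages are assumptions standing in for the real ActiveRecord models and validation.

```ruby
# Constructed in-memory stand-ins for the ActiveRecord models a Follow can
# point at (proposals and debates); ids present in RECORDS "exist".
class Proposal
  RECORDS = { 1 => "A proposal" }.freeze
  def self.find_by(id:); RECORDS.key?(id) ? new : nil; end
end

class Debate
  RECORDS = { 7 => "A debate" }.freeze
  def self.find_by(id:); RECORDS.key?(id) ? new : nil; end
end

# The pattern the commit moves away from: the receiver class is derived
# directly from a request parameter, so any loadable constant is a candidate.
def followable_from_constant(params)
  Object.const_get(params["followable_type"]).find_by(id: params["followable_id"])
end

# Hardened version: an explicit allowlist of followable classes, plus a
# model-level validation that the referenced record actually exists.
FOLLOWABLE_TYPES = { "Proposal" => Proposal, "Debate" => Debate }.freeze

class Follow
  attr_reader :followable_type, :followable_id, :errors

  def initialize(followable_type:, followable_id:)
    @followable_type = followable_type.to_s
    @followable_id = Integer(followable_id, exception: false) # nil if not an integer
    @errors = []
  end

  # Resolves through the allowlist only; unknown types yield nil, never a constant lookup.
  def followable
    klass = FOLLOWABLE_TYPES[followable_type]
    klass && followable_id ? klass.find_by(id: followable_id) : nil
  end

  # Mirrors a `followable` validation: the type must be allowed and the record must exist.
  def valid?
    @errors = []
    if FOLLOWABLE_TYPES.key?(followable_type)
      @errors << "followable does not exist" if followable.nil?
    else
      @errors << "followable_type is not allowed"
    end
    @errors.empty?
  end
end
```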