Don't allow image_list in create project endpoint

floehopper · floehopper · commit 0148d94fcedf · 2024-04-16T15:36:44.000+01:00
This fixes a problem that was introduced in this commit [1]. The call to `skip_load_resource only: :create` was removed which meant that the call to `load_and_authorize_resource` triggered an attempt to instantiate a `Project` model using the params identified by CanCanCan. This included the `image_list` param which did not exist as an attribute on a `Project` and thus resulted in the following exception: ActiveModel::UnknownAttributeError: unknown attribute 'image_list' for Project. I did initially look at fixing the problem while maintaining the ability to pass the `image_list` into `Project::Create#call`. However, the functionality in `Project::Create#build_project` which loops through the `image_list` was not previously tested and I can't really see that it ever worked. Furthermore, @sra405 has pointed out that we're not currently allowing users to add their own images to a project for safeguarding reasons and so I thought it made more sense to fix the problem by removing support for `image_list` from the create project endpoint for now until we actually need it. /cc @loiswells97 Removing the `image_list` param from the permitted params in `Api::ProjectsController#base_params` should mean it is never included in the params supplied to either CanCanCan's `load_and_authorize_resource` method or to `Project::Create#call`, although it will mean that a warning will appear in the logs. So ideally we'd remove it from the params being supplied by the UI. Note that the images from the projects in the `raspberrypilearning` GitHub organisation [2] are added to a project using a different mechanism and so should not be affected by this change. [1]: 39f45f7
diff --git a/app/controllers/api/projects_controller.rb b/app/controllers/api/projects_controller.rb
@@ -84,7 +84,6 @@ def base_params
         :project_type,
         :locale,
         {
-          image_list: [],
           components: %i[id name extension content index default]
         }
       )
diff --git a/lib/concepts/project/operations/create.rb b/lib/concepts/project/operations/create.rb
@@ -18,13 +18,8 @@ def call(project_hash:)
 
       def build_project(project_hash)
         identifier = PhraseIdentifier.generate
-        new_project = Project.new(project_hash.except(:components, :image_list).merge(identifier:))
+        new_project = Project.new(project_hash.except(:components).merge(identifier:))
         new_project.components.build(project_hash[:components])
-
-        (project_hash[:image_list] || []).each do |image|
-          new_project.images.attach(image.blob)
-        end
-
         new_project
       end
     end
diff --git a/spec/concepts/project/create_spec.rb b/spec/concepts/project/create_spec.rb
@@ -27,7 +27,6 @@
             content: 'print("hello world")',
             default: true
           }],
-          image_list: [],
           user_id:
         }
       end

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,6 @@ def base_params`
`84`	`84`	`:project_type,`
`85`	`85`	`:locale,`
`86`	`86`	`{`
`87`		`- image_list: [],`
`88`	`87`	`components: %i[id name extension content index default]`
`89`	`88`	`}`
`90`	`89`	`)`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,6 @@`
`27`	`27`	`content: 'print("hello world")',`
`28`	`28`	`default: true`
`29`	`29`	`}],`
`30`		`- image_list: [],`
`31`	`30`	`user_id:`
`32`	`31`	`}`
`33`	`32`	`end`