Closed Mr0grog closed 1 year ago
Thinking about this some more, it might still make sense to allow `include_change_from_*` for `#show`. We could do this by changing `block_params_for_public_users` to take a first argument indicating which methods:
```ruby
# First argument indicates which methods:
block_params_for_public_users :all, [:bad, :params]
block_params_for_public_users [:index, :sampled], [:other, :bad, :params]

# Or as a hash (parenthesized so Ruby does not parse the braces as a block):
block_params_for_public_users({
  :all => [:bad, :params],
  [:index, :sampled] => [:other, :bad, :params]
})

# Or just provide a method to use with `before_action`:
before_action do
  block_params_for_public_users [:bad, :params]
end
before_action(only: [:index, :sampled]) do
  block_params_for_public_users [:other, :bad, :params]
end
```
This now covers all controllers, and therefore fixes #1070.
I also wound up going with a slightly different, more explicit style:
```ruby
block_params_for_public_users actions: :all,
                              params: [:source_metadata, :status]
block_params_for_public_users actions: [:index, :sampled],
                              params: [
                                :include_change_from_previous,
                                :include_change_from_earliest
                              ]
```
Some parameters for the various `/versions` collections cause expensive queries, so they are disallowed for public, non-logged-in usage. Solves part of #1070.
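
A plain-Ruby sketch of how a class-level declaration in the explicit `actions:`/`params:` style could be enforced per action, added here as an illustration and not the project's implementation. `PublicParamBlocking`, `blocked_params_for`, `check_params!` and `BlockedParamError` are hypothetical names, and no Rails is assumed.

```ruby
# Added illustration, not the project's code. Names other than
# block_params_for_public_users and the parameter names are hypothetical.
require 'set'

class BlockedParamError < StandardError; end

module PublicParamBlocking
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Rules are inherited: a subclass sees its parent's rules plus its own.
    def blocked_param_rules
      parent = superclass.respond_to?(:blocked_param_rules) ? superclass.blocked_param_rules : []
      parent + (@blocked_param_rules ||= [])
    end

    # actions: :all or a list of action names; params: parameter names to refuse.
    def block_params_for_public_users(actions:, params:)
      scope = actions == :all ? :all : Array(actions).map(&:to_sym).to_set
      (@blocked_param_rules ||= []) << [scope, Array(params).map(&:to_s).to_set]
    end

    # Union of every rule that applies to the given action.
    def blocked_params_for(action)
      blocked_param_rules
        .select { |scope, _| scope == :all || scope.include?(action.to_sym) }
        .reduce(Set.new) { |acc, (_, names)| acc | names }
    end
  end

  # Returns true when the request may proceed; raises for a public
  # (not logged-in) request that carries a blocked parameter.
  def check_params!(action, params, logged_in:)
    return true if logged_in
    bad = params.keys.map(&:to_s) & self.class.blocked_params_for(action).to_a
    raise BlockedParamError, "Log in to use: #{bad.join(', ')}" unless bad.empty?
    true
  end
end

class VersionsController
  include PublicParamBlocking
  block_params_for_public_users actions: :all, params: [:source_metadata, :status]
  block_params_for_public_users actions: [:index, :sampled],
                                params: [:include_change_from_previous, :include_change_from_earliest]
end
```

Keys are normalized to strings before comparison, so a blocked name is caught whether the request hash uses string or symbol keys, and `#show` keeps accepting `include_change_from_*` because those rules are scoped to `index` and `sampled` only.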