filter workflow params

2026-06-14 03:30:14 +00:00 · 2025-03-01 21:27:22 +01:00
parent 6eac5926eb
commit 02c0481b3d
1 changed files with 7 additions and 1 deletions
@@ -57,7 +57,7 @@ class WorkflowsController < ApplicationController
  def update
    call = Workflows::BulkUpdateService
           .new(role: @role, type: @type)
-           .call(params["status"])
+           .call(permitted_status_params)

    if call.success?
      flash[:notice] = I18n.t(:notice_successful_update)
@@ -148,4 +148,10 @@ class WorkflowsController < ApplicationController
      roles
    end
  end
+
+  def permitted_status_params
+    params["status"]
+      .to_unsafe_h
+      .select { |key, value| /\A\d+\z/.match?(key) && /\A\d+\z/.match?(value) }
+  end
 end