From 1179de496174494bedcaf859ed9e491d54b31398 Mon Sep 17 00:00:00 2001
From: Muhammad Rafif Elfazri <rafif.elfazri@gmail.com>
Date: Fri, 19 Feb 2021 14:22:43 +0700
Subject: [PATCH] Unallowed update API to update points
---
 lib/diskuy_web/controllers/post_controller.ex | 3 ++-
 lib/diskuy_web/controllers/thread_controller.ex | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/diskuy_web/controllers/post_controller.ex b/lib/diskuy_web/controllers/post_controller.ex
index c41f03b..76bc663 100644
--- a/lib/diskuy_web/controllers/post_controller.ex
+++ b/lib/diskuy_web/controllers/post_controller.ex
@@ -32,8 +32,9 @@ defmodule DiskuyWeb.PostController do
 def update(conn, %{"id" => id, "post" => post_params}) do
 current_user = Guardian.Plug.current_resource(conn)
 post = Forum.get_post!(id)
+ new_post_params = post_params |> Map.drop(["id", "points", "user_id", "thread_id"])
 with {:ok, :authorized} <- Guardian.check_authorized(current_user, post.user_id),
- {:ok, %Post{} = post} <- Forum.update_post(post, post_params) do
+ {:ok, %Post{} = post} <- Forum.update_post(post, new_post_params) do
 render(conn, "show.json", post: post)
 end
 end
diff --git a/lib/diskuy_web/controllers/thread_controller.ex b/lib/diskuy_web/controllers/thread_controller.ex
index ea0bbb2..9ba486f 100644
--- a/lib/diskuy_web/controllers/thread_controller.ex
+++ b/lib/diskuy_web/controllers/thread_controller.ex
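Review bot: The new `Map.drop(["id", "points", "user_id", "thread_id"])` in `PostController.update` is a denylist, so any server-managed field that is not named in it, or that is added to the schema later, stays writable through the update API; the same applies to the `Map.drop` line in the `ThreadController.update` hunk. An allowlist fails closed instead: `new_post_params = Map.take(post_params, @updatable_fields)`, where `@updatable_fields` is a module attribute listing only the string keys a user may edit (the editable field names are not visible in this hunk, so that list is a placeholder). Whether `Forum.update_post/2` already restricts the fields it casts cannot be seen from here.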
@@ -32,8 +32,9 @@ defmodule DiskuyWeb.ThreadController do
 def update(conn, %{"id" => id, "thread" => thread_params}) do
 current_user = Guardian.Plug.current_resource(conn)
 thread = Forum.get_thread!(id)
+ new_thread_params = thread_params |> Map.drop(["id", "points", "user_id", "topic_id"])
 with {:ok, :authorized} <- Guardian.check_authorized(current_user, thread.user_id),
- {:ok, %Thread{} = thread} <- Forum.update_thread(thread, thread_params) do
+ {:ok, %Thread{} = thread} <- Forum.update_thread(thread, new_thread_params) do
 render(conn, "show.json", thread: thread)
 end
 end
-- GitLab
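Review bot: Filtering `thread_params` only in the controller leaves `Forum.update_thread/2` itself accepting `points`, `user_id` and `topic_id` from any other caller, because the context function still receives whatever map it is handed; the same holds for `Forum.update_post/2` in the first hunk. The changeset is outside this diff, but if it casts these fields, an update-specific changeset that casts only user-editable fields would enforce the rule in one place rather than per controller action. The diffstat lists only the two controller files, so a controller test that sends `"points"` in the update body and asserts the stored value is unchanged would pin this fix against regression.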