From d5e44d897ceb78acdd14cbf009942c98a4bd0ac2 Mon Sep 17 00:00:00 2001
From: Anita Graham <anita@joli.com.au>
Date: Sat, 12 Mar 2016 21:40:36 +0800
Subject: [PATCH] Add Permitted Parameters code

---
 ...ection to an extension using PageImages.md | 56 +++++++++++++++++--
 ...n to an extension using PageImages.textile | 54 +++++++++++++++++-
 2 files changed, 103 insertions(+), 7 deletions(-)

diff --git a/doc/guides/4 - Refinery Extensions/9 - Adding an image collection to an extension using PageImages.md b/doc/guides/4 - Refinery Extensions/9 - Adding an image collection to an extension using PageImages.md
index e2a7f95226..6d404029c4 100644
--- a/doc/guides/4 - Refinery Extensions/9 - Adding an image collection to an extension using PageImages.md	
+++ b/doc/guides/4 - Refinery Extensions/9 - Adding an image collection to an extension using PageImages.md	
@@ -1,6 +1,6 @@
 # Adding Multiple Images to your Model
 
-Refinery offers a generator which allows an engine/model to have fields which are single images. It doesn't supply anything out-of-the-box to allow a model to have a collection of images. 
+Refinery offers a generator which allows an engine/model to have fields which are single images. It doesn't supply anything out-of-the-box to allow a model to have a collection of images.
 
 However the extension *Refinerycms-page-images* implements an image collection for the *Refinery::Page* model which can be extended to other models.
 
@@ -10,7 +10,7 @@ However the extension *Refinerycms-page-images* implements an image collection f
 
 When you have completed these steps your model/engine you will be able to add and remove images from an instance of your model using the same tabbed interface used by Refinery::Pages.
 
-In a view you will have access to a collection of images (*@model.images*) or a collection of images with associated captions (*@model.images_with_captions*). 
+In a view you will have access to a collection of images (*@model.images*).
 
 ### Pre-requisites
 
@@ -33,7 +33,7 @@ Refinery::PageImages.configure do |config|
 end
 ````
 
-#####  Add page-images to your model 
+#####  Add page-images to your model
 
 ````Ruby
 #vendor/extensions/shows/app/models/refinery/shows/show.rb
@@ -110,7 +110,7 @@ end
 ````
 
 
-##### Finally modify the admin view
+##### Modify the admin view
 ````Ruby
 # vendor/extensions/shows/app/views/refinery/admin/_form.html.erb
 <%= form_for [refinery, :shows_admin, @show] do |f| -%>
@@ -153,4 +153,52 @@ end
              :delete_title => t('delete', :scope => 'refinery.shows.admin.shows.show'),
              :delete_confirmation => t('message', :scope => 'refinery.admin.delete', :title => @show.title) -%>
 <% end -%>
+````
+
+##### Add strong parameters for the new fields
+
+Part 1. Write a decorator.
+
+````Ruby
+#vendor/extensions/shows/app/decorators/controllers/refinery/admin/shows_controller_decorator.rb
+module RefineryPageImagesShowsControllerDecorator
+    def permitted_show_params
+      # Hand the case where all images have been deleted
+      params[:show][:images_attributes]={} if params[:show][:images_attributes].nil?
+      super <<  [images_attributes: [:id, :caption, :image_page_id]]
+    end
+  end
+
+Refinery::Shows::Admin::ShowsController.send :prepend, RefineryPageImagesShowsControllerDecorator
+````
+
+Part 2. Modify the ShowsController (if required)
+
+Some `ModelsControllers` will require this update. It doesn't change the controller itself, but makes it easier to extend the initial list of permitted fields.
+
+````Ruby
+#vendor/extensions/shows/app/controllers/refinery/shows/admin/shows_controller.rb
+module Refinery
+  module Shows
+    module Admin
+      class ShowsController < ::Refinery::AdminController
+
+        crudify :'refinery/shows/show'
+
+        def show_params
+          params.require(:show).permit(permitted_show_params)
+        end
+
+       # private
+
+        # Only allow a trusted parameter "white list" through.
+        def permitted_show_params
+          [:title, :blurb]
+        end
+
+      end
+    end
+  end
+end
+
 ````
\ No newline at end of file
diff --git a/doc/guides/4 - Refinery Extensions/9 - Adding an image collection to an extension using PageImages.textile b/doc/guides/4 - Refinery Extensions/9 - Adding an image collection to an extension using PageImages.textile
index e6ecd7842c..766a124084 100644
--- a/doc/guides/4 - Refinery Extensions/9 - Adding an image collection to an extension using PageImages.textile	
+++ b/doc/guides/4 - Refinery Extensions/9 - Adding an image collection to an extension using PageImages.textile	
@@ -12,7 +12,7 @@ h2. What you get
 
 When you have completed these steps your model/engine you will be able to add and remove images from an instance of your model using the same tabbed interface used by Refinery::Pages.
 
-In a view you will have access to a collection of images ("@model.images") or a collection of images with associated captions ("@model.images_with_captions"). 
+In a view you will have access to a collection of images ("@model.images").
 
 h3. Pre-requisites
 
@@ -109,7 +109,7 @@ module Refinery
 end
 
 
-h5.  Finally modify the admin view
+h5. Modify the admin view
 
 bc..
 #vendor/extensions/shows/app/views/refinery/admin/_form.html.erb
@@ -152,4 +152,52 @@ bc..
              :continue_editing => false,
              :delete_title => t('delete', :scope => 'refinery.shows.admin.shows.show'),
              :delete_confirmation => t('message', :scope => 'refinery.admin.delete', :title => @show.title) -%>
-<% end -%>
\ No newline at end of file
+<% end -%>
+
+##### Add strong parameters for the new fields
+
+Part 1. Write a decorator.
+
+bc..
+#vendor/extensions/shows/app/decorators/controllers/refinery/admin/shows_controller_decorator.rb
+module RefineryPageImagesShowsControllerDecorator
+    def permitted_show_params
+      # Hand the case where all images have been deleted
+      params[:show][:images_attributes]={} if params[:show][:images_attributes].nil?
+      super <<  [images_attributes: [:id, :caption, :image_page_id]]
+    end
+  end
+
+Refinery::Shows::Admin::ShowsController.send :prepend, RefineryPageImagesShowsControllerDecorator
+
+
+Part 2. Tell the Controller to Permit the new parameters it must handle
+
+Some ModelsControllers will require this update. It doesn't change the controller itself, but makes it easier to extend the initial list of permitted fields. Later versions of Refinery may generate this automatically.
+
+bc..
+#vendor/extensions/shows/app/controllers/refinery/shows/admin/shows_controller.rb
+module Refinery
+  module Shows
+    module Admin
+      class ShowsController < ::Refinery::AdminController
+
+        crudify :'refinery/shows/show'
+
+        def show_params
+          params.require(:show).permit(permitted_show_params)
+        end
+
+       # private
+
+        # Only allow a trusted parameter "white list" through.
+        def permitted_show_params
+          [:title, :blurb]
+        end
+
+      end
+    end
+  end
+end
+
+