From da67dca14b926f09a64a2dc40777105393f572cb Mon Sep 17 00:00:00 2001
From: Robert Schilling <rschilling@student.tugraz.at>
Date: Thu, 23 Feb 2017 14:21:03 +0100
Subject: Use grape to validate parameters in the members API

---
 lib/api/members.rb    | 7 +++----
 lib/api/v3/members.rb | 7 +++----
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/lib/api/members.rb b/lib/api/members.rb
index d1d78775c6d..8360c007005 100644
--- a/lib/api/members.rb
+++ b/lib/api/members.rb
@@ -79,13 +79,12 @@ module API
           optional :expires_at, type: DateTime, desc: 'Date string in the format YEAR-MONTH-DAY'
         end
         put ":id/members/:user_id" do
-          source = find_source(source_type, params[:id])
+          source = find_source(source_type, params.delete(:id))
           authorize_admin_source!(source_type, source)
 
-          member = source.members.find_by!(user_id: params[:user_id])
-          attrs = attributes_for_keys [:access_level, :expires_at]
+          member = source.members.find_by!(user_id: params.delete(:user_id))
 
-          if member.update_attributes(attrs)
+          if member.update_attributes(declared_params(include_missing: false))
             present member.user, with: Entities::Member, member: member
           else
             # This is to ensure back-compatibility but 400 behavior should be used
diff --git a/lib/api/v3/members.rb b/lib/api/v3/members.rb
index 4e6cb2e3c52..19f276d5484 100644
--- a/lib/api/v3/members.rb
+++ b/lib/api/v3/members.rb
@@ -86,13 +86,12 @@ module API
             optional :expires_at, type: DateTime, desc: 'Date string in the format YEAR-MONTH-DAY'
           end
           put ":id/members/:user_id" do
-            source = find_source(source_type, params[:id])
+            source = find_source(source_type, params.delete(:id))
             authorize_admin_source!(source_type, source)
 
-            member = source.members.find_by!(user_id: params[:user_id])
-            attrs = attributes_for_keys [:access_level, :expires_at]
+            member = source.members.find_by!(user_id: params.delete(:user_id))
 
-            if member.update_attributes(attrs)
+            if member.update_attributes(declared_params(include_missing: false))
               present member.user, with: ::API::Entities::Member, member: member
             else
               # This is to ensure back-compatibility but 400 behavior should be used
-- 
cgit v1.2.1