Class: RuboCop::Cop::DevDoc::Route::ResourcesRequireOnly
- Inherits: Base
  - Object
  - Base
  - RuboCop::Cop::DevDoc::Route::ResourcesRequireOnly
- Defined in: lib/rubocop/cop/dev_doc/route/resources_require_only.rb
Overview
Always use only: for resources / resource in routes.rb.
Rationale
When defining routes in routes.rb, it is important to explicitly
specify the desired actions using the only option. This helps
prevent accidentally exposing actions that should not be accessible
— leaving the default opens the full RESTful set, which often
exposes routes the application has no controller action for, or
routes that probably should be locked down.
only: is preferred over except: because it is explicit about
what is exposed. except: exposes everything not in the list,
which is easier to misread when the action set changes.
Set RequireOnly: false to accept both only: and except:.
✔️
resources :job_applications, only: [:index, :new, :create]
Constant Summary
- MSG =
'Specify `only:` or `except:` for `%<method>s :%<name>s` to avoid exposing unintended actions.'.freeze
- MSG_REQUIRE_ONLY =
'Specify `only:` for `%<method>s :%<name>s` ' \
'(`except:` is allowed only with `RequireOnly: false`).'.freeze
- RESTRICT_ON_SEND =
%i[resources resource].freeze
Instance Method Summary
Instance Method Details
#on_send(node) ⇒ Object
    # File 'lib/rubocop/cop/dev_doc/route/resources_require_only.rb', line 45

    def on_send(node)
      has_only = key_present?(node, :only)
      has_except = key_present?(node, :except)
      # An explicit only: always passes.
      return if has_only
      # except: passes only when RequireOnly: false is configured.
      return if has_except && !require_only?

      # Fall back to '?' when the call has no first argument.
      name = node.first_argument&.value || '?'
      msg = has_except && require_only? ? MSG_REQUIRE_ONLY : MSG
      add_offense(node.loc.selector,
                  message: format(msg, method: node.method_name, name: name))
    end
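The exposure described in the Rationale, as an added example that is not part of the cop's source: a stand-in for the Rails route DSL that records each resources / resource declaration, lists the actions it would route, and applies the same pass/fail decision as on_send above. Decl, RouteRecorder, audit and SAMPLE are hypothetical names, the sample routes are constructed, and the default action sets are the standard Rails ones.

```ruby
PLURAL   = %i[index new create show edit update destroy].freeze
SINGULAR = (PLURAL - %i[index]).freeze # singular resource has no index

Decl = Struct.new(:kind, :name, :opts) do
  # Actions Rails would route for this declaration.
  def exposed
    all = kind == :resources ? PLURAL : SINGULAR
    return all & Array(opts[:only]) if opts.key?(:only)

    all - Array(opts[:except])
  end

  # Same decision as on_send: only: always passes, except: passes
  # only when RequireOnly is false, anything else is an offense.
  def offense?(require_only: true)
    return false if opts.key?(:only)

    !(opts.key?(:except) && !require_only)
  end
end

# Hypothetical recorder standing in for the routes.rb DSL.
class RouteRecorder
  attr_reader :decls

  def initialize
    @decls = []
  end

  %i[resources resource].each do |kind|
    define_method(kind) do |name, **opts, &block|
      @decls << Decl.new(kind, name, opts)
      instance_eval(&block) if block # nested declarations are recorded too
    end
  end
end

# Returns [name, exposed actions, offense?] for every declaration.
def audit(require_only: true, &routes)
  rec = RouteRecorder.new
  rec.instance_eval(&routes)
  rec.decls.map { |d| [d.name, d.exposed, d.offense?(require_only: require_only)] }
end

# Constructed sample routes.
SAMPLE = proc do
  resources :job_applications, only: [:index, :new, :create]
  resources :invoices
  resource :profile, except: [:destroy]
end
```

Calling audit(&SAMPLE) shows the unrestricted resources :invoices routing all seven actions, while the except: declaration is flagged only under the default RequireOnly setting.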