From bddb589fa3198f6acf36bcb7638a91770430aa19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Mizi=C5=84ski?=
Date: Fri, 12 Jan 2018 08:35:50 +0100
Subject: [PATCH 1/5] Fix sanitize_params method

---
 app/helpers/smart_listing/helper.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/helpers/smart_listing/helper.rb b/app/helpers/smart_listing/helper.rb
index f437b49..1f3d0d4 100644
--- a/app/helpers/smart_listing/helper.rb
+++ b/app/helpers/smart_listing/helper.rb
@@ -181,7 +181,10 @@ def max_count?
 private

 def sanitize_params params
- params = params.permit! if params.respond_to?(:permit!)
+ allowed_parameters = @smart_listing.options[:param_names].values
+ sort_key = {sort: params["#{@smart_listing.name}_smart_listing"][:sort].keys[0]}
+ allowed_parameters << sort_key if sort_key
+ params = params.permit("#{@smart_listing.name}_smart_listing": allowed_parameters)
 params.merge(UNSAFE_PARAMS)
 end

From aa4792cd01a7effeba7fa494508e82f5dc2251e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Mizi=C5=84ski?=
Date: Wed, 24 Jan 2018 13:06:23 +0100
Subject: [PATCH 2/5] Fix strong params issue

---
 README.md | 3 ++-
 app/helpers/smart_listing/helper.rb | 12 ++----------
 lib/smart_listing.rb | 12 ++++++++++--
 3 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index dcfba79..8274469 100644
--- a/README.md
+++ b/README.md
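Review bot: `sort_key = {sort: params["#{@smart_listing.name}_smart_listing"][:sort].keys[0]}` dereferences nil on any request that carries no `<name>_smart_listing[sort]` hash — a first page load or a per-page click — so the helper raises NoMethodError exactly where the old `permit!` line did not, and the guard `allowed_parameters << sort_key if sort_key` never skips anything because a Hash literal is always truthy. A nil-safe lookup keeps the allowlist intent, e.g. `sort_key = params["#{@smart_listing.name}_smart_listing"].try(:[], :sort).try(:keys).try(:first)` followed by `allowed_parameters << {sort: sort_key} if sort_key`. `UNSAFE_PARAMS` here is a hash of nil values, so `params.merge(UNSAFE_PARAMS)` blanks those keys in generated links rather than removing them; a one-line comment saying so would spare the next reader the lookup.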
@@ -238,8 +238,9 @@ When form field changes its value, form is submitted and request is made. This n
 ```ruby
 users_scope = User.active.joins(:stats)
 users_scope = users_scope.like(params[:filter]) if params[:filter]
-@users = smart_listing_create :users, users_scope, partial: "users/listing"
+@users = smart_listing_create :users, users_scope, partial: "users/listing", custom_params: [:filter]
 ```
+__smart_listing >= x.x.x__: Important notice: above that version of smart_listing remember to pass __custom_params__ option to smart_listing_create method. Then, your __custom_params__ are permitted to satisfy the strong parameters.
 Then, JS view is rendered and your SmartListing updated. That's it!
diff --git a/app/helpers/smart_listing/helper.rb b/app/helpers/smart_listing/helper.rb
index 1f3d0d4..5089c49 100644
--- a/app/helpers/smart_listing/helper.rb
+++ b/app/helpers/smart_listing/helper.rb
@@ -78,7 +78,7 @@ def pagination_per_page_links options = {}

 def pagination_per_page_link page
 if @smart_listing.per_page.to_i != page
- url = @template.url_for(sanitize_params(@template.params.merge(@smart_listing.all_params(:per_page => page, :page => 1))))
+ url = @template.url_for(@smart_listing.params.merge(@smart_listing.all_params(:per_page => page, :page => 1)))
 end

 locals = {
@@ -100,7 +100,7 @@ def sortable title, attribute, options = {}

 locals = {
 :order => @smart_listing.sort_order(attribute),
- :url => @template.url_for(sanitize_params(@template.params.merge(@smart_listing.all_params(:sort => sort_params)))),
+ :url => @template.url_for(@smart_listing.params.merge(@smart_listing.all_params(:sort => sort_params))),
 :container_classes => [@template.smart_listing_config.classes(:sortable)],
 :attribute => attribute,
 :title => title
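Review bot: Both `url_for` call sites in this file now depend on `@smart_listing.params` having been filtered elsewhere (in `SmartListing::Base#setup`, per the lib/smart_listing.rb hunk of this same commit), but nothing in the helper tells a reader that, and `url_for` treats keys such as `:host`, `:protocol` and `:only_path` in the hash it receives as routing options rather than query parameters — so whatever survives that filter shapes the link itself, not just its query string. I would fold the duplicated expression into one private helper carrying that caveat, e.g. `# @smart_listing.params is pre-filtered in Base#setup; url_for reads :host/:protocol/:only_path from this hash as options`, `def listing_url(overrides)`, `@template.url_for(@smart_listing.params.merge(@smart_listing.all_params(overrides)))`, and call it as `listing_url(:per_page => page, :page => 1)` and `listing_url(:sort => sort_params)`. `pagination_per_page_link` and `sortable` both start before and end after their hunks.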
@@ -180,14 +180,6 @@ def max_count?

 private

- def sanitize_params params
- allowed_parameters = @smart_listing.options[:param_names].values
- sort_key = {sort: params["#{@smart_listing.name}_smart_listing"][:sort].keys[0]}
- allowed_parameters << sort_key if sort_key
- params = params.permit("#{@smart_listing.name}_smart_listing": allowed_parameters)
- params.merge(UNSAFE_PARAMS)
- end
-
 def default_locals
 {:smart_listing => @smart_listing, :builder => self}
 end
diff --git a/lib/smart_listing.rb b/lib/smart_listing.rb
index c7360f0..77e599a 100644
--- a/lib/smart_listing.rb
+++ b/lib/smart_listing.rb
@@ -21,7 +21,9 @@ def page_param(page)

 module SmartListing
 class Base
- attr_reader :name, :collection, :options, :per_page, :sort, :page, :partial, :count
+ attr_reader :name, :collection, :options, :per_page, :sort, :page, :partial, :count, :params
+ # Params that should not be visible in pagination links (pages, per-page, sorting, etc.)
+ UNSAFE_PARAMS = {:authenticity_token => nil, :utf8 => nil}

 def initialize name, collection, options = {}
 @name = name
@@ -45,7 +47,13 @@ def initialize name, collection, options = {}
 end

 def setup params, cookies
- @params = params
+ if params.respond_to?(:permit)
+ sort_key = params["#{@name}_smart_listing"].try(:[], :sort).try(:keys).try(:[], 0)
+ custom_params = @options[:custom_params]
+ @params = params.permit(:controller, :action, custom_params, "#{name}_smart_listing": [options[:param_names][:page], options[:param_names][:per_page], { "#{options[:param_names][:sort]}": sort_key }])
+ else
+ @params = params.merge(UNSAFE_PARAMS)
+ end
 @page = get_param :page
 @per_page = !get_param(:per_page) || get_param(:per_page).empty? ? (@options[:memorize_per_page] && get_param(:per_page, cookies).to_i > 0 ? get_param(:per_page, cookies).to_i : page_sizes.first) : get_param(:per_page).to_i

From 413cb7d4e74584b9586b70b262e689a894698cda Mon Sep 17 00:00:00 2001
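Review bot: In `setup`, `params.permit(:controller, :action, custom_params, "#{name}_smart_listing": [...])` is run against the entire request hash, so in an application configured with `config.action_controller.action_on_unpermitted_parameters = :raise` (the common development/test setting) every listing request carrying any parameter not named here — a filter the caller forgot to list in `custom_params`, or the `utf8`/`commit`/`authenticity_token` of a form-driven filter — fails with `ActionController::UnpermittedParameters`, and under `:log` it logs on every page view. Narrowing before permitting, e.g. `params.except(:utf8, :commit, :authenticity_token).permit(...)`, and stating in the README entry for `custom_params` that it must name every extra parameter, would make the failure mode explicit instead of environment-dependent. Two smaller points in the same lines: `.try(:[], 0)` permits only the first sort column, so a multi-column `sort` hash is silently truncated to one key, and the interpolated key mixes `@name` on one line with the bare `name` reader on the next. `setup` continues past the end of the hunk.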
From: =?UTF-8?q?Jakub=20Mizi=C5=84ski?=
Date: Tue, 30 Jan 2018 15:20:29 +0100
Subject: [PATCH 3/5] Dealing with Strong Params in Kaminari's way

---
 app/helpers/smart_listing/helper.rb | 4 +---
 lib/smart_listing.rb | 13 +++++--------
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/app/helpers/smart_listing/helper.rb b/app/helpers/smart_listing/helper.rb
index 5089c49..a6b833b 100644
--- a/app/helpers/smart_listing/helper.rb
+++ b/app/helpers/smart_listing/helper.rb
@@ -33,8 +33,6 @@ def _prefixes
 end

 class Builder
- # Params that should not be visible in pagination links (pages, per-page, sorting, etc.)
- UNSAFE_PARAMS = {:authenticity_token => nil, :utf8 => nil}

 class_attribute :smart_listing_helpers

@@ -48,7 +46,7 @@ def name

 def paginate options = {}
 if @smart_listing.collection.respond_to? :current_page
- @template.paginate @smart_listing.collection, {:remote => @smart_listing.remote?, :param_name => @smart_listing.param_name(:page), :params => UNSAFE_PARAMS}.merge(@smart_listing.kaminari_options)
+ @template.paginate @smart_listing.collection, {:remote => @smart_listing.remote?, :param_name => @smart_listing.param_name(:page)}.merge(@smart_listing.kaminari_options)
 end
 end

diff --git a/lib/smart_listing.rb b/lib/smart_listing.rb
index 77e599a..a2c4e5f 100644
--- a/lib/smart_listing.rb
+++ b/lib/smart_listing.rb
@@ -23,7 +23,7 @@ module SmartListing
 class Base
 attr_reader :name, :collection, :options, :per_page, :sort, :page, :partial, :count, :params
 # Params that should not be visible in pagination links (pages, per-page, sorting, etc.)
- UNSAFE_PARAMS = {:authenticity_token => nil, :utf8 => nil}
+ UNSAFE_PARAMS = [:authenticity_token, :commit, :utf8, :_method, :script_name].freeze

 def initialize name, collection, options = {}
 @name = name
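Review bot: `UNSAFE_PARAMS = [:authenticity_token, :commit, :utf8, :_method, :script_name].freeze` is a denylist applied to the raw request hash before the helper hands it to `url_for`, and `url_for` reads more than `:script_name` out of that hash as routing options: a request such as `?host=attacker.example` (likewise `protocol`, `port`, `subdomain`, `domain`, `only_path`, `anchor`) would, if nothing upstream strips it, turn every pagination and sort link on the page into an absolute URL pointing at the attacker's host, because the view-side `url_for` switches to a full URL as soon as `:host` is present in the options. I would extend the list to `UNSAFE_PARAMS = [:authenticity_token, :commit, :utf8, :_method, :script_name, :host, :protocol, :port, :subdomain, :domain, :only_path, :anchor].freeze`, or alternatively pass `:only_path => true` explicitly at the two `url_for` call sites in the helper, which is what the Kaminari helper this list is modelled on appears to do. The comment kept above the constant still describes the old nil-valued hash ("should not be visible"); it should now say these keys are removed from the hash outright.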
@@ -47,13 +47,10 @@ def initialize name, collection, options = {}
 end

 def setup params, cookies
- if params.respond_to?(:permit)
- sort_key = params["#{@name}_smart_listing"].try(:[], :sort).try(:keys).try(:[], 0)
- custom_params = @options[:custom_params]
- @params = params.permit(:controller, :action, custom_params, "#{name}_smart_listing": [options[:param_names][:page], options[:param_names][:per_page], { "#{options[:param_names][:sort]}": sort_key }])
- else
- @params = params.merge(UNSAFE_PARAMS)
- end
+ @params = params
+ @params = @params.to_unsafe_h if @params.respond_to?(:to_unsafe_h)
+ @params = @params.with_indifferent_access
+ @params.except!(*UNSAFE_PARAMS)
 @page = get_param :page
 @per_page = !get_param(:per_page) || get_param(:per_page).empty? ? (@options[:memorize_per_page] && get_param(:per_page, cookies).to_i > 0 ? get_param(:per_page, cookies).to_i : page_sizes.first) : get_param(:per_page).to_i

From 98b0eab8078749afe4e35a770d69c09610fb9dab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Mizi=C5=84ski?=
Date: Wed, 21 Feb 2018 07:40:52 +0100
Subject: [PATCH 4/5] Correct the Readme file

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8274469..3e87fed 100644
--- a/README.md
+++ b/README.md
@@ -238,7 +238,7 @@ When form field changes its value, form is submitted and request is made. This n
 ```ruby
 users_scope = User.active.joins(:stats)
 users_scope = users_scope.like(params[:filter]) if params[:filter]
-@users = smart_listing_create :users, users_scope, partial: "users/listing", custom_params: [:filter]
+@users = smart_listing_create :users, users_scope, partial: "users/listing"
 ```
 __smart_listing >= x.x.x__: Important notice: above that version of smart_listing remember to pass __custom_params__ option to smart_listing_create method. Then, your __custom_params__ are permitted to satisfy the strong parameters.

From c37e6a447456e358e03ec6822abc1e676e0cc945 Mon Sep 17 00:00:00 2001
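Review bot: `@params = @params.to_unsafe_h if @params.respond_to?(:to_unsafe_h)` intentionally opts out of strong parameters, and the unfiltered result is exposed through the class's `attr_reader :params` and consumed by the view helper to build links, yet the hunk leaves that decision undocumented. I would put the reasoning on the first line of the block: `# Deliberately bypass strong parameters: @params only feeds get_param and link generation (url_for), never model assignment.` followed by `# UNSAFE_PARAMS is the sole filter, so any top-level key not listed there is reproduced in pagination/sort URLs.`, so that nobody later reaches for `params` as a mass-assignment source. As far as I can tell `to_unsafe_h` and `with_indifferent_access` both return copies, so `except!` does not mutate the controller's own params hash — worth stating in the same comment once confirmed. `setup` continues past the end of the hunk.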
From: =?UTF-8?q?Jakub=20Mizi=C5=84ski?=
Date: Wed, 21 Feb 2018 13:46:09 +0100
Subject: [PATCH 5/5] Correct the Readme file

---
 README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/README.md b/README.md
index 3e87fed..dcfba79 100644
--- a/README.md
+++ b/README.md
@@ -240,7 +240,6 @@ users_scope = User.active.joins(:stats)
 users_scope = users_scope.like(params[:filter]) if params[:filter]
 @users = smart_listing_create :users, users_scope, partial: "users/listing"
 ```
-__smart_listing >= x.x.x__: Important notice: above that version of smart_listing remember to pass __custom_params__ option to smart_listing_create method. Then, your __custom_params__ are permitted to satisfy the strong parameters.
 Then, JS view is rendered and your SmartListing updated. That's it!