From 26764d111a6a67b2ca09dd0e871a170d584fff5d Mon Sep 17 00:00:00 2001
From: Lodewiges
Date: Tue, 13 Jan 2026 01:02:18 +0100
Subject: [PATCH 1/3] Intial commit
---
 app/controllers/activities_controller.rb | 12 ++++++++----
 app/controllers/credit_mutations_controller.rb | 6 +++---
 app/controllers/invoices_controller.rb | 6 +++---
 app/controllers/orders_controller.rb | 13 ++++++-------
 app/controllers/price_lists_controller.rb | 8 ++++----
 app/controllers/products_controller.rb | 10 ++++------
 app/controllers/sofia_accounts_controller.rb | 6 +++---
 app/controllers/users_controller.rb | 11 +++++------
 app/policies/activity_policy.rb | 8 ++++++++
 app/policies/application_policy.rb | 4 ++++
 app/policies/credit_mutation_policy.rb | 4 ++++
 app/policies/invoice_policy.rb | 7 +++++++
 app/policies/order_policy.rb | 12 ++++++++++++
 app/policies/price_list_policy.rb | 4 ++++
 app/policies/product_policy.rb | 7 +++++++
 app/policies/sofia_account_policy.rb | 4 ++++
 app/policies/user_policy.rb | 14 ++++++++++++++
 17 files changed, 100 insertions(+), 36 deletions(-)
diff --git a/app/controllers/activities_controller.rb b/app/controllers/activities_controller.rb
index 6fa3c8684..338940fb5 100644
--- a/app/controllers/activities_controller.rb
+++ b/app/controllers/activities_controller.rb
@@ -45,7 +45,7 @@ def show # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
 end
 def create
- @activity = Activity.new(permitted_attributes.merge(created_by: current_user))
+ @activity = Activity.new(activity_params.merge(created_by: current_user))
 authorize @activity
 if @activity.save
@@ -61,7 +61,7 @@ def update
 @activity = Activity.find(params[:id])
 authorize @activity
- if @activity.update(params.require(:activity).permit(%i[title]))
+ if @activity.update(activity_params_for_update)
 flash[:success] = 'Activiteit hernoemd'
 else
 flash[:error] = "Activiteit hernoemen mislukt; #{@activity.errors.full_messages.join(', ')}"
@@ -177,7 +177,11 @@ def sorted_product_price(activity)
 activity.price_list.product_price.sort_by { |p| p.product.id }
 end
- def permitted_attributes
- params.require(:activity).permit(%i[title start_time end_time price_list_id])
+ def activity_params
+ params.require(:activity).permit(policy(Activity).permitted_attributes)
+ end
+
+ def activity_params_for_update
+ params.require(:activity).permit(policy(@activity).permitted_attributes_for_update)
 end
 end
diff --git a/app/controllers/credit_mutations_controller.rb b/app/controllers/credit_mutations_controller.rb
index 13d0f7d94..c0abd9a41 100644
--- a/app/controllers/credit_mutations_controller.rb
+++ b/app/controllers/credit_mutations_controller.rb
@@ -14,7 +14,7 @@ def index
 end
 def create # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
- @mutation = CreditMutation.new(permitted_attributes.merge(created_by: current_user))
+ @mutation = CreditMutation.new(credit_mutation_params.merge(created_by: current_user))
 authorize @mutation
 respond_to do |format|
@@ -40,7 +40,7 @@ def model_includes
 %i[user activity created_by]
 end
- def permitted_attributes
- params.require(:credit_mutation).permit(%i[description amount user_id activity_id])
+ def credit_mutation_params
+ params.require(:credit_mutation).permit(policy(CreditMutation).permitted_attributes)
 end
 end
diff --git a/app/controllers/invoices_controller.rb b/app/controllers/invoices_controller.rb
index b74ec4d28..a549fd9bc 100644
--- a/app/controllers/invoices_controller.rb
+++ b/app/controllers/invoices_controller.rb
@@ -27,7 +27,7 @@ def show
 end
 def create
- attributes = remove_empty(permitted_attributes.to_h)
+ attributes = remove_empty(invoice_params.to_h)
 @invoice = Invoice.new(attributes)
 authorize @invoice
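Review bot: Removing the private `permitted_attributes` method un-shadows Pundit's own controller helper `permitted_attributes(record, action = action_name)`, which already builds `params.require(<param_key>).permit(policy.permitted_attributes_for_<action>)` and falls back to `policy.permitted_attributes`; the new `activity_params_for_update` re-implements exactly that by hand. If this app includes Pundit's controller mixin (the `policy`/`authorize` calls suggest it does, though the class header is outside the hunk), `update` could call `permitted_attributes(@activity)` and this helper could go, keeping per-action list discovery in one place. Whichever form stays, both helpers deserve a one-line comment naming the owner of the whitelist, e.g. `# Mass-assignment whitelist is owned by ActivityPolicy; change it there, not here.`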
@@ -80,7 +80,7 @@ def invoice
 @invoice = Invoice.find_by!(token: params[:id])
 end
- def permitted_attributes
- params.require(:invoice).permit(%i[user_id activity_id name_override email_override rows], rows_attributes: %i[name amount price])
+ def invoice_params
+ params.require(:invoice).permit(policy(Invoice).permitted_attributes)
 end
 end
diff --git a/app/controllers/orders_controller.rb b/app/controllers/orders_controller.rb
index 29ef219bf..830b4ae8d 100644
--- a/app/controllers/orders_controller.rb
+++ b/app/controllers/orders_controller.rb
@@ -16,7 +16,7 @@ def index
 end
 def create # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
- @order = Order.new(permitted_attributes.merge(created_by: current_user))
+ @order = Order.new(order_params.merge(created_by: current_user))
 authorize @order
 current_credit = @order.user&.credit
@@ -43,7 +43,7 @@ def update
 authorize @order
- if @order.update(permitted_attributes_on_update)
+ if @order.update(order_params_for_update)
 render json: @order.to_json(proper_json)
 else
 render json: @order.errors, status: :unprocessable_content
@@ -83,13 +83,12 @@ def send_insufficient_credit_mail?(user, old_credit)
 user.provider.in?(%w[amber_oauth2 sofia_account]) && user.credit.negative? && old_credit.positive?
 end
- def permitted_attributes
- params.require(:order).permit(%i[user_id paid_with_cash paid_with_pin activity_id],
- order_rows_attributes: %i[id product_id product_count])
+ def order_params
+ params.require(:order).permit(policy(Order).permitted_attributes_for_create)
 end
- def permitted_attributes_on_update
- params.require(:order).permit(:id, order_rows_attributes: %i[id product_count])
+ def order_params_for_update
+ params.require(:order).permit(policy(@order).permitted_attributes_for_update)
 end
 def proper_json
diff --git a/app/controllers/price_lists_controller.rb b/app/controllers/price_lists_controller.rb
index 96aa43f2a..cf2f2d9d0 100644
--- a/app/controllers/price_lists_controller.rb
+++ b/app/controllers/price_lists_controller.rb
@@ -21,7 +21,7 @@ def index
 end
 def create
- @price_list = PriceList.new(permitted_attributes)
+ @price_list = PriceList.new(price_list_params)
 authorize @price_list
 if @price_list.save
@@ -36,7 +36,7 @@ def update
 @price_list = PriceList.find(params[:id])
 authorize @price_list
- if @price_list.update(permitted_attributes)
+ if @price_list.update(price_list_params)
 flash[:success] = 'Prijslijst opgeslagen'
 else
 flash[:error] = "Prijslijst wijzigen mislukt; #{@price_list.errors.full_messages.join(', ')}"
@@ -76,7 +76,7 @@ def unarchive
 private
- def permitted_attributes
- params.require(:price_list).permit(:name)
+ def price_list_params
+ params.require(:price_list).permit(policy(PriceList).permitted_attributes)
 end
 end
diff --git a/app/controllers/products_controller.rb b/app/controllers/products_controller.rb
index 0457dbd68..332224d9b 100644
--- a/app/controllers/products_controller.rb
+++ b/app/controllers/products_controller.rb
@@ -5,7 +5,7 @@ class ProductsController < ApplicationController
 after_action :verify_authorized
 def create
- @product = Product.new(permitted_attributes)
+ @product = Product.new(product_params)
 authorize @product
 if @product.save
@@ -18,7 +18,7 @@ def create
 def update
 authorize @product
- if @product.update(permitted_attributes)
+ if @product.update(product_params)
 render json: @product, include: json_includes, except: json_exludes, methods: :t_category
 else
 render json: @product.errors, status: :unprocessable_content
@@ -31,10 +31,8 @@ def set_model
 @product = Product.find(params[:id])
 end
- def permitted_attributes
- params.require(:product)
- .permit(%i[name category color requires_age id],
- product_prices_attributes: %i[id product_id price_list_id price _destroy])
+ def product_params
+ params.require(:product).permit(policy(Product).permitted_attributes)
 end
 def json_includes
diff --git a/app/controllers/sofia_accounts_controller.rb b/app/controllers/sofia_accounts_controller.rb
index c38ab988d..ec451239f 100644
--- a/app/controllers/sofia_accounts_controller.rb
+++ b/app/controllers/sofia_accounts_controller.rb
@@ -15,7 +15,7 @@ def create # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
 user = User.find_by(id: user_id)
 validate_user(user)
- sofia_account = SofiaAccount.new(permitted_attributes.merge(user_id:))
+ sofia_account = SofiaAccount.new(sofia_account_params.merge(user_id:))
 raise normalize_error_messages(sofia_account.errors.full_messages) unless sofia_account.save
 update_user_after_creation(user, sofia_account)
@@ -256,7 +256,7 @@ def update_user_after_creation(user, sofia_account) # rubocop:disable Metrics/Ab
 raise normalize_error_messages(user.errors.full_messages)
 end
- def permitted_attributes
- params.require(:sofia_account).permit(%i[username password password_confirmation])
+ def sofia_account_params
+ params.require(:sofia_account).permit(policy(SofiaAccount).permitted_attributes)
 end
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 603f168c6..24c074e90 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -72,7 +72,7 @@ def json
 end
 def create
- @user = User.new(permitted_attributes)
+ @user = User.new(user_params)
 authorize @user
 if @user.save
@@ -88,7 +88,7 @@ def update
 @user = User.find(params[:id])
 authorize @user
- if @user.update(params.require(:user).permit(%i[name email deactivated]))
+ if @user.update(params.require(:user).permit(policy(@user).permitted_attributes_for_update))
 flash[:success] = 'Gebruiker geupdate'
 else
 flash[:error] = "Gebruiker updaten mislukt; #{@user.errors.full_messages.join(', ')}"
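Review bot: The `update` action now hands `deactivated` (plus `name`/`email`) to anyone who passes `UserPolicy#update?`, exactly as the inline list it replaces did, whereas the sibling `update_with_sofia_account` path gates `name`/`deactivated` on `treasurer?`. Whether that asymmetry is intended cannot be seen here — `update?` is outside this hunk — but if it is anything broader than treasurer-only, a non-treasurer could deactivate an account through this action with the list now living in the policy as the authoritative whitelist. A comment on `UserPolicy#permitted_attributes_for_update` making the assumption explicit would prevent a later widening of `update?` from silently widening this too, e.g. `# Only reached via update?; assumes that check is treasurer-only.`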
@@ -140,8 +140,7 @@ def update_with_sofia_account # rubocop:disable Metrics/AbcSize, Metrics/MethodL
 end
 authorize @sofia_account
- if @user.update(params.require(:user).permit(%i[email sub_provider] + (current_user.treasurer? ? %i[name deactivated] : []),
- sofia_account_attributes: %i[id username]))
+ if @user.update(params.require(:user).permit(policy(@user).permitted_attributes_for_update_with_sofia_account))
 flash[:success] = 'Gegevens gewijzigd'
 else
 flash[:error] = "Gegevens wijzigen mislukt; #{@user.errors.full_messages.join(', ')}"
@@ -166,7 +165,7 @@ def find_or_create_user(user_json) # rubocop:disable Metrics/AbcSize, Metrics/Me
 u.save
 end
- def permitted_attributes
- params.require(:user).permit(%w[name email provider sub_provider])
+ def user_params
+ params.require(:user).permit(policy(User).permitted_attributes)
 end
 end
diff --git a/app/policies/activity_policy.rb b/app/policies/activity_policy.rb
index c92b4b72b..2847bd0ff 100644
--- a/app/policies/activity_policy.rb
+++ b/app/policies/activity_policy.rb
@@ -48,4 +48,12 @@ def orders?
 def credit_mutations?
 user&.treasurer?
 end
+
+ def permitted_attributes
+ %i[title start_time end_time price_list_id]
+ end
+
+ def permitted_attributes_for_update
+ %i[title]
+ end
 end
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index 91965a362..f17574d36 100644
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -38,6 +38,10 @@ def scope
 Pundit.policy_scope!(user, record.class)
 end
+
+ def permitted_attributes
+ []
+ end
+
 class Scope
 attr_reader :user, :scope
diff --git a/app/policies/credit_mutation_policy.rb b/app/policies/credit_mutation_policy.rb
index 60ab794dc..fbcc3a665 100644
--- a/app/policies/credit_mutation_policy.rb
+++ b/app/policies/credit_mutation_policy.rb
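Review bot: `ApplicationPolicy#permitted_attributes` returning `[]` means a policy that forgets to override it permits nothing, so a `permit(...)` built on it yields an empty hash and the request is silently ignored rather than rejected — a fail-closed default, which is the right choice for a mass-assignment whitelist, but one that should be documented so nobody "fixes" it by returning something broader. Suggest `# Fail closed: subclasses must opt in to mass-assignable attributes explicitly.` above the method. Note also that no default `permitted_attributes_for_update` is provided, so the controllers that call it directly (activities, orders, users) raise `NoMethodError` if their policy drops the override; that is arguably better than inheriting the create list, and worth stating in the same comment. The enclosing `ApplicationPolicy` class continues outside this hunk.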
@@ -16,4 +16,8 @@ def index?
 def create?
 user&.treasurer? || (user&.main_bartender? && record.activity.present?)
 end
+
+ def permitted_attributes
+ %i[description amount user_id activity_id]
+ end
 end
diff --git a/app/policies/invoice_policy.rb b/app/policies/invoice_policy.rb
index bbc1f1f13..4dcaa34c4 100644
--- a/app/policies/invoice_policy.rb
+++ b/app/policies/invoice_policy.rb
@@ -10,4 +10,11 @@ def send_invoice?
 def pay?
 show?
 end
+
+ def permitted_attributes
+ [
+ :user_id, :activity_id, :name_override, :email_override, :rows,
+ { rows_attributes: %i[name amount price] }
+ ]
+ end
 end
diff --git a/app/policies/order_policy.rb b/app/policies/order_policy.rb
index 31b5db26d..cf959fc4d 100644
--- a/app/policies/order_policy.rb
+++ b/app/policies/order_policy.rb
@@ -16,4 +16,16 @@ def index?
 def create?
 user&.treasurer? || user&.renting_manager? || user&.main_bartender?
 end
+
+ def permitted_attributes
+ %i[user_id paid_with_cash paid_with_pin activity_id]
+ end
+
+ def permitted_attributes_for_create
+ permitted_attributes + [order_rows_attributes: %i[id product_id product_count]]
+ end
+
+ def permitted_attributes_for_update
+ [:id, order_rows_attributes: %i[id product_count]]
+ end
 end
diff --git a/app/policies/price_list_policy.rb b/app/policies/price_list_policy.rb
index 545464094..cb74229de 100644
--- a/app/policies/price_list_policy.rb
+++ b/app/policies/price_list_policy.rb
@@ -36,4 +36,8 @@ def unarchive?
 def search?
 index?
 end
+
+ def permitted_attributes
+ %i[name]
+ end
 end
diff --git a/app/policies/product_policy.rb b/app/policies/product_policy.rb
index 185f9db42..3441bcbd2 100644
--- a/app/policies/product_policy.rb
+++ b/app/policies/product_policy.rb
@@ -6,4 +6,11 @@ def create?
 def update?
 create?
 end
+
+ def permitted_attributes
+ [
+ :name, :category, :color, :requires_age, :id,
+ { product_prices_attributes: %i[id product_id price_list_id price _destroy] }
+ ]
+ end
 end
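Review bot: `OrderPolicy#permitted_attributes_for_update` still whitelists a top-level `:id` next to the nested `order_rows_attributes`, carried over verbatim from the removed `permitted_attributes_on_update`. The order being updated is already a loaded record when the controller calls `@order.update(order_params_for_update)`, so a top-level `id` serves no purpose, and depending on how the model treats primary-key assignment it could let a client renumber the order; the nested `id` inside `order_rows_attributes` is the only one that is actually needed. Suggest `[{ order_rows_attributes: %i[id product_count] }]` plus a comment such as `# On update only row counts may change; rows cannot be added or re-pointed to another product.`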
diff --git a/app/policies/sofia_account_policy.rb b/app/policies/sofia_account_policy.rb
index 73172e93e..95fe15bf4 100644
--- a/app/policies/sofia_account_policy.rb
+++ b/app/policies/sofia_account_policy.rb
@@ -18,4 +18,8 @@ def enable_otp?
 def disable_otp?
 update?
 end
+
+ def permitted_attributes
+ %i[username password password_confirmation]
+ end
 end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 2cb35440e..8055d7b45 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -22,4 +22,18 @@ def activities?
 def update_with_sofia_account?
 record == user
 end
+
+ def permitted_attributes
+ %i[name email provider sub_provider]
+ end
+
+ def permitted_attributes_for_update
+ %i[name email deactivated]
+ end
+
+ def permitted_attributes_for_update_with_sofia_account
+ base = %i[email sub_provider]
+ base += %i[name deactivated] if user&.treasurer?
+ base + [{ sofia_account_attributes: %i[id username] }]
+ end
 end
From 8208c81de8cb80c78a78e5cb1c82bf0595495f7e Mon Sep 17 00:00:00 2001
From: Lodewiges
Date: Tue, 13 Jan 2026 01:41:17 +0100
Subject: [PATCH 2/3] implement suggestions
---
 app/controllers/activities_controller.rb | 2 +-
 app/controllers/invoices_controller.rb | 2 +-
 app/controllers/orders_controller.rb | 2 +-
 app/controllers/products_controller.rb | 2 +-
 app/controllers/users_controller.rb | 2 +-
 app/policies/invoice_policy.rb | 2 +-
 app/policies/product_policy.rb | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/app/controllers/activities_controller.rb b/app/controllers/activities_controller.rb
index 338940fb5..b8cb77909 100644
--- a/app/controllers/activities_controller.rb
+++ b/app/controllers/activities_controller.rb
@@ -178,7 +178,7 @@ def sorted_product_price(activity)
 end
 def activity_params
- params.require(:activity).permit(policy(Activity).permitted_attributes)
+ params.require(:activity).permit(policy(Activity.new).permitted_attributes)
 end
 def activity_params_for_update
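Review bot: In `UserPolicy#permitted_attributes_for_update_with_sofia_account` the `user&.treasurer?` branch widens the list to `name`/`deactivated`, but the `update_with_sofia_account?` check shown in the context lines is `record == user`, so that branch can only ever apply to a treasurer editing their own account — easy to misread as "treasurers may edit anyone's sofia account". A comment would remove the ambiguity: `# update_with_sofia_account? limits this to self-edits; a treasurer may additionally rename/deactivate themself here.` Separately, `permitted_attributes` (the create list) keeps `provider` and `sub_provider` client-settable, same as the removed controller list; now that the policy is the authoritative whitelist, a note on why the identity provider is accepted from the request would help the next reviewer.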
diff --git a/app/controllers/invoices_controller.rb b/app/controllers/invoices_controller.rb
index a549fd9bc..ebc4ac22a 100644
--- a/app/controllers/invoices_controller.rb
+++ b/app/controllers/invoices_controller.rb
@@ -81,6 +81,6 @@ def invoice
 end
 def invoice_params
- params.require(:invoice).permit(policy(Invoice).permitted_attributes)
+ params.require(:invoice).permit(policy(Invoice.new).permitted_attributes)
 end
 end
diff --git a/app/controllers/orders_controller.rb b/app/controllers/orders_controller.rb
index 830b4ae8d..3cf32b9b1 100644
--- a/app/controllers/orders_controller.rb
+++ b/app/controllers/orders_controller.rb
@@ -84,7 +84,7 @@ def send_insufficient_credit_mail?(user, old_credit)
 end
 def order_params
- params.require(:order).permit(policy(Order).permitted_attributes_for_create)
+ params.require(:order).permit(policy(Order.new).permitted_attributes_for_create)
 end
 def order_params_for_update
diff --git a/app/controllers/products_controller.rb b/app/controllers/products_controller.rb
index 332224d9b..fa8191060 100644
--- a/app/controllers/products_controller.rb
+++ b/app/controllers/products_controller.rb
@@ -32,7 +32,7 @@ def set_model
 end
 def product_params
- params.require(:product).permit(policy(Product).permitted_attributes)
+ params.require(:product).permit(policy(Product.new).permitted_attributes)
 end
 def json_includes
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 24c074e90..f87289967 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -166,6 +166,6 @@ def find_or_create_user(user_json) # rubocop:disable Metrics/AbcSize, Metrics/Me
 end
 def user_params
- params.require(:user).permit(policy(User).permitted_attributes)
+ params.require(:user).permit(policy(User.new).permitted_attributes)
 end
 end
diff --git a/app/policies/invoice_policy.rb b/app/policies/invoice_policy.rb
index 4dcaa34c4..1b47abcd5 100644
--- a/app/policies/invoice_policy.rb
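Review bot: This commit moves five controllers from `policy(Model)` to `policy(Model.new)`, but `credit_mutations_controller`, `price_lists_controller` and `sofia_accounts_controller` from the first patch still pass the class. Pundit resolves a policy from a class as well as from an instance, so both forms work as long as the `permitted_attributes` methods never inspect `record` (none of the ones in this series do), but the mix hides which behaviour is intended and will confuse the next person who adds a record-dependent list. Either apply the same change to the remaining three helpers or add a comment on each, e.g. `# Class is enough here: the policy's whitelist does not depend on the record.` The `find_or_create_user` method named in the hunk header continues outside the hunk.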
+++ b/app/policies/invoice_policy.rb
@@ -13,7 +13,7 @@ def pay?
 def permitted_attributes
 [
- :user_id, :activity_id, :name_override, :email_override, :rows,
+ :user_id, :activity_id, :name_override, :email_override,
 { rows_attributes: %i[name amount price] }
 ]
 end
diff --git a/app/policies/product_policy.rb b/app/policies/product_policy.rb
index 3441bcbd2..6d6319afd 100644
--- a/app/policies/product_policy.rb
+++ b/app/policies/product_policy.rb
@@ -9,7 +9,7 @@ def update?
 def permitted_attributes
 [
- :name, :category, :color, :requires_age, :id,
+ :name, :category, :color, :requires_age,
 { product_prices_attributes: %i[id product_id price_list_id price _destroy] }
 ]
 end
From 5af5889373a79b40806de862567a0cb27e73103a Mon Sep 17 00:00:00 2001
From: Lodewiges
Date: Tue, 13 Jan 2026 01:50:35 +0100
Subject: [PATCH 3/3] fix lint
---
 app/controllers/users_controller.rb | 7 ++++++-
 app/policies/order_policy.rb | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f87289967..5ac4ad8f7 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -88,7 +88,7 @@ def update
 @user = User.find(params[:id])
 authorize @user
- if @user.update(params.require(:user).permit(policy(@user).permitted_attributes_for_update))
+ if update_user
 flash[:success] = 'Gebruiker geupdate'
 else
 flash[:error] = "Gebruiker updaten mislukt; #{@user.errors.full_messages.join(', ')}"
@@ -151,6 +151,11 @@ def update_with_sofia_account # rubocop:disable Metrics/AbcSize, Metrics/MethodL
 private
+ def update_user
+ permitted_params = params.require(:user).permit(policy(@user).permitted_attributes_for_update)
+ @user.update(permitted_params)
+ end
+
 def find_or_create_user(user_json) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
 fields = user_json['attributes']
 u = User.find_or_initialize_by(uid: user_json['id'])
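Review bot: With the top-level `:id` dropped from `ProductPolicy#permitted_attributes`, the nested `product_prices_attributes` list still permits `product_id`. Under `accepts_nested_attributes_for` the parent association sets that foreign key itself, so `product_id` in the nested list is at best redundant and at worst lets a request re-point an existing price row at a different product — the nested `id` is checked against the association, `product_id` is not. Unless something in the model relies on it being client-supplied (not visible here), `%i[id price_list_id price _destroy]` is the tighter list, with a comment such as `# product_id is set by the association; never accept it from the request.` The enclosing policy class continues outside the hunk.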
diff --git a/app/policies/order_policy.rb b/app/policies/order_policy.rb
index cf959fc4d..5b5af8d96 100644
--- a/app/policies/order_policy.rb
+++ b/app/policies/order_policy.rb
@@ -26,6 +26,6 @@ def permitted_attributes_for_create
 end
 def permitted_attributes_for_update
- [:id, order_rows_attributes: %i[id product_count]]
+ [:id, { order_rows_attributes: %i[id product_count] }]
 end
 end