app/controllers/apicasso/crud_controller.rb in apicasso-0.6.0 vs app/controllers/apicasso/crud_controller.rb in apicasso-0.6.1

- old
+ new

@@ -1,10 +1,12 @@ # frozen_string_literal: true module Apicasso # Controller to consume read-only data to be used on client's frontend class CrudController < Apicasso::ApplicationController + prepend_before_action :klasses_allowed + before_action :bad_request? before_action :set_object, except: %i[index create schema] before_action :set_nested_resource, only: %i[nested_index] before_action :set_records, only: %i[index] include Orderable # GET /:resource @@ -221,8 +223,19 @@ { many.name.to_s.gsub(/(_attachments)$/, '').to_sym => [] } else { many.name.to_sym => [] } end end.compact + end + + # Check for SQL injection before requests and + # raise a exception when find + def bad_request? + raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless sql_injection(resource) + end + + # Check for a bad request to be more secure + def klasses_allowed + raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless descendants_included? end end end
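Review bot: `prepend_before_action :klasses_allowed` runs ahead of every callback inherited from Apicasso::ApplicationController, so if the parent authenticates in a `before_action` the class-name check and its 400 now fire for unauthenticated callers, which lets the set of permitted resource names be probed without credentials. If the intent is only to run the check before `set_object`, a plain `before_action :klasses_allowed` declared first in this class already precedes the other callbacks registered here. `prepend_before_action` is warranted only when the parent's own callbacks depend on the resource being a permitted class; the parent's callback chain is outside this diff, so confirm which case applies.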
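Review bot: `raise ActionController::BadRequest.new(...) unless sql_injection(resource)` reads as "raise unless an injection was found", so the guard is only correct if `sql_injection` returns truthy for clean input; that helper is not in the hunk, so confirm its contract, and consider giving it a predicate name that reads the way it behaves (for example a `safe_resource?` that returns true for clean input), since an inverted reading here would let every malformed resource through while rejecting the clean ones. `bad_request?` is likewise named as a predicate but raises instead of returning a boolean, so a callback-style name such as `reject_bad_request` would be clearer. No `private` marker is visible in the hunk; if these two methods land in the public section of the controller they become routable actions, so they belong under `private`. Minor: both raises repeat the same literal, which could be a frozen constant used as `raise ActionController::BadRequest, BAD_REQUEST_MESSAGE`, and that user-visible message should be a neutral one such as `'Bad request'` rather than the current taunt.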