From 0e26a496b8197d5c108638aec7ae691e3ef82d06 Mon Sep 17 00:00:00 2001
From: James Fleming
Date: Thu, 27 Jun 2013 20:01:14 +0200
Subject: [PATCH] Strong parameters for User
Fetch user params instead of require.
---
 app/controllers/registrations_controller.rb | 6 +++++-
 app/controllers/users_controller.rb | 11 +++++++++--
 app/models/user.rb | 16 +---------------
 3 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index b1fbd635b..c7377f4ed 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -9,7 +9,7 @@ class RegistrationsController < Devise::RegistrationsController
 before_filter -> { @css_framework = :bootstrap }, only: [:new]
 def create
- @user = User.build(params[:user])
+ @user = User.build(user_params)
 @user.process_invite_acceptence(invite) if invite.present?
 if @user.save
@@ -54,4 +54,8 @@ class RegistrationsController < Devise::RegistrationsController
 end
 helper_method :invite
+
+ def user_params
+ params.require(:user).permit(:username, :email, :getting_started, :password, :password_confirmation, :language, :disable_mail, :invitation_service, :invitation_identifier, :show_community_spotlight_in_stream, :auto_follow_back, :auto_follow_back_aspect_id, :remember_me)
+ end
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 528baa33f..8cb796fe2 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -24,7 +24,7 @@ class UsersController < ApplicationController
 password_changed = false
 @user = current_user
- if u = params[:user]
+ if u = user_params
 u.delete(:password) if u[:password].blank?
 u.delete(:password_confirmation) if u[:password].blank? and u[:password_confirmation].blank?
 u.delete(:language) if u[:language].blank?
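Review bot: In the `@@ -54,4 +54,8 @@` hunk `user_params` is added right after `helper_method :invite` with no `private` keyword visible, so unless a `private` earlier in the file (outside this hunk) already covers this position it is a public controller method, and Rails treats public instance methods of a controller as routable actions. The users_controller hunk in the same patch puts its `user_params` under `private`; this one should match, `private` on the line before `def user_params`. The class body continues outside the hunk, so whether an earlier `private` applies cannot be confirmed from here.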
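Review bot: In the `@@ -24,7 +24,7 @@` hunk `if u = user_params` can no longer take its false branch: the replaced `params[:user]` returned nil when the key was absent, whereas `user_params` (defined later in this patch as `params.fetch(:user).permit(...)`) returns a truthy `ActionController::Parameters` when `:user` is present and, as far as I can tell from strong_parameters' `fetch`, raises `ActionController::ParameterMissing` when it is not. A request to this action without a `user` key therefore now fails with a 400 instead of skipping the block, which may or may not be intended. If skipping was the intent, keep a cheap guard here, `if params[:user]` followed by `u = user_params`, or give the fetch a default. The enclosing action continues past the hunk.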
@@ -125,7 +125,8 @@ class UsersController < ApplicationController
 def getting_started_completed
 user = current_user
- user.update_attributes(:getting_started => false)
+ user.getting_started = false
+ user.save
 redirect_to stream_path
 end
@@ -157,4 +158,10 @@ class UsersController < ApplicationController
 end
 redirect_to edit_user_path
 end
+
+ private
+
+ def user_params
+ params.fetch(:user).permit(:username, :email, :current_password, :password, :password_confirmation, :language, :disable_mail, :invitation_service, :invitation_identifier, :show_community_spotlight_in_stream, :auto_follow_back, :auto_follow_back_aspect_id, :remember_me, :email_preferences => [:also_commented, :mentioned, :comment_on_post, :private_message, :started_sharing, :liked, :reshared])
+ end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index a53bfe488..4c8897c79 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -7,6 +7,7 @@ class User < ActiveRecord::Base
 include Connecting
 include Querying
 include SocialActions
+ include ActiveModel::ForbiddenAttributesProtection
 scope :logged_in_since, lambda { |time| where('last_sign_in_at > ?', time) }
 scope :monthly_actives, lambda { |time = Time.now| logged_in_since(time - 1.month) }
@@ -67,21 +68,6 @@ class User < ActiveRecord::Base
 before_save :guard_unconfirmed_email, :save_person!
- attr_accessible :username,
- :email,
- :getting_started,
- :password,
- :password_confirmation,
- :language,
- :disable_mail,
- :invitation_service,
- :invitation_identifier,
- :show_community_spotlight_in_stream,
- :auto_follow_back,
- :auto_follow_back_aspect_id,
- :remember_me
-
-
 def self.all_sharing_with_person(person)
 User.joins(:contacts).where(:contacts => {:person_id => person.id})
 end
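Review bot: In the `@@ -157,4 +158,10 @@` hunk `params.fetch(:user)` without a default does not deliver the leniency the commit message ("Fetch user params instead of require") suggests: for a missing `:user` key strong_parameters' `fetch` raises `ActionController::ParameterMissing` just like `require`, the only difference being that `require` also rejects a blank value. If callers of `update` may legitimately omit `user`, write `params.fetch(:user, {}).permit(...)`; otherwise use `require` here for consistency with RegistrationsController. The two permit lists in this patch also differ deliberately (`:getting_started` only at signup, `:current_password` and `:email_preferences` only here) without saying so; a comment above `def user_params` such as `# Mass-assignment whitelist for self-service profile updates; intentionally narrower/wider than RegistrationsController#user_params` would stop a future merge of the two lists.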
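Review bot: In the `@@ -7,6 +7,7 @@` hunk, `ActiveModel::ForbiddenAttributesProtection` only rejects objects that respond to `permitted?` (i.e. `ActionController::Parameters` that were not `permit`ted); a plain Hash assigned to a User is not checked at all, and with `attr_accessible` removed in the next hunk every column is now writable through such a Hash. Any code path that turns request params into a plain Hash (`to_hash`, hash rebuilding, `slice`) before calling `User.new`/`update_attributes` silently loses the protection the old whitelist gave; callers outside this patch were not audited here. A comment on the include would make the new contract explicit: `# Rejects unpermitted ActionController::Parameters; plain Hashes are NOT checked, so never hand raw request data to User as a Hash.`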