implement strong parameters instead of protected attributes

Author: tygriffin

Gemfile

@@ -10,7 +10,7 @@ gem 'actionpack-xml_parser', '~>1.0.0'
 gem 'actionview-encoded_mail_to', '~>1.0.4'
 gem 'activerecord-session_store', '~>0.0.1'
 gem 'activeresource', '~>4.0.0.beta1'
-gem 'protected_attributes', '~>1.0.1'
+# gem 'protected_attributes', '~>1.0.1'
 gem 'rails-observers', '~>0.1.1'
 gem 'rails-perftest', '~>0.0.2'
 
@@ -30,7 +30,7 @@ gem 'pg'
 
 gem 'figaro' # for handling config via ENV variables
 
-gem 'cancan' # for checking member privileges
+gem 'cancancan', '~> 1.9' # for checking member privileges
 
 gem 'gibbon' # for Mailchimp newsletter subscriptions
 

Gemfile.lock

@@ -79,7 +79,7 @@ GEM
       columnize (~> 0.8)
       debugger-linecache (~> 1.2)
       slop (~> 3.6)
-    cancan (1.6.10)
+    cancancan (1.9.2)
     capybara (2.4.4)
       mime-types (>= 1.16)
       nokogiri (>= 1.3.3)
@@ -223,8 +223,6 @@ GEM
       cliver (~> 0.3.1)
       multi_json (~> 1.0)
       websocket-driver (>= 0.2.0)
-    protected_attributes (1.0.8)
-      activemodel (>= 4.0.1, < 5.0)
     pry (0.10.1)
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
@@ -356,7 +354,7 @@ DEPENDENCIES
   bootstrap-datepicker-rails
   bundler (>= 1.1.5)
   byebug
-  cancan
+  cancancan (~> 1.9)
   capybara
   capybara-email
   coffee-rails (~> 4.1.0)
@@ -392,7 +390,6 @@ DEPENDENCIES
   omniauth-twitter
   pg
   poltergeist (~> 1.5.1)
-  protected_attributes (~> 1.0.1)
   pry
   rails (= 4.1.7)
   rails-observers (~> 0.1.1)

app/controllers/account_types_controller.rb

@@ -34,7 +34,7 @@ def edit
 
   # POST /account_types
   def create
-    @account_type = AccountType.new(params[:account_type])
+    @account_type = AccountType.new(account_type_params)
 
     respond_to do |format|
       if @account_type.save
@@ -50,7 +50,7 @@ def update
     @account_type = AccountType.find(params[:id])
 
     respond_to do |format|
-      if @account_type.update_attributes(params[:account_type])
+      if @account_type.update(account_type_params)
         format.html { redirect_to @account_type, notice: 'Account type was successfully updated.' }
       else
         format.html { render action: "edit" }
@@ -67,4 +67,10 @@ def destroy
       format.html { redirect_to account_types_url, notice: 'Account type was successfully deleted.' }
     end
   end
+
+  private 
+
+  def account_type_params
+    params.require(:account_type).permit(:is_paid, :is_permanent_paid, :name)
+  end
 end

app/controllers/accounts_controller.rb

@@ -28,12 +28,18 @@ def update
     @account = Account.find(params[:id])
 
     respond_to do |format|
-      if @account.update_attributes(params[:account])
+      if @account.update(params[:account])
         format.html { redirect_to @account, notice: 'Account detail was successfully updated.' }
       else
         format.html { render action: "edit" }
       end
     end
   end
 
+  private
+
+  def account_params
+    params.require(:account).permit(:account_type_id, :member_id, :paid_until)
+  end
+
 end

app/controllers/alternate_names_controller.rb

@@ -44,7 +44,7 @@ def edit
   # POST /alternate_names.json
   def create
     params[:alternate_name][:creator_id] = current_member.id
-    @alternate_name = AlternateName.new(params[:alternate_name])
+    @alternate_name = AlternateName.new(alternate_name_params)
 
     respond_to do |format|
       if @alternate_name.save
@@ -63,7 +63,7 @@ def update
     @alternate_name = AlternateName.find(params[:id])
 
     respond_to do |format|
-      if @alternate_name.update_attributes(params[:alternate_name])
+      if @alternate_name.update(alternate_name_params)
         format.html { redirect_to @alternate_name.crop, notice: 'Alternate name was successfully updated.' }
         format.json { head :no_content }
       else
@@ -87,4 +87,10 @@ def destroy
       format.json { head :no_content }
     end
   end
+
+  private
+
+  def alternate_name_params
+    params.require(:alternate_name).permit(:crop_id, :name, :creator_id)
+  end
 end

app/controllers/application_controller.rb

@@ -48,7 +48,17 @@ def extract_locale_from_subdomain
   protected
 
   def configure_permitted_parameters
-    devise_parameter_sanitizer.for(:sign_up) {|u| u.permit(:login_name, :email, :password, :password_confirmation, :tos_agreement, :newsletter) }
+    devise_parameter_sanitizer.for(:sign_up) do |u| 
+      u.permit(:login_name, :email, :password, :password_confirmation,
+        :remember_me, :login,
+        # terms of service
+        :tos_agreement,
+        # profile stuff
+        :bio, :location, :latitude, :longitude,
+        # email settings
+        :show_email, :newsletter, :send_notification_email, :send_planting_reminder
+      )
+    end
   end
 
 end

app/controllers/comments_controller.rb

@@ -54,7 +54,7 @@ def edit
   # POST /comments.json
   def create
     params[:comment][:author_id] = current_member.id
-    @comment = Comment.new(params[:comment])
+    @comment = Comment.new(comment_params)
 
     respond_to do |format|
       if @comment.save
@@ -78,7 +78,7 @@ def update
     params[:comment].delete("author_id")
 
     respond_to do |format|
-      if @comment.update_attributes(params[:comment])
+      if @comment.update(comment_params)
         format.html { redirect_to @comment.post, notice: 'Comment was successfully updated.' }
         format.json { head :no_content }
       else
@@ -100,4 +100,10 @@ def destroy
       format.json { head :no_content }
     end
   end
+
+  private 
+
+  def comment_params
+    params.require(:comment).permit(:author_id, :body, :post_id)
+  end
 end

app/controllers/crops_controller.rb

@@ -103,7 +103,7 @@ def edit
   # POST /crops.json
   def create
     params[:crop][:creator_id] = current_member.id
-    @crop = Crop.new(params[:crop])
+    @crop = Crop.new(crop_params)
 
     respond_to do |format|
       if @crop.save
@@ -122,7 +122,7 @@ def update
     @crop = Crop.find(params[:id])
 
     respond_to do |format|
-      if @crop.update_attributes(params[:crop])
+      if @crop.update(crop_params)
         format.html { redirect_to @crop, notice: 'Crop was successfully updated.' }
         format.json { head :no_content }
       else
@@ -143,4 +143,10 @@ def destroy
       format.json { head :no_content }
     end
   end
+
+  private
+
+  def crop_params
+    require(:crop).permit(:en_wikipedia_url, :name, :parent_id, :creator_id, :scientific_names_attributes)
+  end
 end

app/controllers/forums_controller.rb

@@ -44,7 +44,7 @@ def edit
   # POST /forums
   # POST /forums.json
   def create
-    @forum = Forum.new(params[:forum])
+    @forum = Forum.new(forum_params)
 
     respond_to do |format|
       if @forum.save
@@ -63,7 +63,7 @@ def update
     @forum = Forum.find(params[:id])
 
     respond_to do |format|
-      if @forum.update_attributes(params[:forum])
+      if @forum.update(forum_params)
         format.html { redirect_to @forum, notice: 'Forum was successfully updated.' }
         format.json { head :no_content }
       else
@@ -84,4 +84,10 @@ def destroy
       format.json { head :no_content }
     end
   end
+
+  private
+
+  def forum_params
+    params.require(:forum).permit(:description, :name, :owner_id, :slug)
+  end
 end

app/controllers/gardens_controller.rb

@@ -49,7 +49,7 @@ def edit
   # POST /gardens.json
   def create
     params[:garden][:owner_id] = current_member.id
-    @garden = Garden.new(params[:garden])
+    @garden = Garden.new(garden_params)
 
     respond_to do |format|
       if @garden.save
@@ -68,7 +68,7 @@ def update
     @garden = Garden.find(params[:id])
 
     respond_to do |format|
-      if @garden.update_attributes(params[:garden])
+      if @garden.update(garden_params)
         format.html { redirect_to @garden, notice: 'Garden was successfully updated.' }
         format.json { head :no_content }
       else
@@ -89,4 +89,11 @@ def destroy
       format.json { head :no_content }
     end
   end
+
+  private
+
+  def garden_params
+    params.require(:garden).permit(:name, :slug, :owner_id, :description, :active,
+    :location, :latitude, :longitude, :area, :area_unit)
+  end
 end

app/controllers/harvests_controller.rb

@@ -61,7 +61,7 @@ def edit
   def create
     params[:harvest][:owner_id] = current_member.id
     params[:harvested_at] = parse_date(params[:harvested_at])
-    @harvest = Harvest.new(params[:harvest])
+    @harvest = Harvest.new(harvest_params)
 
     respond_to do |format|
       if @harvest.save
@@ -80,7 +80,7 @@ def update
     @harvest = Harvest.find(params[:id])
 
     respond_to do |format|
-      if @harvest.update_attributes(params[:harvest])
+      if @harvest.update(harvest_params)
         format.html { redirect_to @harvest, notice: 'Harvest was successfully updated.' }
         format.json { head :no_content }
       else
@@ -101,4 +101,11 @@ def destroy
       format.json { head :no_content }
     end
   end
+
+  private
+
+  def harvest_params
+    params.require(:harvest).permit(:crop_id, :harvested_at, :description, :owner_id,
+    :quantity, :unit, :weight_quantity, :weight_unit, :plant_part_id, :slug)
+  end
 end

app/controllers/notifications_controller.rb

@@ -47,7 +47,7 @@ def destroy
   # POST /notifications
   def create
     params[:notification][:sender_id] = current_member.id
-    @notification = Notification.new(params[:notification])
+    @notification = Notification.new(notification_params)
     @recipient = Member.find_by_id(params[:notification][:recipient_id])
 
     respond_to do |format|
@@ -58,4 +58,10 @@ def create
       end
     end
   end
+
+  private
+
+  def notification_params
+    params.require(:notification).permit(:sender_id, :recipient_id, :subject, :body, :post_id, :read)
+  end
 end

app/controllers/order_items_controller.rb

@@ -6,7 +6,7 @@ def create
     if params[:order_item][:price]
       params[:order_item][:price] = params[:order_item][:price].to_f * 100 # convert to cents
     end
-    @order_item = OrderItem.new(params[:order_item])
+    @order_item = OrderItem.new(order_item_params)
     @order_item.order = current_member.current_order || Order.create(:member_id => current_member.id)
 
     respond_to do |format|
@@ -19,4 +19,10 @@ def create
       end
     end
   end
+
+  private
+
+  def order_item_params
+    params.require(:order_item).permit(:order_id, :price, :product_id, :quantity)
+  end
 end

app/controllers/photos_controller.rb

@@ -60,7 +60,7 @@ def edit
   # POST /photos.json
   def create
     @photo = Photo.find_by_flickr_photo_id(params[:photo][:flickr_photo_id]) ||
-      Photo.new(params[:photo])
+      Photo.new(photo_params)
     @photo.owner_id = current_member.id
     @photo.set_flickr_metadata
 
@@ -110,7 +110,7 @@ def update
     @photo = Photo.find(params[:id])
 
     respond_to do |format|
-      if @photo.update_attributes(params[:photo])
+      if @photo.update(photo_params)
         format.html { redirect_to @photo, notice: 'Photo was successfully updated.' }
         format.json { head :no_content }
       else
@@ -131,4 +131,11 @@ def destroy
       format.json { head :no_content }
     end
   end
+
+  private
+
+  def photo_params
+    params.require(:photo).permit(:flickr_photo_id, :owner_id, :title, :license_name,
+    :license_url, :thumbnail_url, :fullsize_url, :link_url)
+  end
 end

app/controllers/plant_parts_controller.rb

@@ -42,7 +42,7 @@ def edit
   # POST /plant_parts
   # POST /plant_parts.json
   def create
-    @plant_part = PlantPart.new(params[:plant_part])
+    @plant_part = PlantPart.new(plant_part_params)
 
     respond_to do |format|
       if @plant_part.save
@@ -61,7 +61,7 @@ def update
     @plant_part = PlantPart.find(params[:id])
 
     respond_to do |format|
-      if @plant_part.update_attributes(params[:plant_part])
+      if @plant_part.update(plant_part_params)
         format.html { redirect_to @plant_part, notice: 'Plant part was successfully updated.' }
         format.json { head :no_content }
       else
@@ -82,4 +82,10 @@ def destroy
       format.json { head :no_content }
     end
   end
+
+  private
+
+  def plant_part_params
+    params.require(:plant_part).permit(:name, :slug)
+  end
 end