Enabled strong_parameters across all models/controllers.

All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2025-05-22 22:43:33 +08:00 · 2013-06-06 00:14:32 -07:00
parent a3d62fdf69
commit 0d01c33482
34 changed files with 67 additions and 83 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -6,7 +6,8 @@ class SessionController < ApplicationController
  skip_before_filter :redirect_to_login_if_required

  def create
-    requires_parameter(:login, :password)
+    params.require(:login)
+    params.require(:password)

    login = params[:login]
    login = login[1..-1] if login[0] == "@"
@ -47,7 +48,7 @@ class SessionController < ApplicationController
  end

  def forgot_password
-    requires_parameter(:login)
+    params.require(:login)

    user = User.where('username_lower = :username or email = :email', username: params[:login].downcase, email: Email.downcase(params[:login])).first
    if user.present?