Enabled strong_parameters across all models/controllers.

All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for whitelisting mass-assignment parameters from the model to the controller. attr_accessible has been disabled and removed, since strong_parameters replaces that functionality.

The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.

It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
Ian Christian Myers
2013-06-06 00:14:32 -07:00
parent a3d62fdf69
commit 0d01c33482
34 changed files with 67 additions and 83 deletions


@ -78,7 +78,8 @@ class TopicsController < ApplicationController
end
def similar_to
requires_parameters(:title, :raw)
params.require(:title)
params.require(:raw)
title, raw = params[:title], params[:raw]
raise Discourse::InvalidParameters.new(:title) if title.length < SiteSetting.min_title_similar_length
@ -89,7 +90,8 @@ class TopicsController < ApplicationController
end
def status
requires_parameters(:status, :enabled)
params.require(:status)
params.require(:enabled)
raise Discourse::InvalidParameters.new(:status) unless %w(visible closed pinned archived).include?(params[:status])
@topic = Topic.where(id: params[:topic_id].to_i).first
@ -115,7 +117,7 @@ class TopicsController < ApplicationController
end
def autoclose
requires_parameter(:auto_close_days)
raise Discourse::InvalidParameters.new(:auto_close_days) unless params.has_key?(:auto_close_days)
@topic = Topic.where(id: params[:topic_id].to_i).first
guardian.ensure_can_moderate!(@topic)
@topic.auto_close_days = params[:auto_close_days]
@ -136,7 +138,7 @@ class TopicsController < ApplicationController
end
def invite
requires_parameter(:user)
params.require(:user)
topic = Topic.where(id: params[:topic_id]).first
guardian.ensure_can_invite_to!(topic)
@ -154,7 +156,7 @@ class TopicsController < ApplicationController
end
def merge_topic
requires_parameters(:destination_topic_id)
params.require(:destination_topic_id)
topic = Topic.where(id: params[:topic_id]).first
guardian.ensure_can_move_posts!(topic)
@ -168,7 +170,7 @@ class TopicsController < ApplicationController
end
def move_posts
requires_parameters(:post_ids)
params.require(:post_ids)
topic = Topic.where(id: params[:topic_id]).first
guardian.ensure_can_move_posts!(topic)