FIX: Sanitize parameters provided to user actions

Currently, providing things like `filter[%24acunetix]=1` to
`UserActionsController#index` will throw an exception because instead of
getting a string as expected, we get a hash instead.

This patch simply uses `#permit` from strong parameters properly: first
we apply it on the whole parameters, this way it filters the keys we’re
interested in. By doing this, if the value is a hash for example, the
whole key/value pair will be ignored completely.

app/controllers/user_actions_controller.rb

@@ -2,13 +2,12 @@
 
 class UserActionsController < ApplicationController
   def index
-    params.require(:username)
-    params.permit(:filter, :offset, :acting_username, :limit)
+    user_actions_params.require(:username)
 
     user = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
-    offset = [0, params[:offset].to_i].max
-    action_types = (params[:filter] || "").split(",").map(&:to_i)
-    limit = params.fetch(:limit, 30).to_i
+    offset = [0, user_actions_params[:offset].to_i].max
+    action_types = (user_actions_params[:filter] || "").split(",").map(&:to_i)
+    limit = user_actions_params.fetch(:limit, 30).to_i
 
     raise Discourse::NotFound unless guardian.can_see_profile?(user)
     raise Discourse::NotFound unless guardian.can_see_user_actions?(user, action_types)
@@ -20,7 +19,7 @@ class UserActionsController < ApplicationController
       limit: limit,
       action_types: action_types,
       guardian: guardian,
-      ignore_private_messages: params[:filter] ? false : true,
+      ignore_private_messages: params[:filter].blank?,
       acting_username: params[:acting_username]
     }
 
@@ -38,4 +37,9 @@ class UserActionsController < ApplicationController
     # TODO should preload messages to avoid extra http req
   end
 
+  private
+
+  def user_actions_params
+    @user_actions_params ||= params.permit(:username, :filter, :offset, :acting_username, :limit)
+  end
 end