Strong parameters for User

Fetch user params instead of require.

Strong parameters for User
0e26a496 · James Fleming · Jonne Haß · 686d3baa · 0e26a496 · 0e26a496
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -9,7 +9,7 @@ class RegistrationsController < Devise::RegistrationsController
  before_filter -> { @css_framework = :bootstrap }, only: [:new]

  def create
-    @user = User.build(params[:user])
+    @user = User.build(user_params)
    @user.process_invite_acceptence(invite) if invite.present?

    if @user.save
@@ -54,4 +54,8 @@ class RegistrationsController < Devise::RegistrationsController
  end

  helper_method :invite
+
+  def user_params
+    params.require(:user).permit(:username, :email, :getting_started, :password, :password_confirmation, :language, :disable_mail, :invitation_service, :invitation_identifier, :show_community_spotlight_in_stream, :auto_follow_back, :auto_follow_back_aspect_id, :remember_me)
+  end
 end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -24,7 +24,7 @@ class UsersController < ApplicationController
    password_changed = false
    @user = current_user

-    if u = params[:user]
+    if u = user_params
      u.delete(:password) if u[:password].blank?
      u.delete(:password_confirmation) if u[:password].blank? and u[:password_confirmation].blank?
      u.delete(:language) if u[:language].blank?
@@ -125,7 +125,8 @@ class UsersController < ApplicationController

  def getting_started_completed
    user = current_user
-    user.update_attributes(:getting_started => false)
+    user.getting_started = false
+    user.save
    redirect_to stream_path
  end

@@ -157,4 +158,10 @@ class UsersController < ApplicationController
    end
    redirect_to edit_user_path
  end
+
+  private
+
+  def user_params
+    params.fetch(:user).permit(:username, :email, :current_password, :password, :password_confirmation, :language, :disable_mail, :invitation_service, :invitation_identifier, :show_community_spotlight_in_stream, :auto_follow_back, :auto_follow_back_aspect_id, :remember_me, :email_preferences => [:also_commented, :mentioned, :comment_on_post, :private_message, :started_sharing, :liked, :reshared])
+  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -7,6 +7,7 @@ class User < ActiveRecord::Base
  include Connecting
  include Querying
  include SocialActions
+  include ActiveModel::ForbiddenAttributesProtection

  scope :logged_in_since, lambda { |time| where('last_sign_in_at > ?', time) }
  scope :monthly_actives, lambda { |time = Time.now| logged_in_since(time - 1.month) }
@@ -67,21 +68,6 @@ class User < ActiveRecord::Base
  before_save :guard_unconfirmed_email,
              :save_person!

-  attr_accessible :username,
-                  :email,
-                  :getting_started,
-                  :password,
-                  :password_confirmation,
-                  :language,
-                  :disable_mail,
-                  :invitation_service,
-                  :invitation_identifier,
-                  :show_community_spotlight_in_stream,
-                  :auto_follow_back,
-                  :auto_follow_back_aspect_id,
-                  :remember_me
-
-
  def self.all_sharing_with_person(person)
    User.joins(:contacts).where(:contacts => {:person_id => person.id})
  end