Strong parameters for User

Fetch user params instead of require.

app/controllers/registrations_controller.rb

@@ -9,7 +9,7 @@ class RegistrationsController < Devise::RegistrationsController
   before_filter -> { @css_framework = :bootstrap }, only: [:new]
 
   def create
-    @user = User.build(params[:user])
+    @user = User.build(user_params)
     @user.process_invite_acceptence(invite) if invite.present?
 
     if @user.save
@@ -54,4 +54,8 @@ class RegistrationsController < Devise::RegistrationsController
   end
 
   helper_method :invite
+
+  def user_params
+    params.require(:user).permit(:username, :email, :getting_started, :password, :password_confirmation, :language, :disable_mail, :invitation_service, :invitation_identifier, :show_community_spotlight_in_stream, :auto_follow_back, :auto_follow_back_aspect_id, :remember_me)
+  end
 end

app/controllers/users_controller.rb

@@ -24,7 +24,7 @@ class UsersController < ApplicationController
     password_changed = false
     @user = current_user
 
-    if u = params[:user]
+    if u = user_params
       u.delete(:password) if u[:password].blank?
       u.delete(:password_confirmation) if u[:password].blank? and u[:password_confirmation].blank?
       u.delete(:language) if u[:language].blank?
@@ -125,7 +125,8 @@ class UsersController < ApplicationController
 
   def getting_started_completed
     user = current_user
-    user.update_attributes(:getting_started => false)
+    user.getting_started = false
+    user.save
     redirect_to stream_path
   end
 
@@ -157,4 +158,10 @@ class UsersController < ApplicationController
     end
     redirect_to edit_user_path
   end
+
+  private
+
+  def user_params
+    params.fetch(:user).permit(:username, :email, :current_password, :password, :password_confirmation, :language, :disable_mail, :invitation_service, :invitation_identifier, :show_community_spotlight_in_stream, :auto_follow_back, :auto_follow_back_aspect_id, :remember_me, :email_preferences => [:also_commented, :mentioned, :comment_on_post, :private_message, :started_sharing, :liked, :reshared])
+  end
 end

app/models/user.rb

@@ -7,6 +7,7 @@ class User < ActiveRecord::Base
   include Connecting
   include Querying
   include SocialActions
+  include ActiveModel::ForbiddenAttributesProtection
 
   scope :logged_in_since, lambda { |time| where('last_sign_in_at > ?', time) }
   scope :monthly_actives, lambda { |time = Time.now| logged_in_since(time - 1.month) }
@@ -67,21 +68,6 @@ class User < ActiveRecord::Base
   before_save :guard_unconfirmed_email,
               :save_person!
 
-  attr_accessible :username,
-                  :email,
-                  :getting_started,
-                  :password,
-                  :password_confirmation,
-                  :language,
-                  :disable_mail,
-                  :invitation_service,
-                  :invitation_identifier,
-                  :show_community_spotlight_in_stream,
-                  :auto_follow_back,
-                  :auto_follow_back_aspect_id,
-                  :remember_me
-
-
   def self.all_sharing_with_person(person)
     User.joins(:contacts).where(:contacts => {:person_id => person.id})
   end