diff --git a/app/controllers/api/openid_connect/authorizations_controller.rb b/app/controllers/api/openid_connect/authorizations_controller.rb
index cc2e6a0a62e6e821e446d89eee4227b36a5c708b..94f2680105d6461b0d7e1fc025641fb04025f3ff 100644
--- a/app/controllers/api/openid_connect/authorizations_controller.rb
+++ b/app/controllers/api/openid_connect/authorizations_controller.rb
@@ -205,7 +205,7 @@ module Api
         if prompt && prompt.include?("none")
           handle_prompt_none
         elsif prompt && prompt.include?("login")
-          new_params = params.except("controller", "action").merge(prompt: prompt.remove("login"))
+          new_params = params.except("controller", "action").permit!.to_h.merge(prompt: prompt.remove("login"))
           reauthenticate(new_params)
         else
           authenticate_user!
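Review bot: `permit!` on the line that builds `new_params` marks every request parameter as permitted, nested ones included, so the hash handed to `reauthenticate` is effectively unfiltered client input. If `reauthenticate` (not visible in this hunk) only needs to round-trip the authorization request, allow just the parameters the endpoint accepts, for example `params.permit(:client_id, :redirect_uri, :response_type, :scope, :state, :nonce, :prompt)`, adjusted to the real list. If passing everything through is intended, `params.except("controller", "action").to_unsafe_h` says so explicitly and is easier to audit than `permit!.to_h`. The enclosing method starts and ends outside the hunk.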
diff --git a/app/controllers/invitations_controller.rb b/app/controllers/invitations_controller.rb
index 66653e83e1b619216f02acfa917be8febbf4a3d0..402ce7e4d8395f0f2b85436600ec90ee85a4e4b3 100644
--- a/app/controllers/invitations_controller.rb
+++ b/app/controllers/invitations_controller.rb
@@ -71,6 +71,6 @@ class InvitationsController < ApplicationController
   end
 
   def inviter_params
-    params.require(:email_inviter).permit(:message, :locale, :emails)
+    params.require(:email_inviter).permit(:message, :locale, :emails).to_h
   end
 end
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index d8b59fb4a480ba057e964799f9e5b6f326959095..d4da48654447cb2cd2a35ac42ff48f509b08d662 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -125,27 +125,28 @@ class PhotosController < ApplicationController
   end
 
   def legacy_create
-    if params[:photo][:aspect_ids] == "all"
-      params[:photo][:aspect_ids] = current_user.aspects.collect { |x| x.id }
-    elsif params[:photo][:aspect_ids].is_a?(Hash)
-      params[:photo][:aspect_ids] = params[:photo][:aspect_ids].values
+    photo_params = params.require(:photo).permit(:pending, :set_profile_photo, aspect_ids: [])
+    if photo_params[:aspect_ids] == "all"
+      photo_params[:aspect_ids] = current_user.aspects.map(&:id)
+    elsif photo_params[:aspect_ids].is_a?(Hash)
+      photo_params[:aspect_ids] = params[:photo][:aspect_ids].values
     end
 
-    params[:photo][:user_file] = file_handler(params)
+    photo_params[:user_file] = file_handler(params)
 
-    @photo = current_user.build_post(:photo, params[:photo])
+    @photo = current_user.build_post(:photo, photo_params)
 
     if @photo.save
 
       unless @photo.pending
         unless @photo.public?
-          aspects = current_user.aspects_from_ids(params[:photo][:aspect_ids])
+          aspects = current_user.aspects_from_ids(photo_params[:aspect_ids])
           current_user.add_to_streams(@photo, aspects)
         end
-        current_user.dispatch_post(@photo, :to => params[:photo][:aspect_ids])
+        current_user.dispatch_post(@photo, to: photo_params[:aspect_ids])
       end
 
-      if params[:photo][:set_profile_photo]
+      if photo_params[:set_profile_photo]
         profile_params = {:image_url => @photo.url(:thumb_large),
                           :image_url_medium => @photo.url(:thumb_medium),
                           :image_url_small => @photo.url(:thumb_small)}
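Review bot: In `legacy_create`, `permit(:pending, :set_profile_photo, aspect_ids: [])` keeps `aspect_ids` only when it is an array of scalars, so the `== "all"` and `is_a?(Hash)` branches below it can no longer match. A request that sends `aspect_ids=all` or the hash form ends up with no aspect ids at all. Those ids feed `aspects_from_ids` and `dispatch_post`, so they decide who the photo is shared with; the normalisation should test the raw value and write the result into `photo_params`, as sketched below. The hash form's values bypass the scalar filter, so confirm the downstream lookups tolerate or reject non-scalar entries. The method body continues past the end of the hunk.

```ruby
    photo_params = params.require(:photo).permit(:pending, :set_profile_photo, aspect_ids: [])
    # Inspect the raw value: the permit above drops a scalar "all" and the hash form.
    raw_aspect_ids = params[:photo][:aspect_ids]
    if raw_aspect_ids == "all"
      photo_params[:aspect_ids] = current_user.aspects.map(&:id)
    elsif raw_aspect_ids.respond_to?(:values)
      photo_params[:aspect_ids] = raw_aspect_ids.values
    end
    # … unchanged: file_handler, build_post and the save/dispatch branch …
```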
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index bb4d9b07050352f652925e3405f41fa2462b1df6..2ff157c49a130c7c4167ad5b8ce630e94c6aecdc 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -77,6 +77,6 @@ class ProfilesController < ApplicationController
   def profile_params
     params.require(:profile).permit(:first_name, :last_name, :gender, :bio,
                                     :location, :searchable, :tag_string, :nsfw,
-                                    :public_details, date: %i(year month day)) || {}
+                                    :public_details, date: %i[year month day]).to_h || {}
   end
 end
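Review bot: The trailing `|| {}` in `profile_params` is dead code now that the chain ends in `.to_h`, which always returns a hash; a missing `:profile` key raises from `require` before that point is reached. Dropping it so the expression ends at `date: %i[year month day]).to_h` avoids suggesting a nil fallback that cannot happen.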
diff --git a/app/controllers/status_messages_controller.rb b/app/controllers/status_messages_controller.rb
index e65e4b54a2add31ce7339207e32bfe09bf7cbc13..5033f5a667a5c7e34c97d6912786aad0d84ca78e 100644
--- a/app/controllers/status_messages_controller.rb
+++ b/app/controllers/status_messages_controller.rb
@@ -47,12 +47,7 @@ class StatusMessagesController < ApplicationController
   end
 
   def create
-    normalized_params = params.merge(
-      services:   normalize_services,
-      aspect_ids: normalize_aspect_ids,
-      public:     normalize_public_flag
-    )
-    status_message = StatusMessageCreationService.new(current_user).create(normalized_params)
+    status_message = StatusMessageCreationService.new(current_user).create(normalize_params)
     respond_to do |format|
       format.html { redirect_to :back }
       format.mobile { redirect_to stream_path }
@@ -89,8 +84,19 @@ class StatusMessagesController < ApplicationController
     request.env["HTTP_REFERER"].include?("/people/" + current_user.guid)
   end
 
-  def normalize_services
-    [*params[:services]].compact
+  def normalize_params
+    params.permit(
+      :location_address,
+      :location_coords,
+      :poll_question,
+      status_message: %i[text provider_display_name],
+      poll_answers:   []
+    ).to_h.merge(
+      services:   [*params[:services]].compact,
+      aspect_ids: normalize_aspect_ids,
+      public:     [*params[:aspect_ids]].first == "public",
+      photos:     [*params[:photos]].compact
+    )
   end
 
   def normalize_aspect_ids
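Review bot: `services` and `photos` in `normalize_params` are read from raw `params` and merged in after `permit(...).to_h`, so they skip the strong-parameters filter and reach `StatusMessageCreationService#create` in whatever shape the client sent, nested hashes included. If the service expects only names and ids (it is not visible here), restrict both to scalars at this boundary, e.g. `services: [*params[:services]].grep(String)` and `photos: [*params[:photos]].grep(String)`, widening the class if JSON clients send integer ids. A one-line comment above `normalize_params` saying that these keys are normalised by hand because they may arrive as a scalar or an array would also help the next reader.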
@@ -102,10 +108,6 @@ class StatusMessagesController < ApplicationController
     end
   end
 
-  def normalize_public_flag
-    [*params[:aspect_ids]].first == "public"
-  end
-
   def remove_getting_started
     current_user.disable_getting_started
   end