Enabled strong_parameters across all models/controllers.

All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2025-02-25 18:55:32 -06:00 · 2013-06-06 00:14:32 -07:00
parent a3d62fdf69
commit 0d01c33482
34 changed files with 67 additions and 83 deletions
--- a/app/models/admin_log.rb
+++ b/app/models/admin_log.rb
@@ -2,8 +2,6 @@
 # like deleting users, changing site settings, etc.
 # Use the AdminLogger class to log records to this table.
 class AdminLog < ActiveRecord::Base
-  attr_accessible :action, :admin_id, :target_user_id, :details
-
  belongs_to :admin,        class_name: 'User'
  belongs_to :target_user,  class_name: 'User' # can be nil

--- a/app/models/cas_user_info.rb
+++ b/app/models/cas_user_info.rb
@@ -1,5 +1,3 @@
 class CasUserInfo < ActiveRecord::Base
-  attr_accessible :email, :cas_user_id, :first_name, :gender, :last_name, :name, :user_id, :username, :link
  belongs_to :user
-
 end
--- a/app/models/category.rb
+++ b/app/models/category.rb
@@ -1,6 +1,4 @@
 class Category < ActiveRecord::Base
-  include ActiveModel::ForbiddenAttributesProtection
-
  belongs_to :topic, dependent: :destroy
  belongs_to :topic_only_relative_url,
    select: "id, title, slug",
--- a/app/models/facebook_user_info.rb
+++ b/app/models/facebook_user_info.rb
@@ -1,5 +1,4 @@
 class FacebookUserInfo < ActiveRecord::Base
-  attr_accessible :email, :facebook_user_id, :first_name, :gender, :last_name, :name, :user_id, :username, :link
  belongs_to :user
 end

--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@@ -1,7 +1,6 @@
 require_dependency 'trashable'

 class Invite < ActiveRecord::Base
-  include ActiveModel::ForbiddenAttributesProtection
  include Trashable

  belongs_to :user
--- a/app/models/post_action.rb
+++ b/app/models/post_action.rb
@@ -5,12 +5,9 @@ require_dependency 'trashable'
 class PostAction < ActiveRecord::Base
  class AlreadyActed < StandardError; end

-  include ActiveModel::ForbiddenAttributesProtection
  include RateLimiter::OnCreateRecord
  include Trashable

-  attr_accessible :post_action_type_id, :post_id, :user_id, :post, :user, :post_action_type, :message, :related_post_id, :staff_took_action
-
  belongs_to :post
  belongs_to :user
  belongs_to :post_action_type
--- a/app/models/post_action_type.rb
+++ b/app/models/post_action_type.rb
@@ -1,8 +1,6 @@
 require_dependency 'enum'

 class PostActionType < ActiveRecord::Base
-  attr_accessible :id, :is_flag, :name_key, :icon
-
  class << self
    def ordered
      order('position asc').all
--- a/app/models/site_setting.rb
+++ b/app/models/site_setting.rb
@@ -6,8 +6,6 @@ class SiteSetting < ActiveRecord::Base
  validates_presence_of :name
  validates_presence_of :data_type

-  attr_accessible :description, :name, :value, :data_type
-
  # settings available in javascript under Discourse.SiteSettings
  client_setting(:title, "Discourse")
  client_setting(:logo_url, '/assets/d-logo-sketch.png')
--- a/app/models/topic_allowed_group.rb
+++ b/app/models/topic_allowed_group.rb
@@ -1,7 +1,6 @@
 class TopicAllowedGroup < ActiveRecord::Base
  belongs_to :topic
  belongs_to :group
-  attr_accessible :group_id, :user_id

  validates_uniqueness_of :topic_id, scope: :group_id
 end
--- a/app/models/topic_allowed_user.rb
+++ b/app/models/topic_allowed_user.rb
@@ -1,7 +1,6 @@
 class TopicAllowedUser < ActiveRecord::Base
  belongs_to :topic
  belongs_to :user
-  attr_accessible :topic_id, :user_id

  validates_uniqueness_of :topic_id, scope: :user_id
 end
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -5,8 +5,6 @@ require 's3'
 require 'local_store'

 class Upload < ActiveRecord::Base
-  include ActiveModel::ForbiddenAttributesProtection
-
  belongs_to :user
  belongs_to :topic

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -7,8 +7,6 @@ require_dependency 'discourse'
 require_dependency 'post_destroyer'

 class User < ActiveRecord::Base
-  attr_accessible :name, :username, :password, :email, :bio_raw, :website
-
  has_many :posts
  has_many :notifications
  has_many :topic_users
--- a/app/models/user_action.rb
+++ b/app/models/user_action.rb
@@ -2,7 +2,6 @@ class UserAction < ActiveRecord::Base
  belongs_to :user
  belongs_to :target_post, class_name: "Post"
  belongs_to :target_topic, class_name: "Topic"
-  attr_accessible :acting_user_id, :action_type, :target_topic_id, :target_post_id, :target_user_id, :user_id

  validates_presence_of :action_type
  validates_presence_of :user_id
--- a/app/models/user_open_id.rb
+++ b/app/models/user_open_id.rb
@@ -1,6 +1,5 @@
 class UserOpenId < ActiveRecord::Base
  belongs_to :user
-  attr_accessible :email, :url, :user_id, :active

  validates_presence_of :email
  validates_presence_of :url
--- a/app/models/user_visit.rb
+++ b/app/models/user_visit.rb
@@ -1,5 +1,4 @@
 class UserVisit < ActiveRecord::Base
-  attr_accessible :visited_at, :user_id

  # A list of visits in the last month by day
  def self.by_day(sinceDaysAgo=30)