Prevent mass assignment with strong_parameters instead of attr_accessible

2012-11-15 09:34:19 -08:00 · 2012-11-15 09:34:19 -08:00 · 7004916347
parent fe88a0fafb
commit 7004916347
10 changed files with 40 additions and 8 deletions
--- a/1
+++ b/1
@ -10,6 +10,7 @@ gem 'haml', '~> 3.2.0.alpha'
 gem 'http_accept_language'
 gem 'pg'
 gem 'rails_admin'
+gem 'strong_parameters'
 gem 'validates_formatting_of'

 platforms :ruby_18 do
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -142,6 +142,10 @@ GEM
      rack (~> 1.0)
      tilt (~> 1.1, != 1.3.0)
    sqlite3 (1.3.6)
+    strong_parameters (0.1.5)
+      actionpack (~> 3.1)
+      activemodel (~> 3.1)
+      railties (~> 3.1)
    thor (0.16.0)
    tilt (1.3.3)
    treetop (1.4.12)
@ -176,6 +180,7 @@ DEPENDENCIES
  sass-rails
  simplecov
  sqlite3
+  strong_parameters
  uglifier
  validates_formatting_of
  webmock
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@ -18,4 +18,10 @@ class PasswordsController < Devise::PasswordsController
    self.resource = resource_class.reset_password_by_token(resource_params)
    redirect_to(controller: "main", action: "index")
  end
+
+private
+
+  def resource_params
+    params.require(:user).permit(:email, :password, :password_confirmation, :reset_password_token)
+  end
 end
--- a/app/controllers/reminders_controller.rb
+++ b/app/controllers/reminders_controller.rb
@ -2,7 +2,7 @@ class RemindersController < ApplicationController
  respond_to :json

  def create
-    @reminder = Reminder.new(params[:reminder])
+    @reminder = Reminder.new(reminder_params)
    @reminder.from_user = current_user
    if @reminder.save
      ThingMailer.reminder(@reminder.thing).deliver
@ -12,4 +12,10 @@ class RemindersController < ApplicationController
      render(json: {errors: @reminder.errors}, status: 500)
    end
  end
+
+private
+
+  def reminder_params
+    params.require(:reminder).permit(:thing_id, :to_user_id)
+  end
 end
--- a/app/controllers/things_controller.rb
+++ b/app/controllers/things_controller.rb
@ -12,10 +12,16 @@ class ThingsController < ApplicationController

  def update
    @thing = Thing.find(params[:id])
-    if @thing.update_attributes(params[:thing])
+    if @thing.update_attributes(thing_params)
      respond_with @thing
    else
      render(json: {errors: @thing.errors}, status: 500)
    end
  end
+
+  private
+
+  def thing_params
+    params.require(:thing).permit(:name, :user_id)
+  end
 end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -24,4 +24,14 @@ class UsersController < Devise::RegistrationsController
      render(json: {errors: resource.errors}, status: 500)
    end
  end
+
+private
+
+  def resource_params
+    params.require(:user).permit(:address_1, :address_2, :city,
+                                 :current_password, :email, :name,
+                                 :organization, :password,
+                                 :password_confirmation, :remember_me,
+                                 :sms_number, :state, :voice_number, :zip)
+  end
 end
--- a/app/models/reminder.rb
+++ b/app/models/reminder.rb
@ -1,5 +1,5 @@
 class Reminder < ActiveRecord::Base
-  attr_accessible :thing_id, :to_user_id
+  include ActiveModel::ForbiddenAttributesProtection
  validates_presence_of :from_user, :to_user, :thing
  belongs_to :from_user, class_name: "User"
  belongs_to :to_user, class_name: "User"
--- a/app/models/thing.rb
+++ b/app/models/thing.rb
@ -1,6 +1,6 @@
 class Thing < ActiveRecord::Base
+  include ActiveModel::ForbiddenAttributesProtection
  include Geokit::Geocoders
-  attr_accessible :name, :user_id
  validates_uniqueness_of :city_id, allow_nil: true
  validates_presence_of :lat, :lng
  belongs_to :user
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -1,12 +1,10 @@
 class User < ActiveRecord::Base
+  include ActiveModel::ForbiddenAttributesProtection
  # Include default devise modules. Others available are:
  # :token_authenticatable, :confirmable,
  # :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable, :recoverable, :rememberable,
    :trackable, :validatable
-  attr_accessible :address_1, :address_2, :city, :email, :name, :organization,
-    :password, :password_confirmation, :remember_me, :sms_number, :state,
-    :voice_number, :zip
  validates_formatting_of :email, using: :email
  validates_formatting_of :sms_number, using: :us_phone, allow_blank: true
  validates_formatting_of :voice_number, using: :us_phone, allow_blank: true
--- a/config/application.rb
+++ b/config/application.rb
@ -51,7 +51,7 @@ module AdoptAThing
    # This will create an empty whitelist of attributes available for mass-assignment for all models
    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
    # parameters by using an attr_accessible or attr_protected declaration.
-    config.active_record.whitelist_attributes = true
+    # config.active_record.whitelist_attributes = true

    # Enable the asset pipeline
    config.assets.enabled = true