Prevent mass assignment with strong_parameters instead of attr_accessible
commit 70049163471eb7d04a035bdbc1689f75f4729826 1 parent fe88a0f
@sferik sferik authored
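--- a/Gemfile
+++ b/Gemfile
@@ -10,6 +10,7 @@ gem 'haml', '~> 3.2.0.alpha'
 gem 'http_accept_language'
 gem 'pg'
 gem 'rails_admin'
+gem 'strong_parameters'
 gem 'validates_formatting_of'
 platforms :ruby_18 do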
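--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -142,6 +142,10 @@ GEM
 rack (~> 1.0)
 tilt (~> 1.1, != 1.3.0)
 sqlite3 (1.3.6)
+ strong_parameters (0.1.5)
+ actionpack (~> 3.1)
+ activemodel (~> 3.1)
+ railties (~> 3.1)
 thor (0.16.0)
 tilt (1.3.3)
 treetop (1.4.12)
@@ -176,6 +180,7 @@ DEPENDENCIES
 sass-rails
 simplecov
 sqlite3
+ strong_parameters
 uglifier
 validates_formatting_of
 webmock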
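--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -18,4 +18,10 @@ def update
 self.resource = resource_class.reset_password_by_token(resource_params)
 redirect_to(controller: "main", action: "index")
 end
+
+private
+
+ def resource_params
+ params.require(:user).permit(:email, :password, :password_confirmation, :reset_password_token)
+ end
 end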
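Review bot: The new `resource_params` presumably replaces the same-named helper that Devise's PasswordsController inherits, so this permit list governs every action in the controller, not only the `update` whose body begins above the hunk. Nothing in the file says so, and `:email` looks redundant next to `reset_password_by_token` until one realises the inherited send-instructions step most likely reads it too. A one-line comment above the method would stop a future "tightening" from breaking that step: `# Overrides Devise's resource_params for the whole controller: :email feeds the instructions step, the token and password fields feed update`. Confirm the split against the Devise version pinned in Gemfile.lock before relying on it.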
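--- a/app/controllers/reminders_controller.rb
+++ b/app/controllers/reminders_controller.rb
@@ -2,7 +2,7 @@ class RemindersController < ApplicationController
 respond_to :json
 def create
-@reminder = Reminder.new(params[:reminder])
+@reminder = Reminder.new(reminder_params)
 @reminder.from_user = current_user
 if @reminder.save
 ThingMailer.reminder(@reminder.thing).deliver
@@ -12,4 +12,10 @@ def create
 render(json: {errors: @reminder.errors}, status: 500)
 end
 end
+
+private
+
+ def reminder_params
+ params.require(:reminder).permit(:thing_id, :to_user_id)
+ end
 end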
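Review bot: `params.require(:reminder)` in the new `reminder_params` raises `ActionController::ParameterMissing` when a request body lacks the `reminder` key, which strong_parameters maps to a bare 400 response rather than the `render(json: {errors: ...})` shape this `respond_to :json` controller otherwise returns. The same applies to `thing_params` in things_controller.rb and `resource_params` in users_controller.rb, both of which also render JSON error bodies on failure. A single handler in ApplicationController keeps the API's error shape consistent: `rescue_from ActionController::ParameterMissing { |e| render(json: {errors: e.message}, status: 400) }`. The `create` action is split across the section's two hunks, so the save branch between them is not visible here.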
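--- a/app/controllers/things_controller.rb
+++ b/app/controllers/things_controller.rb
@@ -12,10 +12,16 @@ def show
 def update
 @thing = Thing.find(params[:id])
-if @thing.update_attributes(params[:thing])
+if @thing.update_attributes(thing_params)
 respond_with @thing
 else
 render(json: {errors: @thing.errors}, status: 500)
 end
 end
+
+ private
+
+ def thing_params
+ params.require(:thing).permit(:name, :user_id)
+ end
 end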
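Review bot: `thing_params` permits `:user_id` on `update`, and `Thing.find(params[:id])` is not scoped to the requester, so unless a filter outside this hunk authorises the call, any client that can reach `update` can also reassign a thing to a different user. This is carried over from the removed `attr_accessible :name, :user_id` in thing.rb rather than introduced by the commit, but the permit list is the natural place to close it. The pattern already used in reminders_controller.rb — the owner set server-side from `current_user` — fits here: `params.require(:thing).permit(:name)` together with `@thing = current_user.things.find(params[:id])`, assuming the inverse of `belongs_to :user` exists on User.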
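--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -24,4 +24,14 @@ def create
 render(json: {errors: resource.errors}, status: 500)
 end
 end
+
+private
+
+ def resource_params
+ params.require(:user).permit(:address_1, :address_2, :city,
+ :current_password, :email, :name,
+ :organization, :password,
+ :password_confirmation, :remember_me,
+ :sms_number, :state, :voice_number, :zip)
+ end
 end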
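Review bot: The new `private` here, and in passwords_controller.rb and reminders_controller.rb, sits at column 0 while things_controller.rb indents it to the method level (`+ private`). The rendered view may have collapsed whitespace, but the difference between the four files points to a real inconsistency, and RuboCop's default (`Layout/AccessModifierIndentation: indent`) expects the indented form with the methods below it at the same level. Settling on one style across the four controllers in this commit is cheaper than doing it later.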
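--- a/app/models/reminder.rb
+++ b/app/models/reminder.rb
@@ -1,5 +1,5 @@
 class Reminder < ActiveRecord::Base
-attr_accessible :thing_id, :to_user_id
+include ActiveModel::ForbiddenAttributesProtection
 validates_presence_of :from_user, :to_user, :thing
 belongs_to :from_user, class_name: "User"
 belongs_to :to_user, class_name: "User"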
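Review bot: `include ActiveModel::ForbiddenAttributesProtection` only rejects an attributes hash that responds to `permitted?` and answers false — an `ActionController::Parameters` never passed through `permit`; a plain Hash (console, rake tasks, or a gem that builds its own hash) is assigned without any check now that `attr_accessible` is gone and `config.active_record.whitelist_attributes` is commented out in config/application.rb. The same holds for thing.rb and user.rb, and any model that does not include the module now has no mass-assignment protection at all. Including it once in an initializer, `ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)`, covers every model without relying on each file remembering to; rails_admin (Gemfile) is worth exercising after this change since it performs its own mass assignment. The class body continues past the hunk.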
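--- a/app/models/thing.rb
+++ b/app/models/thing.rb
@@ -1,6 +1,6 @@
 class Thing < ActiveRecord::Base
+include ActiveModel::ForbiddenAttributesProtection
 include Geokit::Geocoders
-attr_accessible :name, :user_id
 validates_uniqueness_of :city_id, allow_nil: true
 validates_presence_of :lat, :lng
 belongs_to :user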
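--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,12 +1,10 @@
 class User < ActiveRecord::Base
+include ActiveModel::ForbiddenAttributesProtection
 # Include default devise modules. Others available are:
 # :token_authenticatable, :confirmable,
 # :lockable, :timeoutable and :omniauthable
 devise :database_authenticatable, :registerable, :recoverable, :rememberable,
 :trackable, :validatable
-attr_accessible :address_1, :address_2, :city, :email, :name, :organization,
-:password, :password_confirmation, :remember_me, :sms_number, :state,
-:voice_number, :zip
 validates_formatting_of :email, using: :email
 validates_formatting_of :sms_number, using: :us_phone, allow_blank: true
 validates_formatting_of :voice_number, using: :us_phone, allow_blank: true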
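--- a/config/application.rb
+++ b/config/application.rb
@@ -51,7 +51,7 @@ class Application < Rails::Application
 # This will create an empty whitelist of attributes available for mass-assignment for all models
 # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
 # parameters by using an attr_accessible or attr_protected declaration.
-config.active_record.whitelist_attributes = true
+# config.active_record.whitelist_attributes = true
 # Enable the asset pipeline
 config.assets.enabled = true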
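Review bot: The three-line comment above the now-commented `config.active_record.whitelist_attributes = true` still describes the attr_accessible/attr_protected whitelist the commit removes, so it now documents the opposite of what the file does. Replace it with one that records the new mechanism, e.g. `# Mass-assignment filtering is done per request with strong_parameters (permit lists in the controllers) plus ActiveModel::ForbiddenAttributesProtection in the models; the global attr_accessible whitelist is deliberately off.` Deleting the dead line instead of commenting it out would also remove the temptation to re-enable it later alongside the new protection, where both filters would then have to be satisfied.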