AO3-4799 Strong parameters for favorite tags (#2685)

* Testing favorite tag with protection * Add strong params to favorite tag
otwcode · Jan 4, 2017 · 5e5b4be · 5e5b4be
1 parent 61436f2
commit 5e5b4be
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/app/controllers/favorite_tags_controller.rb b/app/controllers/favorite_tags_controller.rb
@@ -8,7 +8,7 @@ class FavoriteTagsController < ApplicationController
 
   # POST /favorites_tags
   def create
-    @favorite_tag = current_user.favorite_tags.build(params[:favorite_tag])
+    @favorite_tag = current_user.favorite_tags.build(favorite_tag_params)
     success_message = ts("You have successfully added %{tag_name} to your favorite tags. You can find them on the <a href='#{root_path}'>Archive homepage</a>.", tag_name: @favorite_tag.tag_name)
     if @favorite_tag.save
       respond_to do |format|
@@ -43,4 +43,10 @@ def load_user
     @user = User.find_by_login(params[:user_id])
     @check_ownership_of = @user
   end
+
+  def favorite_tag_params
+    params.require(:favorite_tag).permit(
+      :tag_id
+    )
+  end
 end
diff --git a/app/models/favorite_tag.rb b/app/models/favorite_tag.rb
@@ -1,4 +1,6 @@
 class FavoriteTag < ActiveRecord::Base
+  include ActiveModel::ForbiddenAttributesProtection
+
   belongs_to :user
   belongs_to :tag