enforce strong params for AdminBlacklistedEmail (#2719)

otwcode · Jan 29, 2017 · 6507472 · 6507472
1 parent 2e2f0e0
commit 6507472
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/app/controllers/admin/blacklisted_emails_controller.rb b/app/controllers/admin/blacklisted_emails_controller.rb
@@ -3,7 +3,7 @@ class Admin::BlacklistedEmailsController < ApplicationController
   before_filter :admin_only
 
   def index
-    @admin_blacklisted_email = AdminBlacklistedEmail.new 
+    @admin_blacklisted_email = AdminBlacklistedEmail.new
     if params[:query]
       @admin_blacklisted_emails = AdminBlacklistedEmail.where(["email LIKE ?", '%' + params[:query] + '%'])
       @admin_blacklisted_emails = @admin_blacklisted_emails.paginate(page: params[:page], per_page: ArchiveConfig.ITEMS_PER_PAGE)
@@ -15,7 +15,7 @@ def new
   end
 
   def create
-    @admin_blacklisted_email = AdminBlacklistedEmail.new(params[:admin_blacklisted_email])
+    @admin_blacklisted_email = AdminBlacklistedEmail.new(admin_blacklisted_email_params)
 
     if @admin_blacklisted_email.save
       flash[:notice] = ts("Email address #{@admin_blacklisted_email.email} added to blacklist.")
@@ -28,8 +28,16 @@ def create
   def destroy
     @admin_blacklisted_email = AdminBlacklistedEmail.find(params[:id])
     @admin_blacklisted_email.destroy
-    
+
     flash[:notice] = ts("Email address #{@admin_blacklisted_email.email} removed from blacklist.")
     redirect_to admin_blacklisted_emails_url
   end
+
+  private
+
+  def admin_blacklisted_email_params
+    params.require(:admin_blacklisted_email).permit(
+      :email
+    )
+  end
 end
diff --git a/app/models/admin_blacklisted_email.rb b/app/models/admin_blacklisted_email.rb
@@ -1,14 +1,16 @@
 class AdminBlacklistedEmail < ActiveRecord::Base
+  include ActiveModel::ForbiddenAttributesProtection
+
   attr_accessible :email
 
   before_validation :canonicalize_email
-  
+
   validates :email, presence: true, uniqueness: true, email_veracity: true
 
   def canonicalize_email
     self.email = AdminBlacklistedEmail.canonical_email(self.email) if self.email
   end
-  
+
   # Produces a canonical version of a given email reduced to its simplest form
   # This is what we store in the db, so that if we subsequently check a submitted email,
   #  we only need to clean the submitted email the same way and look for it.
@@ -24,13 +26,13 @@ def self.canonical_email(email_to_clean)
 
     # strip out anything after a +
     canonical_email.sub!(/(\+.*)(@.*$)/, '\2')
-    
+
     return canonical_email
   end
-    
+
   # Check if an email is
   def self.is_blacklisted?(email_to_check)
     AdminBlacklistedEmail.where(email: AdminBlacklistedEmail.canonical_email(email_to_check)).exists?
   end
-  
+
 end