AO3-4894 Implement strong params for Comment (#2790)

* A03-4828 Implements strong params for ExternalWork

* A03-4828 Adds strong params to BookmarksController as it hits the ExternalWork model that is now protected by ForbiddenAttributesProtection

* A03-4828 Adds polymorphic bookmark params

* A03-4828 Adds category_string to ExternalWork work_params

* A03-4828 Updates external_work work_params to permit category_string as an array

* AO3-4894 Implements strong parameters on Comment

* AO3-4894 Cleans branch by removing changes polluted from external works

* AO3-4894 Fixes issue with edited_at not getting merged in with strong params

* AO3-4894 Removes unreviewed param

app/controllers/comments_controller.rb

@@ -23,7 +23,7 @@ class CommentsController < ApplicationController
 
   def check_pseud_ownership
     if params[:comment][:pseud_id]
-      pseud = Pseud.find(params[:comment][:pseud_id])
+      pseud = Pseud.find(comment_params[:pseud_id])
       unless pseud && current_user && current_user.pseuds.include?(pseud)
         flash[:error] = ts("You can't comment with that pseud.")
         redirect_to root_path and return
@@ -63,7 +63,7 @@ def check_anonymous_comment_preference
       redirect_to work_path(parent)
     end
   end
-  
+
   def check_unreviewed
     if @commentable && @commentable.respond_to?(:unreviewed?) && @commentable.unreviewed?
       flash[:error] = ts("Sorry, you cannot reply to an unapproved comment.")
@@ -74,7 +74,7 @@ def check_unreviewed
       end
     end
   end
-  
+
   def check_permission_to_review
     parent = find_parent
     unless logged_in_as_admin? || current_user_owns?(parent)
@@ -111,7 +111,7 @@ def check_tag_wrangler_access
   def check_permission_to_delete
     access_denied(:redirect => @comment) unless logged_in_as_admin? || current_user_owns?(@comment) || current_user_owns?(@comment.ultimate_parent)
   end
-  
+
   # Comments cannot be edited after they've been replied to
   def check_permission_to_edit
     unless @comment && @comment.count_all_comments == 0
@@ -187,7 +187,7 @@ def new
     else
       @comment = Comment.new
       @controller_name = params[:controller_name] if params[:controller_name]
-      @name = 
+      @name =
         case @commentable.class.name
           when /Work/
             @commentable.title
@@ -220,7 +220,7 @@ def create
       flash[:error] = ts("What did you want to comment on?")
       redirect_back_or_default(root_path)
     else
-      @comment = Comment.new(params[:comment])
+      @comment = Comment.new(comment_params)
       @comment.ip_address = request.remote_ip
       @comment.user_agent = request.env['HTTP_USER_AGENT']
       @comment.commentable = Comment.commentable_object(@commentable)
@@ -274,12 +274,12 @@ def create
   # PUT /comments/1
   # PUT /comments/1.xml
   def update
-    params[:comment][:edited_at] = Time.current
-    if @comment.update_attributes(params[:comment])
+    updated_comment_params = comment_params.merge(edited_at: Time.current)
+    if @comment.update_attributes(updated_comment_params)
       flash[:comment_notice] = ts('Comment was successfully updated.')
       respond_to do |format|
-        format.html do 
-          redirect_to comment_path(@comment) and return if @comment.unreviewed? 
+        format.html do
+          redirect_to comment_path(@comment) and return if @comment.unreviewed?
           redirect_to_comment(@comment)
         end
         format.js # updating the comment in place
@@ -312,7 +312,7 @@ def destroy
       redirect_to_all_comments(parent, {:show_comments => true})
     end
   end
-  
+
   def review
     @comment = Comment.find(params[:id])
     if @comment && current_user_owns?(@comment.ultimate_parent) && @comment.unreviewed?
@@ -334,7 +334,7 @@ def review
       end
     end
   end
-  
+
   def review_all
     unless @commentable && current_user_owns?(@commentable)
       flash[:error] = ts("What did you want to review comments on?")
@@ -534,4 +534,12 @@ def redirect_to_all_comments(commentable, options = {})
                   :page => options[:page]
     end
   end
+
+  private
+
+  def comment_params
+    params.require(:comment).permit(
+      :pseud_id, :content, :name, :email, :edited_at
+    )
+  end
 end

app/models/comment.rb

@@ -1,5 +1,5 @@
 class Comment < ActiveRecord::Base
-
+  include ActiveModel::ForbiddenAttributesProtection
   include HtmlCleaner
 
   attr_protected :content_sanitizer_version, :unreviewed
@@ -23,7 +23,7 @@ class Comment < ActiveRecord::Base
   def check_for_spam
     errors.add(:base, ts("This comment looks like spam to our system, sorry! Please try again, or create an account to comment.")) unless check_for_spam?
   end
-  
+
   validates :content, :uniqueness => {:scope => [:commentable_id, :commentable_type, :name, :email, :pseud_id], :message => ts("^This comment has already been left on this work. (It may not appear right away for performance reasons.)")}
 
   scope :recent, lambda { |*args| {:conditions => ["created_at > ?", (args.first || 1.week.ago.to_date)]} }
@@ -71,17 +71,17 @@ def set_thread_for_replies
   def set_parent_and_unreviewed
     self.parent = self.reply_comment? ? self.commentable.parent : self.commentable
     # we only mark comments as unreviewed if moderated commenting is enabled on their parent
-    self.unreviewed = self.parent.respond_to?(:moderated_commenting_enabled?) && 
-                      self.parent.moderated_commenting_enabled? && 
+    self.unreviewed = self.parent.respond_to?(:moderated_commenting_enabled?) &&
+                      self.parent.moderated_commenting_enabled? &&
                       !User.current_user.try(:is_author_of?, self.ultimate_parent)
     return true # because if reviewed is the return value, when it's false the record won't save!
   end
-  
+
   # is this a comment by the creator of the ultimate parent
   def is_creator_comment?
     pseud && pseud.user && pseud.user.try(:is_author_of?, ultimate_parent)
   end
-  
+
   def moderated_commenting_enabled?
     parent.respond_to?(:moderated_commenting_enabled?) && parent.moderated_commenting_enabled?
   end