Use strong params on generated settings_controller

refinery · May 25, 2015 · 3e20028 · 3e20028
1 parent 5213243
commit 3e20028
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/...finery/form/templates/app/controllers/refinery/namespace/admin/settings_controller.rb.erb b/...finery/form/templates/app/controllers/refinery/namespace/admin/settings_controller.rb.erb
@@ -13,7 +13,7 @@ module Refinery
         def update
           @setting = Refinery::Setting.find(params[:id])
 
-          if @setting.update_attributes(params[:setting])
+          if @setting.update_attributes(setting_params)
             flash[:notice] = t('refinery.crudify.updated', :what => @setting.name.gsub("<%= singular_name %>_", "").titleize)
 
             if request.xhr? or from_dialog?
@@ -25,6 +25,11 @@ module Refinery
         end
 
       protected
+
+        def setting_params
+          params.require(:setting).permit(:value)
+        end
+
         def check_setting
           setting = params[:id].gsub("<%= singular_name %>_", "")