Merge branch 'strong-params' of https://github.com/jfnixon/railsgoat into jfnixon-strong-params

.gitignore

@@ -10,3 +10,4 @@
 coverage
 .tags
 /.vagrant
+/vendor/ruby

Gemfile

@@ -56,6 +56,9 @@ end
 
 gem 'jquery-rails'
 
+## strong parameters in Rails 3 (see rails gem above)
+gem 'strong_parameters'
+
 # To use ActiveModel has_secure_password
  gem 'bcrypt'
 

Gemfile.lock

@@ -267,6 +267,11 @@ GEM
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.10)
+    strong_parameters (0.2.3)
+      actionpack (~> 3.0)
+      activemodel (~> 3.0)
+      activesupport (~> 3.0)
+      railties (~> 3.0)
     temple (0.6.10)
     terminal-table (1.4.5)
     therubyracer (0.12.1)
@@ -335,6 +340,7 @@ DEPENDENCIES
   sass-rails
   simplecov
   sqlite3
+  strong_parameters
   therubyracer
   travis-lint
   uglifier

app/controllers/messages_controller.rb

@@ -33,4 +33,10 @@ class MessagesController < ApplicationController
       end
     end
   end
-end
+
+  private
+
+  def message_params
+    params.require(:message).permit(:creator_id, :message, :read, :receiver_id)
+  end
+end

app/controllers/schedule_controller.rb

@@ -4,7 +4,7 @@ class ScheduleController < ApplicationController
     message = false
 
       if params[:schedule][:event_type] == "pto"
-        sched = Schedule.new(params[:schedule])
+        sched = Schedule.new(schedule_params)
         sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1])
         sched.user_id = current_user.user_id
         a = sched.date_end
@@ -56,4 +56,10 @@ class ScheduleController < ApplicationController
    end
      return vals
   end
+
+  private
+
+  def schedule_params
+    params.require(:schedule).permit(:date_begin, :date_end, :event_desc, :event_name, :event_type)
+  end
 end

app/controllers/users_controller.rb

@@ -7,7 +7,7 @@ class UsersController < ApplicationController
   end
 
   def create
-    user = User.new(params[:user])
+    user = User.new(user_params)
     user.build_benefits_data
     if user.save
       session[:user_id] = user.user_id
@@ -35,7 +35,7 @@ class UsersController < ApplicationController
     if user
       user.skip_user_id_assign = true
       user.skip_hash_password = true
-      user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
+      user.update_attributes(user_params_without_password)
       if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
         user.skip_hash_password = false
         user.password = params[:user][:password]
@@ -50,4 +50,15 @@ class UsersController < ApplicationController
       redirect_to user_account_settings_path(:user_id => current_user.user_id)
     end
   end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation)
+  end
+
+  # unpermitted attributes are ignored in production
+  def user_params_without_password
+    params.require(:user).permit(:email, :admin, :first_name, :last_name)
+  end
 end

app/models/analytics.rb

@@ -1,6 +1,4 @@
 class Analytics < ActiveRecord::Base
-  attr_accessible :ip_address, :referrer, :user_agent
-
   scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}
 
   def self.count_by_col(col)

app/models/benefits.rb

@@ -1,5 +1,4 @@
 class Benefits < ActiveRecord::Base
-  attr_accessor :backup
 
   def self.save(file, backup=false)
     data_path = Rails.root.join("public", "data")

app/models/key_management.rb

@@ -1,5 +1,4 @@
 class KeyManagement < ActiveRecord::Base
-  attr_accessible :iv, :user_id
   belongs_to :work_info
   belongs_to :user
 end

app/models/message.rb

@@ -1,6 +1,5 @@
 class Message < ActiveRecord::Base
   belongs_to :user
-  attr_accessible :creator_id, :message, :read, :receiver_id
   validates_presence_of :creator_id, :receiver_id, :message
 
   def creator_name

app/models/paid_time_off.rb

@@ -1,5 +1,4 @@
 class PaidTimeOff < ActiveRecord::Base
-  attr_accessible :pto_earned, :pto_taken, :sick_days_earned, :sick_days_taken
   belongs_to :user
   has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
 

app/models/pay.rb

@@ -1,7 +1,4 @@
 class Pay < ActiveRecord::Base
-  # mass-assignable attributes
-  attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit
-
   # Associations
   belongs_to :user
 

app/models/performance.rb

@@ -1,5 +1,4 @@
 class Performance < ActiveRecord::Base
-  attr_accessible :comments, :date_submitted, :reviewer, :score
   belongs_to :user
 
   def reviewer_name

app/models/retirement.rb

@@ -1,4 +1,3 @@
 class Retirement < ActiveRecord::Base
-  attr_accessible :employee_contrib, :employer_contrib, :total
   belongs_to :user
 end

app/models/schedule.rb

@@ -1,5 +1,4 @@
 class Schedule < ActiveRecord::Base
-  attr_accessible :date_begin, :date_end, :event_desc, :event_name, :event_type
   belongs_to :paid_time_off
 
   validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type

app/models/user.rb

@@ -1,7 +1,6 @@
 require 'encryption'
 
 class User < ActiveRecord::Base
-  attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
   validates :password, :presence => true,
                        :confirmation => true,
                        :length => {:within => 6..40},

app/models/work_info.rb

@@ -1,5 +1,4 @@
 class WorkInfo < ActiveRecord::Base
-  attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
   belongs_to :user
   has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
   #before_save :encrypt_ssn

config/initializers/strong_parameters.rb

@@ -0,0 +1 @@
+ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20140804171756) do
+ActiveRecord::Schema.define(:version => 20140408185601) do
 
   create_table "analytics", :force => true do |t|
     t.string   "ip_address"