On branch strong-params

Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded. I'll pull to catch up after this commit Change code to whitelist params Remove attr_accessible lines Add strong_params to Gemfile, since this branch is still on Rails 3 Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection Use an initializer for the mixin
2014-12-05 15:04:01 -05:00
parent b4a1ad46c4
commit ea8e9901f4
19 changed files with 65 additions and 179 deletions
@@ -10,3 +10,4 @@
 coverage
 .tags
 /.vagrant
+/vendor/ruby
@@ -1,7 +1,7 @@
 source 'https://rubygems.org'

 #don't upgrade
-gem 'rails', '3.2.20'
+gem 'rails', '3.2.21'

 ruby '2.1.5'

@@ -56,6 +56,9 @@ end

 gem 'jquery-rails'

+## strong parameters in Rails 3 (see rails gem above)
+gem 'strong_parameters'
+
 # To use ActiveModel has_secure_password
 gem 'bcrypt'

@@ -1,12 +1,12 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    actionmailer (3.2.20)
-      actionpack (= 3.2.20)
+    actionmailer (3.2.21)
+      actionpack (= 3.2.21)
      mail (~> 2.5.4)
-    actionpack (3.2.20)
-      activemodel (= 3.2.20)
-      activesupport (= 3.2.20)
+    actionpack (3.2.21)
+      activemodel (= 3.2.21)
+      activesupport (= 3.2.21)
      builder (~> 3.0.0)
      erubis (~> 2.7.0)
      journey (~> 1.0.4)
@@ -14,18 +14,18 @@ GEM
      rack-cache (~> 1.2)
      rack-test (~> 0.6.1)
      sprockets (~> 2.2.1)
-    activemodel (3.2.20)
-      activesupport (= 3.2.20)
+    activemodel (3.2.21)
+      activesupport (= 3.2.21)
      builder (~> 3.0.0)
-    activerecord (3.2.20)
-      activemodel (= 3.2.20)
-      activesupport (= 3.2.20)
+    activerecord (3.2.21)
+      activemodel (= 3.2.21)
+      activesupport (= 3.2.21)
      arel (~> 3.0.2)
      tzinfo (~> 0.3.29)
-    activeresource (3.2.20)
-      activemodel (= 3.2.20)
-      activesupport (= 3.2.20)
-    activesupport (3.2.20)
+    activeresource (3.2.21)
+      activemodel (= 3.2.21)
+      activesupport (= 3.2.21)
+    activesupport (3.2.21)
      i18n (~> 0.6, >= 0.6.4)
      multi_json (~> 1.0)
    addressable (2.3.6)
@@ -193,17 +193,17 @@ GEM
      rack
    rack-test (0.6.2)
      rack (>= 1.0)
-    rails (3.2.20)
-      actionmailer (= 3.2.20)
-      actionpack (= 3.2.20)
-      activerecord (= 3.2.20)
-      activeresource (= 3.2.20)
-      activesupport (= 3.2.20)
+    rails (3.2.21)
+      actionmailer (= 3.2.21)
+      actionpack (= 3.2.21)
+      activerecord (= 3.2.21)
+      activeresource (= 3.2.21)
+      activesupport (= 3.2.21)
      bundler (~> 1.0)
-      railties (= 3.2.20)
-    railties (3.2.20)
-      actionpack (= 3.2.20)
-      activesupport (= 3.2.20)
+      railties (= 3.2.21)
+    railties (3.2.21)
+      actionpack (= 3.2.21)
+      activesupport (= 3.2.21)
      rack-ssl (~> 1.3.2)
      rake (>= 0.8.7)
      rdoc (~> 3.4)
@@ -265,6 +265,11 @@ GEM
      rack (~> 1.0)
      tilt (~> 1.1, != 1.3.0)
    sqlite3 (1.3.10)
+    strong_parameters (0.2.3)
+      actionpack (~> 3.0)
+      activemodel (~> 3.0)
+      activesupport (~> 3.0)
+      railties (~> 3.0)
    temple (0.6.10)
    terminal-table (1.4.5)
    therubyracer (0.12.1)
@@ -282,140 +287,6 @@ GEM
      json
    treetop (1.4.15)
      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
-      polyglot (>= 0.3.1)
      polyglot (>= 0.3.1)
    trollop (2.0)
    tzinfo (0.3.42)
@@ -459,12 +330,13 @@ DEPENDENCIES
  powder
  pry
  rack-livereload
-  rails (= 3.2.20)
+  rails (= 3.2.21)
  rb-fsevent
  rspec-rails (= 2.14.2)
  sass-rails
  simplecov
  sqlite3
+  strong_parameters
  therubyracer
  travis-lint
  uglifier
@@ -33,4 +33,10 @@ class MessagesController < ApplicationController
      end
    end
  end
-end
+
+  private
+
+  def message_params
+    params.require(:message).permit(:creator_id, :message, :read, :receiver_id)
+  end
+end
@@ -4,7 +4,7 @@ class ScheduleController < ApplicationController
    message = false

      if params[:schedule][:event_type] == "pto"
-        sched = Schedule.new(params[:schedule])
+        sched = Schedule.new(schedule_params)
        sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1])
        sched.user_id = current_user.user_id
        a = sched.date_end
@@ -56,4 +56,10 @@ class ScheduleController < ApplicationController
   end
     return vals
  end
+
+  private
+
+  def schedule_params
+    params.require(:schedule).permit(:date_begin, :date_end, :event_desc, :event_name, :event_type)
+  end
 end
@@ -7,7 +7,7 @@ class UsersController < ApplicationController
  end

  def create
-    user = User.new(params[:user])
+    user = User.new(user_params)
    user.build_benefits_data
    if user.save
      session[:user_id] = user.user_id
@@ -35,7 +35,7 @@ class UsersController < ApplicationController
    if user
      user.skip_user_id_assign = true
      user.skip_hash_password = true
-      user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
+      user.update_attributes(user_params_without_password)
      if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
        user.skip_hash_password = false
        user.password = params[:user][:password]
@@ -50,4 +50,15 @@ class UsersController < ApplicationController
      redirect_to user_account_settings_path(:user_id => current_user.user_id)
    end
  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation)
+  end
+
+  # unpermitted attributes are ignored in production
+  def user_params_without_password
+    params.require(:user).permit(:email, :admin, :first_name, :last_name)
+  end
 end
@@ -1,6 +1,4 @@
 class Analytics < ActiveRecord::Base
-  attr_accessible :ip_address, :referrer, :user_agent
-
  scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}

  def self.count_by_col(col)
@@ -1,5 +1,4 @@
 class Benefits < ActiveRecord::Base
-  attr_accessor :backup

  def self.save(file, backup=false)
    data_path = Rails.root.join("public", "data")
@@ -1,5 +1,4 @@
 class KeyManagement < ActiveRecord::Base
-  attr_accessible :iv, :user_id
  belongs_to :work_info
  belongs_to :user
 end
@@ -1,6 +1,5 @@
 class Message < ActiveRecord::Base
  belongs_to :user
-  attr_accessible :creator_id, :message, :read, :receiver_id
  validates_presence_of :creator_id, :receiver_id, :message

  def creator_name
@@ -1,5 +1,4 @@
 class PaidTimeOff < ActiveRecord::Base
-  attr_accessible :pto_earned, :pto_taken, :sick_days_earned, :sick_days_taken
  belongs_to :user
  has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy

@@ -1,7 +1,4 @@
 class Pay < ActiveRecord::Base
-  # mass-assignable attributes
-  attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit
-
  # Associations
  belongs_to :user

@@ -1,5 +1,4 @@
 class Performance < ActiveRecord::Base
-  attr_accessible :comments, :date_submitted, :reviewer, :score
  belongs_to :user

  def reviewer_name
@@ -1,4 +1,3 @@
 class Retirement < ActiveRecord::Base
-  attr_accessible :employee_contrib, :employer_contrib, :total
  belongs_to :user
 end
@@ -1,5 +1,4 @@
 class Schedule < ActiveRecord::Base
-  attr_accessible :date_begin, :date_end, :event_desc, :event_name, :event_type
  belongs_to :paid_time_off

  validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type
@@ -1,7 +1,6 @@
 require 'encryption'

 class User < ActiveRecord::Base
-  attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
  validates :password, :presence => true,
                       :confirmation => true,
                       :length => {:within => 6..40},
@@ -1,5 +1,4 @@
 class WorkInfo < ActiveRecord::Base
-  attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
  belongs_to :user
  has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
  #before_save :encrypt_ssn
@@ -0,0 +1 @@
+ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.

-ActiveRecord::Schema.define(:version => 20140804171756) do
+ActiveRecord::Schema.define(:version => 20140408185601) do

  create_table "analytics", :force => true do |t|
    t.string   "ip_address"
				`@@ -0,0 +1 @@`
				`ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)`