On branch strong-params

Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.

I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin

app/controllers/messages_controller.rb

@@ -33,4 +33,10 @@ class MessagesController < ApplicationController
       end
     end
   end
-end
+
+  private
+
+  def message_params
+    params.require(:message).permit(:creator_id, :message, :read, :receiver_id)
+  end
+end

app/controllers/schedule_controller.rb

@@ -4,7 +4,7 @@ class ScheduleController < ApplicationController
     message = false
 
       if params[:schedule][:event_type] == "pto"
-        sched = Schedule.new(params[:schedule])
+        sched = Schedule.new(schedule_params)
         sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1])
         sched.user_id = current_user.user_id
         a = sched.date_end
@@ -56,4 +56,10 @@ class ScheduleController < ApplicationController
    end
      return vals
   end
+
+  private
+
+  def schedule_params
+    params.require(:schedule).permit(:date_begin, :date_end, :event_desc, :event_name, :event_type)
+  end
 end

app/controllers/users_controller.rb

@@ -7,7 +7,7 @@ class UsersController < ApplicationController
   end
 
   def create
-    user = User.new(params[:user])
+    user = User.new(user_params)
     user.build_benefits_data
     if user.save
       session[:user_id] = user.user_id
@@ -35,7 +35,7 @@ class UsersController < ApplicationController
     if user
       user.skip_user_id_assign = true
       user.skip_hash_password = true
-      user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
+      user.update_attributes(user_params_without_password)
       if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
         user.skip_hash_password = false
         user.password = params[:user][:password]
@@ -50,4 +50,15 @@ class UsersController < ApplicationController
       redirect_to user_account_settings_path(:user_id => current_user.user_id)
     end
   end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation)
+  end
+
+  # unpermitted attributes are ignored in production
+  def user_params_without_password
+    params.require(:user).permit(:email, :admin, :first_name, :last_name)
+  end
 end