User model to strong params. Comment other attr_accessible to let tests run

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

User model to strong params. Comment other attr_accessible to let tests run
98ba075c · Dmitriy Zaporozhets · 3a21c904 · 98ba075c · 98ba075c · 98ba075c
Unverified Commit 98ba075c authored Jun 26, 2014 by Dmitriy Zaporozhets
13 changed files
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -37,14 +37,14 @@ class Admin::UsersController < Admin::ApplicationController
  end

  def create
-    admin = params[:user].delete("admin")
+    admin = user_params.delete("admin")

    opts = {
      force_random_password: true,
      password_expires_at: Time.now
    }

-    @user = User.build_user(params[:user].merge(opts), as: :admin)
+    @user = User.build_user(user_params.merge(opts), as: :admin)
    @user.admin = (admin && admin.to_i > 0)
    @user.created_by_id = current_user.id
    @user.generate_password
@@ -62,11 +62,11 @@ class Admin::UsersController < Admin::ApplicationController
  end

  def update
-    admin = params[:user].delete("admin")
+    admin = user_params.delete("admin")

-    if params[:user][:password].blank?
-      params[:user].delete(:password)
-      params[:user].delete(:password_confirmation)
+    if user_params[:password].blank?
+      user_params.delete(:password)
+      user_params.delete(:password_confirmation)
    end

    if admin.present?
@@ -74,7 +74,7 @@ class Admin::UsersController < Admin::ApplicationController
    end

    respond_to do |format|
-      if user.update_attributes(params[:user], as: :admin)
+      if user.update_attributes(user_params, as: :admin)
        user.confirm!
        format.html { redirect_to [:admin, user], notice: 'User was successfully updated.' }
        format.json { head :ok }
@@ -115,4 +115,13 @@ class Admin::UsersController < Admin::ApplicationController
  def user
    @user ||= User.find_by!(username: params[:id])
  end
+
+  def user_params
+    params.require(:user).permit(
+      :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
+      :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
+      :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
+      :projects_limit, :can_create_group,
+    )
+  end
 end
--- a/app/controllers/profiles/passwords_controller.rb
+++ b/app/controllers/profiles/passwords_controller.rb
@@ -11,8 +11,8 @@ class Profiles::PasswordsController < ApplicationController
  end

  def create
-    new_password = params[:user][:password]
-    new_password_confirmation = params[:user][:password_confirmation]
+    new_password = user_params[:password]
+    new_password_confirmation = user_params[:password_confirmation]

    result = @user.update_attributes(
      password: new_password,
@@ -31,11 +31,11 @@ class Profiles::PasswordsController < ApplicationController
  end

  def update
-    password_attributes = params[:user].select do |key, value|
+    password_attributes = user_params.select do |key, value|
      %w(password password_confirmation).include?(key.to_s)
    end

-    unless @user.valid_password?(params[:user][:current_password])
+    unless @user.valid_password?(user_params[:current_password])
      redirect_to edit_profile_password_path, alert: 'You must provide a valid current password'
      return
    end
@@ -74,4 +74,8 @@ class Profiles::PasswordsController < ApplicationController
  def authorize_change_password!
    return render_404 if @user.ldap_user?
  end
+
+  def user_params
+    params.require(:user).permit(:password, :password_confirmation)
+  end
 end
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -14,9 +14,9 @@ class ProfilesController < ApplicationController
  end

  def update
-    params[:user].delete(:email) if @user.ldap_user?
+    user_params.delete(:email) if @user.ldap_user?

-    if @user.update_attributes(params[:user])
+    if @user.update_attributes(user_params)
      flash[:notice] = "Profile was successfully updated"
    else
      flash[:alert] = "Failed to update profile"
@@ -41,7 +41,7 @@ class ProfilesController < ApplicationController
  end

  def update_username
-    @user.update_attributes(username: params[:user][:username])
+    @user.update_attributes(username: user_params[:username])

    respond_to do |format|
      format.js
@@ -57,4 +57,12 @@ class ProfilesController < ApplicationController
  def authorize_change_username!
    return render_404 unless @user.can_change_username?
  end
+
+  def user_params
+    params.require(:user).permit(
+      :email, :password, :password_confirmation, :bio, :name, :username,
+      :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id,
+      :avatar, :hide_no_ssh_key,
+    )
+  end
 end
--- a/app/models/email.rb
+++ b/app/models/email.rb
@@ -10,16 +10,8 @@
 #

 class Email < ActiveRecord::Base
-  attr_accessible :email, :user_id
-
-  #
-  # Relations
-  #
  belongs_to :user

-  #
-  # Validations
-  #
  validates :user_id, presence: true
  validates :email, presence: true, email: { strict_mode: true }, uniqueness: true
  validate :unique_email, if: ->(email) { email.email_changed? }

--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -15,8 +15,8 @@
 #

 class Event < ActiveRecord::Base
-  attr_accessible :project, :action, :data, :author_id, :project_id,
-                  :target_id, :target_type
+  #attr_accessible :project, :action, :data, :author_id, :project_id,
+                  #:target_id, :target_type

  default_scope { where.not(author_id: nil) }


--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -20,7 +20,7 @@ class Group < Namespace
  has_many :users_groups, dependent: :destroy
  has_many :users, through: :users_groups

-  attr_accessible :avatar
+  #attr_accessible :avatar

  validate :avatar_type, if: ->(user) { user.avatar_changed? }
  validates :avatar, file_size: { maximum: 100.kilobytes.to_i }

--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -16,7 +16,7 @@
 class Namespace < ActiveRecord::Base
  include Gitlab::ShellAdapter

-  attr_accessible :name, :description, :path
+  #attr_accessible :name, :description, :path

  has_many :projects, dependent: :destroy
  belongs_to :owner, class_name: "User"

--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -25,8 +25,8 @@ class Note < ActiveRecord::Base

  default_value_for :system, false

-  attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
-                  :attachment, :line_code, :commit_id
+  #attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
+                  #:attachment, :line_code, :commit_id
  attr_mentionable :note

  belongs_to :project

--- a/app/models/project_hook.rb
+++ b/app/models/project_hook.rb
@@ -18,7 +18,7 @@
 class ProjectHook < WebHook
  belongs_to :project

-  attr_accessible :push_events, :issues_events, :merge_requests_events, :tag_push_events
+  #attr_accessible :push_events, :issues_events, :merge_requests_events, :tag_push_events

  scope :push_hooks, -> { where(push_events: true) }
  scope :tag_push_hooks, -> { where(tag_push_events: true) }

--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -18,7 +18,7 @@
 class Snippet < ActiveRecord::Base
  include Linguist::BlobHelper

-  attr_accessible :title, :content, :file_name, :expires_at, :private
+  #attr_accessible :title, :content, :file_name, :expires_at, :private

  default_value_for :private, true


--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -58,23 +58,11 @@ class User < ActiveRecord::Base
  devise :database_authenticatable, :token_authenticatable, :lockable, :async,
         :recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable

-  attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
-                  :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
-                  :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
-                  as: [:default, :admin]
-
-  attr_accessible :projects_limit, :can_create_group,
-                  as: :admin
-
  attr_accessor :force_random_password

  # Virtual attribute for authenticating by either username or email
  attr_accessor :login

-  # Add login to attr_accessible
-  attr_accessible :login
-
-
  #
  # Relations
  #

--- a/app/models/users_project.rb
+++ b/app/models/users_project.rb
@@ -16,7 +16,7 @@ class UsersProject < ActiveRecord::Base
  include Notifiable
  include Gitlab::Access

-  attr_accessible :user, :user_id, :project_access
+  #attr_accessible :user, :user_id, :project_access

  belongs_to :user
  belongs_to :project

--- a/app/models/web_hook.rb
+++ b/app/models/web_hook.rb
@@ -22,7 +22,7 @@ class WebHook < ActiveRecord::Base
  default_value_for :issues_events, false
  default_value_for :merge_requests_events, false

-  attr_accessible :url
+  #attr_accessible :url

  # HTTParty timeout
  default_timeout 10