diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index f0040bf5e871c22a9577fed9452131101cd07ca2..85dce0db8f25410edb202505fb3c9ca5c7e05797 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -37,14 +37,14 @@ class Admin::UsersController < Admin::ApplicationController
   end
 
   def create
-    admin = params[:user].delete("admin")
+    admin = user_params.delete("admin")
 
     opts = {
       force_random_password: true,
       password_expires_at: Time.now
     }
 
-    @user = User.build_user(params[:user].merge(opts), as: :admin)
+    @user = User.build_user(user_params.merge(opts), as: :admin)
     @user.admin = (admin && admin.to_i > 0)
     @user.created_by_id = current_user.id
     @user.generate_password
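Review bot: `admin = user_params.delete("admin")` on L10 can never return a value, because `user_params` (added later in this diff) builds a fresh permitted hash on every call and its permit list does not contain `admin`, so `@user.admin` is always false from this action; `update` at L27 has the same problem, and the deletes at L33–L34 and in ProfilesController#update (L108) likewise act on a throwaway copy, so a blank password and an LDAP user's email still reach `update_attributes`. Since the whitelist already drops the flag, it is enough to read it from the raw params, `admin = params.require(:user)[:admin]`, while the delete-on-copy callers should either memoize the whitelist (`@user_params ||= params.require(:user).permit(...)`) or pass `user_params.except(...)` to the model. The body of `create` continues past the hunk.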
@@ -62,11 +62,11 @@ class Admin::UsersController < Admin::ApplicationController
   end
 
   def update
-    admin = params[:user].delete("admin")
+    admin = user_params.delete("admin")
 
-    if params[:user][:password].blank?
-      params[:user].delete(:password)
-      params[:user].delete(:password_confirmation)
+    if user_params[:password].blank?
+      user_params.delete(:password)
+      user_params.delete(:password_confirmation)
     end
 
     if admin.present?
@@ -74,7 +74,7 @@ class Admin::UsersController < Admin::ApplicationController
     end
 
     respond_to do |format|
-      if user.update_attributes(params[:user], as: :admin)
+      if user.update_attributes(user_params, as: :admin)
         user.confirm!
         format.html { redirect_to [:admin, user], notice: 'User was successfully updated.' }
         format.json { head :ok }
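Review bot: `user.update_attributes(user_params, as: :admin)` on L43 still passes the mass-assignment role option, which only the protected_attributes API understood; with the model's `attr_accessible` declarations removed in this diff the option is at best ignored, and if the gem is being dropped as well, `update_attributes` accepts a single argument and this call raises ArgumentError. If strong parameters is now the whitelist, the line should read `if user.update_attributes(user_params)`; the same applies to `User.build_user(user_params.merge(opts), as: :admin)` at L18 if `build_user` forwards the option. The surrounding `respond_to` block and `update` continue past the hunk.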
@@ -115,4 +115,13 @@ class Admin::UsersController < Admin::ApplicationController
   def user
     @user ||= User.find_by!(username: params[:id])
   end
+
+  def user_params
+    params.require(:user).permit(
+      :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
+      :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
+      :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
+      :projects_limit, :can_create_group,
+    )
+  end
 end
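Review bot: `user_params` at L52–L59 carries no comment saying that it is the admin-scoped whitelist: it permits `:projects_limit`, `:can_create_group`, `:extern_uid`, `:provider` and `:password_expires_at`, which the `attr_accessible ... as: :admin` declaration removed from user.rb in this diff had reserved for the admin role, so nothing warns against copying it into a user-facing controller. A one-line comment above the method such as `# Admin-only whitelist: permits limits and identity fields that ordinary users must not set` would make that explicit. The method is presumably below the controller's `private` marker, as `user` at L48 appears to be; worth confirming, since public controller methods count as actions.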
diff --git a/app/controllers/profiles/passwords_controller.rb b/app/controllers/profiles/passwords_controller.rb
index df6954554eac205789b64a0ec410ae7741b0592a..60617e4f8ae26a435f24fb44dc321b834386767a 100644
--- a/app/controllers/profiles/passwords_controller.rb
+++ b/app/controllers/profiles/passwords_controller.rb
@@ -11,8 +11,8 @@ class Profiles::PasswordsController < ApplicationController
   end
 
   def create
-    new_password = params[:user][:password]
-    new_password_confirmation = params[:user][:password_confirmation]
+    new_password = user_params[:password]
+    new_password_confirmation = user_params[:password_confirmation]
 
     result = @user.update_attributes(
       password: new_password,
@@ -31,11 +31,11 @@ class Profiles::PasswordsController < ApplicationController
   end
 
   def update
-    password_attributes = params[:user].select do |key, value|
+    password_attributes = user_params.select do |key, value|
       %w(password password_confirmation).include?(key.to_s)
     end
 
-    unless @user.valid_password?(params[:user][:current_password])
+    unless @user.valid_password?(user_params[:current_password])
       redirect_to edit_profile_password_path, alert: 'You must provide a valid current password'
       return
     end
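Review bot: `@user.valid_password?(user_params[:current_password])` on L86 always receives nil, because the `user_params` added in this diff permits only `:password` and `:password_confirmation` (L96); every request through `update` therefore ends at the 'You must provide a valid current password' redirect. The value should be read outside the whitelist, e.g. `unless @user.valid_password?(params.require(:user)[:current_password])`, or `:current_password` added to the permit list (the `select` at L81 already keeps it out of the attributes written to the model). The body of `update` continues past the hunk.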
@@ -74,4 +74,8 @@ class Profiles::PasswordsController < ApplicationController
   def authorize_change_password!
     return render_404 if @user.ldap_user?
   end
+
+  def user_params
+    params.require(:user).permit(:password, :password_confirmation)
+  end
 end
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index 9c9a129b26b4d9a0b102c182a098475a9e17b2c4..f7c9651d0502c31be033e7c407c658f475c35ace 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -14,9 +14,9 @@ class ProfilesController < ApplicationController
   end
 
   def update
-    params[:user].delete(:email) if @user.ldap_user?
+    user_params.delete(:email) if @user.ldap_user?
 
-    if @user.update_attributes(params[:user])
+    if @user.update_attributes(user_params)
       flash[:notice] = "Profile was successfully updated"
     else
       flash[:alert] = "Failed to update profile"
@@ -41,7 +41,7 @@ class ProfilesController < ApplicationController
   end
 
   def update_username
-    @user.update_attributes(username: params[:user][:username])
+    @user.update_attributes(username: user_params[:username])
 
     respond_to do |format|
       format.js
@@ -57,4 +57,12 @@ class ProfilesController < ApplicationController
   def authorize_change_username!
     return render_404 unless @user.can_change_username?
   end
+
+  def user_params
+    params.require(:user).permit(
+      :email, :password, :password_confirmation, :bio, :name, :username,
+      :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id,
+      :avatar, :hide_no_ssh_key,
+    )
+  end
 end
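Review bot: The permit list at L131 includes `:password` and `:password_confirmation`, so `ProfilesController#update` can set a new password without the current-password check that `Profiles::PasswordsController#update` enforces (L85–L89 in this diff); the removed `attr_accessible` list allowed the same, but now that the whitelist is per controller it can be narrowed. Unless the profile form actually submits a password, dropping those two symbols here and leaving password changes to the passwords controller closes that path. The method is presumably below the controller's `private` marker, as `authorize_change_username!` at L125 appears to be; worth confirming.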
diff --git a/app/models/email.rb b/app/models/email.rb
index 9068c2b87b632fd2645a20e315fa3fcb504ef748..57f476bd519124244d92de88f3192b66bf4e2e58 100644
--- a/app/models/email.rb
+++ b/app/models/email.rb
@@ -10,16 +10,8 @@
 #
 
 class Email < ActiveRecord::Base
-  attr_accessible :email, :user_id
-
-  #
-  # Relations
-  #
   belongs_to :user
 
-  #
-  # Validations
-  #
   validates :user_id, presence: true
   validates :email, presence: true, email: { strict_mode: true }, uniqueness: true
   validate :unique_email, if: ->(email) { email.email_changed? }
diff --git a/app/models/event.rb b/app/models/event.rb
index 1a8d55c54b400d2059df441f4356246d19267cd5..487ea7666e5760f6f8d5ac0a1a11acbcf538a6cf 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -15,8 +15,8 @@
 #
 
 class Event < ActiveRecord::Base
-  attr_accessible :project, :action, :data, :author_id, :project_id,
-                  :target_id, :target_type
+  #attr_accessible :project, :action, :data, :author_id, :project_id,
+                  #:target_id, :target_type
 
   default_scope { where.not(author_id: nil) }
 
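Review bot: L168–L169 keep the `attr_accessible` declaration as commented-out code (with the continuation line's `#` sitting at column 18) instead of deleting it, while the same commit removes the equivalent lines outright in email.rb and user.rb; group.rb, namespace.rb, note.rb, project_hook.rb, snippet.rb, users_project.rb and web_hook.rb follow the commented-out form too. Dead whitelist declarations left in place invite either an uncommented revival or a mistaken belief that mass-assignment protection is still enforced at the model; removing the two lines, as email.rb does, keeps the models consistent. If a staged migration is intended, a one-line note such as `# attr_accessible removed: attribute whitelisting now lives in controller strong parameters` says so more clearly than the stale code.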
diff --git a/app/models/group.rb b/app/models/group.rb
index e51e19ab60ca3a24b0b1c515fd1101466a54e409..671b5611a71abb1e909dacda3bc9327657bda0b4 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -20,7 +20,7 @@ class Group < Namespace
   has_many :users_groups, dependent: :destroy
   has_many :users, through: :users_groups
 
-  attr_accessible :avatar
+  #attr_accessible :avatar
 
   validate :avatar_type, if: ->(user) { user.avatar_changed? }
   validates :avatar, file_size: { maximum: 100.kilobytes.to_i }
diff --git a/app/models/namespace.rb b/app/models/namespace.rb
index 446e5f04c63188db00d55bbca1ab04eb3048f7c4..524fd9e0c4cf6c782380805fcb659832aa371d4c 100644
--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -16,7 +16,7 @@
 class Namespace < ActiveRecord::Base
   include Gitlab::ShellAdapter
 
-  attr_accessible :name, :description, :path
+  #attr_accessible :name, :description, :path
 
   has_many :projects, dependent: :destroy
   belongs_to :owner, class_name: "User"
diff --git a/app/models/note.rb b/app/models/note.rb
index 94d45aa43db233dd14bd162d633d0e75ca88e423..d17cddb0bd16ec15679c2663bde5eadbd570b1d0 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -25,8 +25,8 @@ class Note < ActiveRecord::Base
 
   default_value_for :system, false
 
-  attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
-                  :attachment, :line_code, :commit_id
+  #attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
+                  #:attachment, :line_code, :commit_id
   attr_mentionable :note
 
   belongs_to :project
diff --git a/app/models/project_hook.rb b/app/models/project_hook.rb
index 6db6767a88dec485668af96ba349d1f02aed875b..ffede4c7025673c60d8e062c9f46a8c6c80ee9cf 100644
--- a/app/models/project_hook.rb
+++ b/app/models/project_hook.rb
@@ -18,7 +18,7 @@
 class ProjectHook < WebHook
   belongs_to :project
 
-  attr_accessible :push_events, :issues_events, :merge_requests_events, :tag_push_events
+  #attr_accessible :push_events, :issues_events, :merge_requests_events, :tag_push_events
 
   scope :push_hooks, -> { where(push_events: true) }
   scope :tag_push_hooks, -> { where(tag_push_events: true) }
diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index 9e4409daa1a9d7c5bfba4ed5dc3310bbadd480f6..958697f70cd0b40fde4bc148fe8d150f4d5b66f9 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -18,7 +18,7 @@
 class Snippet < ActiveRecord::Base
   include Linguist::BlobHelper
 
-  attr_accessible :title, :content, :file_name, :expires_at, :private
+  #attr_accessible :title, :content, :file_name, :expires_at, :private
 
   default_value_for :private, true
 
diff --git a/app/models/user.rb b/app/models/user.rb
index 63d819a0f36a1ede03a66410b769dd45cf1d416e..6ce57f086bc10277da2b90b16fc7a531c1b4ee49 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -58,23 +58,11 @@ class User < ActiveRecord::Base
   devise :database_authenticatable, :token_authenticatable, :lockable, :async,
          :recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable
 
-  attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
-                  :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
-                  :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
-                  as: [:default, :admin]
-
-  attr_accessible :projects_limit, :can_create_group,
-                  as: :admin
-
   attr_accessor :force_random_password
 
   # Virtual attribute for authenticating by either username or email
   attr_accessor :login
 
-  # Add login to attr_accessible
-  attr_accessible :login
-
-
   #
   # Relations
   #
diff --git a/app/models/users_project.rb b/app/models/users_project.rb
index 6495bed4e6177b00e0053875cfc6621fd07447f0..409282ec818b6200e009e0990f20e67e19a884ad 100644
--- a/app/models/users_project.rb
+++ b/app/models/users_project.rb
@@ -16,7 +16,7 @@ class UsersProject < ActiveRecord::Base
   include Notifiable
   include Gitlab::Access
 
-  attr_accessible :user, :user_id, :project_access
+  #attr_accessible :user, :user_id, :project_access
 
   belongs_to :user
   belongs_to :project
diff --git a/app/models/web_hook.rb b/app/models/web_hook.rb
index 76854da5c383310dc0f14c53227d09206cbbbb3a..7a48dcdc2727ed1f5e9c8c85a7597e9d95f4070c 100644
--- a/app/models/web_hook.rb
+++ b/app/models/web_hook.rb
@@ -22,7 +22,7 @@ class WebHook < ActiveRecord::Base
   default_value_for :issues_events, false
   default_value_for :merge_requests_events, false
 
-  attr_accessible :url
+  #attr_accessible :url
 
   # HTTParty timeout
   default_timeout 10