Note strong_params

Signed-off-by: N Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Note strong_params
Signed-off-by: N Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
16a0a4ae · Dmitriy Zaporozhets · 98ba075c · 16a0a4ae · 16a0a4ae
隐藏空白更改
内联并排

Showing with 9 addition and 4 deletion

app/controllers/projects/notes_controller.rb app/controllers/projects/notes_controller.rb +9 -2

app/models/note.rb app/models/note.rb +0 -2

未找到文件。
--- a/app/controllers/projects/notes_controller.rb
+++ b/app/controllers/projects/notes_controller.rb
@@ -21,7 +21,7 @@ class Projects::NotesController < Projects::ApplicationController
  end

  def create
-    @note = Notes::CreateService.new(project, current_user, params[:note]).execute
+    @note = Notes::CreateService.new(project, current_user, note_params).execute

    respond_to do |format|
      format.json { render_note_json(@note) }
@@ -30,7 +30,7 @@ class Projects::NotesController < Projects::ApplicationController
  end

  def update
-    note.update_attributes(params[:note])
+    note.update_attributes(note_params)
    note.reset_events_cache

    respond_to do |format|
@@ -109,4 +109,11 @@ class Projects::NotesController < Projects::ApplicationController
  def authorize_admin_note!
    return access_denied! unless can?(current_user, :admin_note, note)
  end
+
+  def note_params
+    params.require(:note).permit(
+      :note, :noteable, :noteable_id, :noteable_type, :project_id,
+      :attachment, :line_code, :commit_id
+    )
+  end
 end
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -25,8 +25,6 @@ class Note < ActiveRecord::Base

  default_value_for :system, false

-  #attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
-                  #:attachment, :line_code, :commit_id
  attr_mentionable :note

  belongs_to :project