diff --git a/app/controllers/projects/notes_controller.rb b/app/controllers/projects/notes_controller.rb
index 66cc1a3dec7aba4516310987dfc05267eb0b8e2a..2154b6ed2eb77e47b38da99b80e620eb8b6f7f0c 100644
--- a/app/controllers/projects/notes_controller.rb
+++ b/app/controllers/projects/notes_controller.rb
@@ -21,7 +21,7 @@ class Projects::NotesController < Projects::ApplicationController
 end
 def create
- @note = Notes::CreateService.new(project, current_user, params[:note]).execute
+ @note = Notes::CreateService.new(project, current_user, note_params).execute
 respond_to do |format|
 format.json { render_note_json(@note) }
@@ -30,7 +30,7 @@ class Projects::NotesController < Projects::ApplicationController
 end
 def update
- note.update_attributes(params[:note])
+ note.update_attributes(note_params)
 note.reset_events_cache
 respond_to do |format|
@@ -109,4 +109,11 @@ class Projects::NotesController < Projects::ApplicationController
 def authorize_admin_note!
 return access_denied! unless can?(current_user, :admin_note, note)
 end
+
+ def note_params
+ params.require(:note).permit(
+ :note, :noteable, :noteable_id, :noteable_type, :project_id,
+ :attachment, :line_code, :commit_id
+ )
+ end
 end
diff --git a/app/models/note.rb b/app/models/note.rb
index d17cddb0bd16ec15679c2663bde5eadbd570b1d0..436b75adc5eb7f6ef75ccd7422620fa719f2293d 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -25,8 +25,6 @@ class Note < ActiveRecord::Base
 default_value_for :system, false
- #attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
- #:attachment, :line_code, :commit_id
 attr_mentionable :note
 belongs_to :project
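Review bot: The new `create` line calls `note_params`, whose `params.require(:note)` raises ActionController::ParameterMissing when the request carries no `note` hash, whereas the old `params[:note]` handed nil straight to Notes::CreateService; for the JSON format this now surfaces as a 400 instead of whatever the service did with nil. That is the right behaviour for a mass-assignment whitelist, but it is a contract change for AJAX/API callers of this action and deserves a one-line comment above the assignment, e.g. `# note_params raises ParameterMissing (HTTP 400) when the note hash is absent`. The body of `create` continues past the end of the hunk.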
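Review bot: `update` now feeds the full `note_params` whitelist into `note.update_attributes`, so a caller who passes `authorize_admin_note!` for one note can, in the same request, also rewrite its `noteable_id`, `noteable_type`, `project_id` and `commit_id` and re-point the existing note at another noteable or project. The removed `attr_accessible` list had the same exposure, but strong parameters are per-action, so this is the moment to narrow it: unless editing legitimately needs to move a note (nothing in the hunk suggests it does), use `note.update_attributes(params.require(:note).permit(:note, :attachment))`. The rest of `update` and the before_filter wiring for `authorize_admin_note!` are outside the hunk, so I cannot confirm which fields the edit form actually sends.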
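Review bot: `note_params` permits `:project_id` even though `create` already passes the route-resolved `project` into Notes::CreateService; unless the service overwrites it (the service is not in this diff, so I cannot tell), a client can set `note[project_id]` to a project the controller never authorized against and have the note land there. Drop `:project_id` from the permit list and let the controller supply the project, and reconsider `:noteable` as well: strong parameters only permit scalar values for that key, so it is either dead or, presumably, an association type mismatch waiting to happen when a string reaches `noteable=`. A short comment on the method stating which fields a client may set and why would help the next reader, e.g. `# Client-settable note fields; project and author are supplied by the controller, never the request.`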