From 16a0a4aeccbd2fd2998262eb9cba7bb45b1b7f80 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Thu, 26 Jun 2014 16:49:22 +0300
Subject: [PATCH] Note strong_params
Signed-off-by: Dmitriy Zaporozhets
---
 app/controllers/projects/notes_controller.rb | 11 +++++++++--
 app/models/note.rb | 2 --
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/app/controllers/projects/notes_controller.rb b/app/controllers/projects/notes_controller.rb
index 66cc1a3dec7..2154b6ed2eb 100644
--- a/app/controllers/projects/notes_controller.rb
+++ b/app/controllers/projects/notes_controller.rb
@@ -21,7 +21,7 @@ class Projects::NotesController < Projects::ApplicationController
 end
 def create
- @note = Notes::CreateService.new(project, current_user, params[:note]).execute
+ @note = Notes::CreateService.new(project, current_user, note_params).execute
 respond_to do |format|
 format.json { render_note_json(@note) }
@@ -30,7 +30,7 @@ class Projects::NotesController < Projects::ApplicationController
 end
 def update
- note.update_attributes(params[:note])
+ note.update_attributes(note_params)
 note.reset_events_cache
 respond_to do |format|
@@ -109,4 +109,11 @@ class Projects::NotesController < Projects::ApplicationController
 def authorize_admin_note!
 return access_denied! unless can?(current_user, :admin_note, note)
 end
+
+ def note_params
+ params.require(:note).permit(
+ :note, :noteable, :noteable_id, :noteable_type, :project_id,
+ :attachment, :line_code, :commit_id
+ )
+ end
 end
diff --git a/app/models/note.rb b/app/models/note.rb
index d17cddb0bd1..436b75adc5e 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -25,8 +25,6 @@ class Note < ActiveRecord::Base
 default_value_for :system, false
- #attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
- #:attachment, :line_code, :commit_id
 attr_mentionable :note
 belongs_to :project
--
GitLab
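Review bot: `update` now passes the same whitelist as `create`, so an edit request can also submit `project_id`, `noteable_id`, `noteable_type`, `commit_id` and `line_code` and re-parent an existing note. The `authorize_admin_note!` check shown later in this file looks at the note before the attributes are written (presumably as a before filter, which is outside this hunk), so it would not cover the destination project or noteable. If editing is only meant to change the body and the attachment, give `update` its own narrower list, for example `note.update_attributes(params.require(:note).permit(:note, :attachment))`. The body of `update` continues past the end of the hunk.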
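Review bot: The permit list in `note_params` is the old `attr_accessible` list carried over unchanged, and it still accepts `:project_id` although `create` already hands the controller's own `project` to the service. Whether `Notes::CreateService` lets a submitted `project_id` override that project is not visible here, so dropping `:project_id` is the safer default; `:noteable` can go as well, since a bare key in `permit` only passes scalar values and an association object never arrives in request params. Please also confirm that the method sits below the class's `private` marker, which is outside this hunk, so that it is not exposed as a routable action. A short comment such as `# Attributes a client may set on a note; keep in sync with the note form.` would record the intent of the list.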