diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index f0040bf5e87..85dce0db8f2 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -37,14 +37,14 @@ class Admin::UsersController < Admin::ApplicationController
 end
 def create
- admin = params[:user].delete("admin")
+ admin = user_params.delete("admin")
 opts = { force_random_password: true, password_expires_at: Time.now }
- @user = User.build_user(params[:user].merge(opts), as: :admin)
+ @user = User.build_user(user_params.merge(opts), as: :admin)
 @user.admin = (admin && admin.to_i > 0)
 @user.created_by_id = current_user.id
 @user.generate_password
@@ -62,11 +62,11 @@ class Admin::UsersController < Admin::ApplicationController
 end
 def update
- admin = params[:user].delete("admin")
+ admin = user_params.delete("admin")
- if params[:user][:password].blank?
- params[:user].delete(:password)
- params[:user].delete(:password_confirmation)
+ if user_params[:password].blank?
+ user_params.delete(:password)
+ user_params.delete(:password_confirmation)
 end
 if admin.present?
@@ -74,7 +74,7 @@ class Admin::UsersController < Admin::ApplicationController
 end
 respond_to do |format|
- if user.update_attributes(params[:user], as: :admin)
+ if user.update_attributes(user_params, as: :admin)
 user.confirm!
 format.html { redirect_to [:admin, user], notice: 'User was successfully updated.' }
 format.json { head :ok }
@@ -115,4 +115,13 @@ class Admin::UsersController < Admin::ApplicationController
 def user
 @user ||= User.find_by!(username: params[:id])
 end
+
+ def user_params
+ params.require(:user).permit(
+ :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
+ :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
+ :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
+ :projects_limit, :can_create_group,
+ )
+ end
 end
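Review bot: `admin = user_params.delete("admin")` can no longer yield a value: `:admin` is not in the permit list added at @@ -115, so the permitted hash never contains it, and `user_params` builds a fresh `ActionController::Parameters` object on every call, so the `delete` could not influence what is later passed to `build_user` anyway. `@user.admin = (admin && admin.to_i > 0)` is therefore always false and the admin form silently drops the admin flag. The same fresh-copy behaviour turns `user_params.delete(:password)` and `delete(:password_confirmation)` at @@ -62 into no-ops, so a blank password still reaches `update_attributes`. Read the flag from the request rather than the permitted hash, `admin = params.require(:user)[:admin]`, and memoize the helper at @@ -115 as `@user_params ||= params.require(:user).permit(...)` so that the deletions in `update` stick. The body of `create` continues past the hunk.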
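Review bot: `user.update_attributes(user_params, as: :admin)` keeps the `as:` role option from the protected_attributes API that this commit is moving away from, while plain ActiveRecord 4 `update_attributes` accepts a single attributes hash. Unless the protected_attributes gem remains loaded — the Gemfile is not in the diff — every admin update would raise `ArgumentError` before any attribute is written. With the admin-only attributes now carried by the permit list at @@ -115, the role adds nothing: `if user.update_attributes(user_params)`. `User.build_user(..., as: :admin)` at @@ -37 carries the same leftover; its definition is outside this diff.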
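Review bot: This permit list is now the only thing keeping `:projects_limit` and `:can_create_group` admin-only — the `attr_accessible ..., as: :admin` that used to restrict them is removed from app/models/user.rb in this same commit — yet nothing in the method records the privilege boundary, and the list otherwise looks like the self-service list in ProfilesController plus a few keys. Someone reconciling the two lists later would have no hint which keys must stay here. A comment above the call would make it explicit, e.g. `# Admin-only allowlist. :projects_limit and :can_create_group were restricted to the :admin role before strong parameters; :extern_uid, :provider, :password_expires_at and :force_random_password are intentionally absent from ProfilesController#user_params.`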
diff --git a/app/controllers/profiles/passwords_controller.rb b/app/controllers/profiles/passwords_controller.rb
index df6954554ea..60617e4f8ae 100644
--- a/app/controllers/profiles/passwords_controller.rb
+++ b/app/controllers/profiles/passwords_controller.rb
@@ -11,8 +11,8 @@ class Profiles::PasswordsController < ApplicationController
 end
 def create
- new_password = params[:user][:password]
- new_password_confirmation = params[:user][:password_confirmation]
+ new_password = user_params[:password]
+ new_password_confirmation = user_params[:password_confirmation]
 result = @user.update_attributes(
 password: new_password,
@@ -31,11 +31,11 @@ class Profiles::PasswordsController < ApplicationController
 end
 def update
- password_attributes = params[:user].select do |key, value|
+ password_attributes = user_params.select do |key, value|
 %w(password password_confirmation).include?(key.to_s)
 end
- unless @user.valid_password?(params[:user][:current_password])
+ unless @user.valid_password?(user_params[:current_password])
 redirect_to edit_profile_password_path, alert: 'You must provide a valid current password'
 return
 end
@@ -74,4 +74,8 @@ class Profiles::PasswordsController < ApplicationController
 def authorize_change_password!
 return render_404 if @user.ldap_user?
 end
+
+ def user_params
+ params.require(:user).permit(:password, :password_confirmation)
+ end
 end
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index 9c9a129b26b..f7c9651d050 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -14,9 +14,9 @@ class ProfilesController < ApplicationController
 end
 def update
- params[:user].delete(:email) if @user.ldap_user?
+ user_params.delete(:email) if @user.ldap_user?
- if @user.update_attributes(params[:user])
+ if @user.update_attributes(user_params)
 flash[:notice] = "Profile was successfully updated"
 else
 flash[:alert] = "Failed to update profile"
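Review bot: `@user.valid_password?(user_params[:current_password])` always receives nil, because the `user_params` added at @@ -74 permits only `:password` and `:password_confirmation` and strong parameters silently drops the unpermitted key; the check therefore cannot succeed and every request ends in the 'valid current password' alert, so nobody can change a password through this action. Add the key to the permit list, `params.require(:user).permit(:password, :password_confirmation, :current_password)`; it is never mass-assigned, since the `select` above keeps only the two password keys. The body of `update` continues past the hunk.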
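Review bot: `user_params.delete(:email) if @user.ldap_user?` mutates a throwaway object: `user_params` builds a new `ActionController::Parameters` on each call, so `:email` is still present in the `user_params` handed to `update_attributes` two lines later and the guard that kept LDAP users from changing their email no longer holds (it worked before because `params[:user]` was one shared hash). Hold the permitted hash in a local before editing it: `attrs = user_params`, `attrs.delete(:email) if @user.ldap_user?`, `if @user.update_attributes(attrs)`. Memoizing the `user_params` helper added at @@ -57 with `@user_params ||=` would achieve the same.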
@@ -41,7 +41,7 @@ class ProfilesController < ApplicationController
 end
 def update_username
- @user.update_attributes(username: params[:user][:username])
+ @user.update_attributes(username: user_params[:username])
 respond_to do |format|
 format.js
@@ -57,4 +57,12 @@ class ProfilesController < ApplicationController
 def authorize_change_username!
 return render_404 unless @user.can_change_username?
 end
+
+ def user_params
+ params.require(:user).permit(
+ :email, :password, :password_confirmation, :bio, :name, :username,
+ :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id,
+ :avatar, :hide_no_ssh_key,
+ )
+ end
 end
diff --git a/app/models/email.rb b/app/models/email.rb
index 9068c2b87b6..57f476bd519 100644
--- a/app/models/email.rb
+++ b/app/models/email.rb
@@ -10,16 +10,8 @@ #
 class Email < ActiveRecord::Base
- attr_accessible :email, :user_id
-
- #
- # Relations
- #
 belongs_to :user
- #
- # Validations
- #
 validates :user_id, presence: true
 validates :email, presence: true, email: { strict_mode: true }, uniqueness: true
 validate :unique_email, if: ->(email) { email.email_changed? }
diff --git a/app/models/event.rb b/app/models/event.rb
index 1a8d55c54b4..487ea7666e5 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -15,8 +15,8 @@ #
 class Event < ActiveRecord::Base
- attr_accessible :project, :action, :data, :author_id, :project_id,
- :target_id, :target_type
+ #attr_accessible :project, :action, :data, :author_id, :project_id,
+ #:target_id, :target_type
 default_scope { where.not(author_id: nil) }
diff --git a/app/models/group.rb b/app/models/group.rb
index e51e19ab60c..671b5611a71 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -20,7 +20,7 @@ class Group < Namespace
 has_many :users_groups, dependent: :destroy
 has_many :users, through: :users_groups
- attr_accessible :avatar
+ #attr_accessible :avatar
 validate :avatar_type, if: ->(user) { user.avatar_changed? }
 validates :avatar, file_size: { maximum: 100.kilobytes.to_i }
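Review bot: The self-service permit list includes `:password` and `:password_confirmation`, so `ProfilesController#update` accepts a password change without the `valid_password?(current_password)` check that `Profiles::PasswordsController#update` enforces. The `attr_accessible ... as: [:default, :admin]` removed from app/models/user.rb allowed the same, so this is inherited rather than new, but moving to explicit per-controller lists is the moment to narrow it: drop the two keys here, if no profile form submits them, and leave password changes to the passwords controller. The reader also cannot tell that `:projects_limit`, `:can_create_group`, `:extern_uid` and `:provider` are left out on purpose; a comment such as `# Self-service allowlist. Privileged attributes (projects_limit, can_create_group, extern_uid, provider) are permitted only in Admin::UsersController#user_params.` would record the decision.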
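Review bot: The `attr_accessible` declaration is commented out rather than deleted, and the same pattern repeats in group.rb below and in namespace.rb, note.rb, project_hook.rb, snippet.rb, users_project.rb and web_hook.rb, while email.rb and user.rb remove theirs outright; dead declarations in comments invite someone to uncomment them and run the old whitelist alongside strong parameters, so remove the lines. More importantly, these eight models now have no attribute whitelist at all, and this commit adds `permit` lists only in the user-facing controllers — the controllers that mass-assign Event, Group, Namespace, Note, ProjectHook, Snippet, UsersProject and WebHook are not in the diff, so whether each one builds its input through `params.require(...).permit(...)` cannot be confirmed here and should be checked before merge. What a raw `params[:x]` does when passed to these models depends on configuration the diff does not show (whether protected_attributes and its whitelist setting remain active, or only strong parameters, which raises `ActiveModel::ForbiddenAttributesError`).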
diff --git a/app/models/namespace.rb b/app/models/namespace.rb
index 446e5f04c63..524fd9e0c4c 100644
--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -16,7 +16,7 @@ class Namespace < ActiveRecord::Base
 include Gitlab::ShellAdapter
- attr_accessible :name, :description, :path
+ #attr_accessible :name, :description, :path
 has_many :projects, dependent: :destroy
 belongs_to :owner, class_name: "User"
diff --git a/app/models/note.rb b/app/models/note.rb
index 94d45aa43db..d17cddb0bd1 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -25,8 +25,8 @@ class Note < ActiveRecord::Base
 default_value_for :system, false
- attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
- :attachment, :line_code, :commit_id
+ #attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
+ #:attachment, :line_code, :commit_id
 attr_mentionable :note
 belongs_to :project
diff --git a/app/models/project_hook.rb b/app/models/project_hook.rb
index 6db6767a88d..ffede4c7025 100644
--- a/app/models/project_hook.rb
+++ b/app/models/project_hook.rb
@@ -18,7 +18,7 @@ class ProjectHook < WebHook
 belongs_to :project
- attr_accessible :push_events, :issues_events, :merge_requests_events, :tag_push_events
+ #attr_accessible :push_events, :issues_events, :merge_requests_events, :tag_push_events
 scope :push_hooks, -> { where(push_events: true) }
 scope :tag_push_hooks, -> { where(tag_push_events: true) }
diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index 9e4409daa1a..958697f70cd 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -18,7 +18,7 @@ class Snippet < ActiveRecord::Base
 include Linguist::BlobHelper
- attr_accessible :title, :content, :file_name, :expires_at, :private
+ #attr_accessible :title, :content, :file_name, :expires_at, :private
 default_value_for :private, true
diff --git a/app/models/user.rb b/app/models/user.rb
index 63d819a0f36..6ce57f086bc 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -58,23 +58,11 @@ class User < ActiveRecord::Base
 devise :database_authenticatable, :token_authenticatable, :lockable, :async, :recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable
- attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
- :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
- :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
- as: [:default, :admin]
-
- attr_accessible :projects_limit, :can_create_group,
- as: :admin
-
 attr_accessor :force_random_password
 # Virtual attribute for authenticating by either username or email
 attr_accessor :login
- # Add login to attr_accessible
- attr_accessible :login
-
- #
 # Relations
 #
diff --git a/app/models/users_project.rb b/app/models/users_project.rb
index 6495bed4e61..409282ec818 100644
--- a/app/models/users_project.rb
+++ b/app/models/users_project.rb
@@ -16,7 +16,7 @@ class UsersProject < ActiveRecord::Base
 include Notifiable
 include Gitlab::Access
- attr_accessible :user, :user_id, :project_access
+ #attr_accessible :user, :user_id, :project_access
 belongs_to :user
 belongs_to :project
diff --git a/app/models/web_hook.rb b/app/models/web_hook.rb
index 76854da5c38..7a48dcdc272 100644
--- a/app/models/web_hook.rb
+++ b/app/models/web_hook.rb
@@ -22,7 +22,7 @@ class WebHook < ActiveRecord::Base
 default_value_for :issues_events, false
 default_value_for :merge_requests_events, false
- attr_accessible :url
+ #attr_accessible :url
 # HTTParty timeout
 default_timeout 10