dmails_controller.rb: convert to strong params.

app/controllers/dmails_controller.rb

@@ -9,7 +9,7 @@ class DmailsController < ApplicationController
       check_privilege(parent)
       @dmail = parent.build_response(:forward => params[:forward])
     else
-      @dmail = Dmail.new(params[:dmail])
+      @dmail = Dmail.new(create_params)
     end
 
     respond_with(@dmail)
@@ -39,7 +39,7 @@ class DmailsController < ApplicationController
   end
 
   def create
-    @dmail = Dmail.create_split(params[:dmail].merge(:creator_ip_addr => request.remote_ip))
+    @dmail = Dmail.create_split(create_params)
     respond_with(@dmail)
   end
 
@@ -66,4 +66,8 @@ private
       raise User::PrivilegeError
     end
   end
+
+  def create_params
+    params.fetch(:dmail, {}).permit(:title, :body, :to_name, :to_id)
+  end
 end

app/models/dmail.rb

@@ -2,7 +2,6 @@ require 'digest/sha1'
 
 class Dmail < ActiveRecord::Base
   with_options on: :create do
-    before_validation :initialize_from_id
     validates_presence_of :to_id
     validates_presence_of :from_id
     validates_format_of :title, :with => /\S/
@@ -13,10 +12,11 @@ class Dmail < ActiveRecord::Base
   belongs_to :owner, :class_name => "User"
   belongs_to :to, :class_name => "User"
   belongs_to :from, :class_name => "User"
+
+  after_initialize :initialize_attributes, if: :new_record?
   before_create :auto_read_if_filtered
   after_create :update_recipient
   after_create :send_dmail
-  attr_accessible :title, :body, :is_deleted, :to_id, :to, :to_name, :creator_ip_addr
 
   module AddressMethods
     def to_name
@@ -31,8 +31,9 @@ class Dmail < ActiveRecord::Base
       self.to_id = User.name_to_id(name)
     end
 
-    def initialize_from_id
-      self.from_id = CurrentUser.id
+    def initialize_attributes
+      self.from_id ||= CurrentUser.id
+      self.creator_ip_addr ||= CurrentUser.ip_addr
     end
   end