From 1400f64338a27966d225d15c69040298931808a5 Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 23 Feb 2017 20:01:32 -0600
Subject: [PATCH] dmails_controller.rb: convert to strong params.
---
 app/controllers/dmails_controller.rb | 8 ++++++--
 app/models/dmail.rb | 9 +++++----
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/app/controllers/dmails_controller.rb b/app/controllers/dmails_controller.rb
index de6619fc7..97e19a1d7 100644
--- a/app/controllers/dmails_controller.rb
+++ b/app/controllers/dmails_controller.rb
@@ -9,7 +9,7 @@ class DmailsController < ApplicationController
 check_privilege(parent)
 @dmail = parent.build_response(:forward => params[:forward])
 else
- @dmail = Dmail.new(params[:dmail])
+ @dmail = Dmail.new(create_params)
 end
 respond_with(@dmail)
@@ -39,7 +39,7 @@ class DmailsController < ApplicationController
 end
 def create
- @dmail = Dmail.create_split(params[:dmail].merge(:creator_ip_addr => request.remote_ip))
+ @dmail = Dmail.create_split(create_params)
 respond_with(@dmail)
 end
@@ -66,4 +66,8 @@ private
 raise User::PrivilegeError
 end
 end
+
+ def create_params
+ params.fetch(:dmail, {}).permit(:title, :body, :to_name, :to_id)
+ end
 end
diff --git a/app/models/dmail.rb b/app/models/dmail.rb
index b60b207f5..dba81634d 100644
--- a/app/models/dmail.rb
+++ b/app/models/dmail.rb
@@ -2,7 +2,6 @@ require 'digest/sha1'
 class Dmail < ActiveRecord::Base
 with_options on: :create do
- before_validation :initialize_from_id
 validates_presence_of :to_id
 validates_presence_of :from_id
 validates_format_of :title, :with => /\S/
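Review bot: In the added `create_params`, `params.fetch(:dmail, {})` returns whatever the client sent under `dmail`, so a scalar value (`dmail=x`) comes back as a String and the chained `.permit` raises NoMethodError, which would normally surface as a server error rather than a client error. Both `new` and `create` in the two earlier hunks now go through this helper, so either action is affected by a malformed request. I would fetch into a local first and reject non-hash input explicitly, e.g. `raise ActionController::BadRequest, "dmail must be a hash" unless dmail.respond_to?(:permit)` before calling `dmail.permit(...)`. The controller class body starts outside this hunk.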
@@ -13,10 +12,11 @@ class Dmail < ActiveRecord::Base
 belongs_to :owner, :class_name => "User"
 belongs_to :to, :class_name => "User"
 belongs_to :from, :class_name => "User"
+
+ after_initialize :initialize_attributes, if: :new_record?
 before_create :auto_read_if_filtered
 after_create :update_recipient
 after_create :send_dmail
- attr_accessible :title, :body, :is_deleted, :to_id, :to, :to_name, :creator_ip_addr
 module AddressMethods
 def to_name
@@ -31,8 +31,9 @@ class Dmail < ActiveRecord::Base
 self.to_id = User.name_to_id(name)
 end
- def initialize_from_id
- self.from_id = CurrentUser.id
+ def initialize_attributes
+ self.from_id ||= CurrentUser.id
+ self.creator_ip_addr ||= CurrentUser.ip_addr
 end
 end
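Review bot: `initialize_attributes` fills `from_id` and `creator_ip_addr` with `||=`, so a value supplied by the caller is kept, whereas the removed `initialize_from_id` overwrote `from_id` with `CurrentUser.id` before validation on create. Together with the removal of `attr_accessible` in the previous hunk, the only thing keeping a client from choosing the sender or the recorded IP is that `create_params` omits those keys; the model itself no longer enforces it. If the `||=` is intentional for callers that set a different sender (none are visible in this diff), state that above the method, e.g. `# from_id and creator_ip_addr are trusted when set by the caller; never add them to a controller permit list.` `creator_ip_addr` now also depends on `CurrentUser.ip_addr` having been set for the request instead of on `request.remote_ip`, and where that happens is not shown here. The enclosing module starts outside the hunk.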