Fix mass assignment vuln to tag alias/implication status (2704).

app/controllers/tag_aliases_controller.rb

@@ -15,7 +15,7 @@ class TagAliasesController < ApplicationController
     @tag_alias = TagAlias.find(params[:id])
 
     if @tag_alias.is_pending? && @tag_alias.editable_by?(CurrentUser.user)
-      @tag_alias.update_attributes(params[:tag_alias])
+      @tag_alias.update_attributes(update_params)
     end
 
     respond_with(@tag_alias)
@@ -46,4 +46,10 @@ class TagAliasesController < ApplicationController
     @tag_alias.approve!(CurrentUser.user.id)
     respond_with(@tag_alias, :location => tag_alias_path(@tag_alias))
   end
+
+private
+
+  def update_params
+    params.require(:tag_alias).permit(:antecedent_name, :consequent_name, :forum_topic_id)
+  end
 end

app/controllers/tag_implications_controller.rb

@@ -15,7 +15,7 @@ class TagImplicationsController < ApplicationController
     @tag_implication = TagImplication.find(params[:id])
 
     if @tag_implication.is_pending? && @tag_implication.editable_by?(CurrentUser.user)
-      @tag_implication.update_attributes(params[:tag_implication])
+      @tag_implication.update_attributes(update_params)
     end
 
     respond_with(@tag_implication)
@@ -51,4 +51,10 @@ class TagImplicationsController < ApplicationController
     @tag_implication.approve!(CurrentUser.user.id)
     respond_with(@tag_implication, :location => tag_implication_path(@tag_implication))
   end
+
+private
+
+  def update_params
+    params.require(:tag_implication).permit(:antecedent_name, :consequent_name, :forum_topic_id)
+  end
 end