Fix mass assignment vuln in comment update action (#2704).

Prevents mass assignment of `post_id`, `do_not_bump_post`, and `is_deleted`.
2016-10-06 09:14:34 +00:00
parent ab5fd48280
commit 8c8f4a6a8f
2 changed files with 23 additions and 1 deletions
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -23,7 +23,7 @@ class CommentsController < ApplicationController
  def update
    @comment = Comment.find(params[:id])
    check_privilege(@comment)
-    @comment.update_attributes(params[:comment])
+    @comment.update_attributes(params[:comment].permit(:body))
    respond_with(@comment, :location => post_path(@comment.post_id))
  end