Raise error on unpermitted params.

Fail loudly if we forget to whitelist a param instead of silently ignoring it. misc models: convert to strong params. artist commentaries: convert to strong params. * Disallow changing or setting post_id to a nonexistent post. artists: convert to strong params. * Disallow setting `is_banned` in create/update actions. Changing it this way instead of with the ban/unban actions would leave the artist in a partially banned state. bans: convert to strong params. * Disallow changing the user_id after the ban has been created. comments: convert to strong params. favorite groups: convert to strong params. news updates: convert to strong params. post appeals: convert to strong params. post flags: convert to strong params. * Disallow users from setting the `is_deleted` / `is_resolved` flags. ip bans: convert to strong params. user feedbacks: convert to strong params. * Disallow users from setting `disable_dmail_notification` when creating feedbacks. * Disallow changing the user_id after the feedback has been created. notes: convert to strong params. wiki pages: convert to strong params. * Also fix non-Builders being able to delete wiki pages. saved searches: convert to strong params. pools: convert to strong params. * Disallow setting `post_count` or `is_deleted` in create/update actions. janitor trials: convert to strong params. post disapprovals: convert to strong params. * Factor out quick-mod bar to shared partial. * Fix quick-mod bar to use `Post#is_approvable?` to determine visibility of Approve button. dmail filters: convert to strong params. password resets: convert to strong params. user name change requests: convert to strong params. posts: convert to strong params. users: convert to strong params. * Disallow setting password_hash, last_logged_in_at, last_forum_read_at, has_mail, and dmail_filter_attributes[user_id]. * Remove initialize_default_image_size (dead code). uploads: convert to strong params. * Remove `initialize_status` because status already defaults to pending in the database. tag aliases/implications: convert to strong params. tags: convert to strong params. forum posts: convert to strong params. * Disallow changing the topic_id after creating the post. * Disallow setting is_deleted (destroy/undelete actions should be used instead). * Remove is_sticky / is_locked (nonexistent attributes). forum topics: convert to strong params. * merges https://github.com/evazion/danbooru/tree/wip-rails-5.1 * lock pg gem to 0.21 (1.0.0 is incompatible with rails 5.1.4) * switch to factorybot and change all references Co-authored-by: r888888888 <r888888888@gmail.com> Co-authored-by: evazion <noizave@gmail.com> add diffs
2018-04-02 10:51:26 -07:00
parent 01eda51020
commit abce4d2551
362 changed files with 4796 additions and 4799 deletions
--- a/app/controllers/moderator/bulk_reverts_controller.rb
+++ b/app/controllers/moderator/bulk_reverts_controller.rb
@@ -1,7 +1,7 @@
 module Moderator
  class BulkRevertsController < ApplicationController
-    before_filter :moderator_only
-    before_filter :init_constraints
+    before_action :moderator_only
+    before_action :init_constraints
    helper PostVersionsHelper
    rescue_from BulkRevert::ConstraintTooGeneralError, :with => :tag_constraint_too_general

--- a/app/controllers/moderator/dashboards_controller.rb
+++ b/app/controllers/moderator/dashboards_controller.rb
@@ -1,6 +1,6 @@
 module Moderator
  class DashboardsController < ApplicationController
-    before_filter :member_only
+    before_action :member_only
    helper :post_flags, :post_appeals

    def show
--- a/app/controllers/moderator/invitations_controller.rb
+++ b/app/controllers/moderator/invitations_controller.rb
@@ -1,6 +1,6 @@
 module Moderator
  class InvitationsController < ApplicationController
-    before_filter :moderator_only
+    before_action :moderator_only

    def new
    end
--- a/app/controllers/moderator/ip_addrs_controller.rb
+++ b/app/controllers/moderator/ip_addrs_controller.rb
@@ -1,6 +1,6 @@
 module Moderator
  class IpAddrsController < ApplicationController
-    before_filter :moderator_only
+    before_action :moderator_only

    def index
      @search = IpAddrSearch.new(params[:search])
--- a/app/controllers/moderator/post/approvals_controller.rb
+++ b/app/controllers/moderator/post/approvals_controller.rb
@@ -1,8 +1,8 @@
 module Moderator
  module Post
    class ApprovalsController < ApplicationController
-      before_filter :approver_only
-      skip_before_filter :api_check
+      before_action :approver_only
+      skip_before_action :api_check
      respond_to :json, :xml, :js

      def create
--- a/app/controllers/moderator/post/disapprovals_controller.rb
+++ b/app/controllers/moderator/post/disapprovals_controller.rb
@@ -1,13 +1,20 @@
 module Moderator
  module Post
    class DisapprovalsController < ApplicationController
-      before_filter :approver_only
-      skip_before_filter :api_check
+      before_action :approver_only
+      skip_before_action :api_check
+      respond_to :js, :json, :xml

      def create
        cookies.permanent[:moderated] = Time.now.to_i
-        @post = ::Post.find(params[:post_id])
-        @post_disapproval = PostDisapproval.create(:post => @post, :user => CurrentUser.user, :reason => params[:reason] || "disinterest", :message => params[:message])
+        @post_disapproval = PostDisapproval.create(post_disapproval_params)
+        respond_with(@post_disapproval)
+      end
+
+      private
+
+      def post_disapproval_params
+        params.require(:post_disapproval).permit(%i[post_id reason message])
      end
    end
  end
--- a/app/controllers/moderator/post/posts_controller.rb
+++ b/app/controllers/moderator/post/posts_controller.rb
@@ -1,9 +1,9 @@
 module Moderator
  module Post
    class PostsController < ApplicationController
-      before_filter :approver_only, :only => [:delete, :undelete, :move_favorites, :ban, :unban, :confirm_delete, :confirm_move_favorites, :confirm_ban]
-      before_filter :admin_only, :only => [:expunge]
-      skip_before_filter :api_check
+      before_action :approver_only, :only => [:delete, :undelete, :move_favorites, :ban, :unban, :confirm_delete, :confirm_move_favorites, :confirm_ban]
+      before_action :admin_only, :only => [:expunge]
+      skip_before_action :api_check

      respond_to :html, :json, :xml

--- a/app/controllers/moderator/post/queues_controller.rb
+++ b/app/controllers/moderator/post/queues_controller.rb
@@ -4,8 +4,8 @@ module Moderator
      RANDOM_COUNT = 12
      
      respond_to :html, :json
-      before_filter :approver_only
-      skip_before_filter :api_check
+      before_action :approver_only
+      skip_before_action :api_check

      def show
        cookies.permanent[:moderated] = Time.now.to_i
--- a/app/controllers/moderator/tags_controller.rb
+++ b/app/controllers/moderator/tags_controller.rb
@@ -1,6 +1,6 @@
 module Moderator
  class TagsController < ApplicationController
-    before_filter :moderator_only
+    before_action :moderator_only
    rescue_from TagBatchChange::Error, :with => :error

    def edit