Raise error on unpermitted params.

Fail loudly if we forget to whitelist a param instead of silently
ignoring it.

misc models: convert to strong params.

artist commentaries: convert to strong params.

* Disallow changing or setting post_id to a nonexistent post.

artists: convert to strong params.

* Disallow setting `is_banned` in create/update actions. Changing it
  this way instead of with the ban/unban actions would leave the artist in
  a partially banned state.

bans: convert to strong params.

* Disallow changing the user_id after the ban has been created.

comments: convert to strong params.

favorite groups: convert to strong params.

news updates: convert to strong params.

post appeals: convert to strong params.

post flags: convert to strong params.

* Disallow users from setting the `is_deleted` / `is_resolved` flags.

ip bans: convert to strong params.

user feedbacks: convert to strong params.

* Disallow users from setting `disable_dmail_notification` when creating feedbacks.
* Disallow changing the user_id after the feedback has been created.

notes: convert to strong params.

wiki pages: convert to strong params.

* Also fix non-Builders being able to delete wiki pages.

saved searches: convert to strong params.

pools: convert to strong params.

* Disallow setting `post_count` or `is_deleted` in create/update actions.

janitor trials: convert to strong params.

post disapprovals: convert to strong params.

* Factor out quick-mod bar to shared partial.
* Fix quick-mod bar to use `Post#is_approvable?` to determine visibility
  of Approve button.

dmail filters: convert to strong params.

password resets: convert to strong params.

user name change requests: convert to strong params.

posts: convert to strong params.

users: convert to strong params.

* Disallow setting password_hash, last_logged_in_at, last_forum_read_at,
  has_mail, and dmail_filter_attributes[user_id].

* Remove initialize_default_image_size (dead code).

uploads: convert to strong params.

* Remove `initialize_status` because status already defaults to pending
  in the database.

tag aliases/implications: convert to strong params.

tags: convert to strong params.

forum posts: convert to strong params.

* Disallow changing the topic_id after creating the post.
* Disallow setting is_deleted (destroy/undelete actions should be used instead).
* Remove is_sticky / is_locked (nonexistent attributes).

forum topics: convert to strong params.

* merges https://github.com/evazion/danbooru/tree/wip-rails-5.1
* lock pg gem to 0.21 (1.0.0 is incompatible with rails 5.1.4)
* switch to factorybot and change all references

Co-authored-by: r888888888 <r888888888@gmail.com>
Co-authored-by: evazion <noizave@gmail.com>

add diffs

app/logical/anonymous_user.rb

@@ -230,7 +230,7 @@ class AnonymousUser
   end
 
   def saved_searches
-    []
+    SavedSearch.where(false)
   end
 
   def has_saved_searches?

app/logical/current_user.rb

@@ -14,6 +14,10 @@ class CurrentUser
     end
   end
 
+  def self.as(user, &block)
+    scoped(user, &block)
+  end
+
   def self.as_admin(&block)
     if block_given?
       scoped(User.admins.first, "127.0.0.1", &block)
@@ -83,10 +87,6 @@ class CurrentUser
   end
 
   def self.method_missing(method, *params, &block)
-    if user.respond_to?(method)
-      user.__send__(method, *params, &block)
-    else
-      super
-    end
+    user.__send__(method, *params, &block)
   end
 end

app/logical/forum_updater.rb

@@ -21,10 +21,7 @@ class ForumUpdater
   end
 
   def create_response(body)
-    forum_topic.posts.create({
-      :body => body,
-      :skip_mention_notifications => true
-    }, :without_protection => true)
+    forum_topic.posts.create(body: body, skip_mention_notifications: true)
   end
 
   def update_title(title_tag)
@@ -34,6 +31,6 @@ class ForumUpdater
   end
 
   def update_post(body)
-    forum_post.update({:body => "#{forum_post.body}\n\nEDIT: #{body}", :skip_mention_notifications => true }, :without_protection => true)
+    forum_post.update(body: "#{forum_post.body}\n\nEDIT: #{body}", skip_mention_notifications: true)
   end
 end

app/logical/mentionable.rb

@@ -23,11 +23,11 @@ module Mentionable
 
   def queue_mention_messages
     message_field = self.class.mentionable_option(:message_field)
-    return if !send("#{message_field}_changed?")
+    return if !send(:saved_change_to_attribute?, message_field)
     return if self.skip_mention_notifications
 
     text = send(message_field)
-    text_was = send("#{message_field}_was")
+    text_was = send(:attribute_before_last_save, message_field)
 
     names = DText.parse_mentions(text) - DText.parse_mentions(text_was)
 

app/logical/post_pruner.rb

@@ -36,6 +36,6 @@ protected
   end
 
   def prune_mod_actions!
-    ModAction.destroy_all(["creator_id = ? and description like ?", User.system.id, "deleted post %"])
+    ModAction.where(["creator_id = ? and description like ?", User.system.id, "deleted post %"]).destroy_all
   end
 end

app/logical/post_query_builder.rb

@@ -291,13 +291,13 @@ class PostQueryBuilder
 
     if q[:note_updater_ids]
       q[:note_updater_ids].each do |note_updater_id|
-        relation = relation.where("posts.id IN (?)", NoteVersion.unscoped.where("updater_id = ?", note_updater_id).select("post_id").uniq)
+        relation = relation.where("posts.id IN (?)", NoteVersion.unscoped.where("updater_id = ?", note_updater_id).select("post_id").distinct)
       end
     end
 
     if q[:artcomm_ids]
       q[:artcomm_ids].each do |artcomm_id|
-        relation = relation.where("posts.id IN (?)", ArtistCommentaryVersion.unscoped.where("updater_id = ?", artcomm_id).select("post_id").uniq)
+        relation = relation.where("posts.id IN (?)", ArtistCommentaryVersion.unscoped.where("updater_id = ?", artcomm_id).select("post_id").distinct)
       end
     end
 

app/logical/session_loader.rb

@@ -14,7 +14,9 @@ class SessionLoader
     CurrentUser.user = AnonymousUser.new
     CurrentUser.ip_addr = request.remote_ip
 
-    if session[:user_id]
+    if Rails.env.test? && Thread.current[:test_user_id]
+      load_for_test(Thread.current[:test_user_id])
+    elsif session[:user_id]
       load_session_user
     elsif cookie_password_hash_valid?
       load_cookie_user
@@ -31,6 +33,11 @@ class SessionLoader
   end
 
 private
+
+  def load_for_test(user_id)
+    CurrentUser.user = User.find(user_id)
+    CurrentUser.ip_addr = "127.0.0.1"
+  end
   
   def set_statement_timeout
     timeout = CurrentUser.user.statement_timeout

app/logical/sources/strategies/twitter.rb

@@ -69,7 +69,7 @@ module Sources::Strategies
     # https://twitter.com/motty08111213/status/943446161586733056
     def self.status_id_from_url(url)
       if url =~ %r{\Ahttps?://(?:mobile\.)?twitter\.com/(?:i/web|\w+)/status/(\d+)}i
-        $1.to_i
+        $1
       else
         nil
       end

app/logical/tag_alias_request.rb

@@ -75,7 +75,7 @@ class TagAliasRequest
   end
 
   def skip_secondary_validations=(v)
-    if v == "1" or v == true
+    if v == "1" or v == true or v =~ /t/
       @skip_secondary_validations = true
     else
       @skip_secondary_validations = false

app/logical/tag_implication_request.rb

@@ -75,7 +75,7 @@ class TagImplicationRequest
   end
 
   def skip_secondary_validations=(v)
-    if v == "1" or v == true
+    if v == "1" or v == true or v =~ /t/
       @skip_secondary_validations = true
     else
       @skip_secondary_validations = false

app/logical/twitter_service.rb

@@ -3,7 +3,7 @@ class TwitterService
     raise "Twitter API keys not set" if Danbooru.config.twitter_api_key.nil?
 
     @client ||= begin
-      rest_client = Twitter::REST::Client.new do |config|
+      rest_client = ::Twitter::REST::Client.new do |config|
         config.consumer_key = Danbooru.config.twitter_api_key
         config.consumer_secret = Danbooru.config.twitter_api_secret
         if bearer_token = Cache.get("twitter-api-token")