Raise error on unpermitted params.

Fail loudly if we forget to whitelist a param instead of silently
ignoring it.

misc models: convert to strong params.

artist commentaries: convert to strong params.

* Disallow changing or setting post_id to a nonexistent post.

artists: convert to strong params.

* Disallow setting `is_banned` in create/update actions. Changing it
  this way instead of with the ban/unban actions would leave the artist in
  a partially banned state.

bans: convert to strong params.

* Disallow changing the user_id after the ban has been created.

comments: convert to strong params.

favorite groups: convert to strong params.

news updates: convert to strong params.

post appeals: convert to strong params.

post flags: convert to strong params.

* Disallow users from setting the `is_deleted` / `is_resolved` flags.

ip bans: convert to strong params.

user feedbacks: convert to strong params.

* Disallow users from setting `disable_dmail_notification` when creating feedbacks.
* Disallow changing the user_id after the feedback has been created.

notes: convert to strong params.

wiki pages: convert to strong params.

* Also fix non-Builders being able to delete wiki pages.

saved searches: convert to strong params.

pools: convert to strong params.

* Disallow setting `post_count` or `is_deleted` in create/update actions.

janitor trials: convert to strong params.

post disapprovals: convert to strong params.

* Factor out quick-mod bar to shared partial.
* Fix quick-mod bar to use `Post#is_approvable?` to determine visibility
  of Approve button.

dmail filters: convert to strong params.

password resets: convert to strong params.

user name change requests: convert to strong params.

posts: convert to strong params.

users: convert to strong params.

* Disallow setting password_hash, last_logged_in_at, last_forum_read_at,
  has_mail, and dmail_filter_attributes[user_id].

* Remove initialize_default_image_size (dead code).

uploads: convert to strong params.

* Remove `initialize_status` because status already defaults to pending
  in the database.

tag aliases/implications: convert to strong params.

tags: convert to strong params.

forum posts: convert to strong params.

* Disallow changing the topic_id after creating the post.
* Disallow setting is_deleted (destroy/undelete actions should be used instead).
* Remove is_sticky / is_locked (nonexistent attributes).

forum topics: convert to strong params.

* merges https://github.com/evazion/danbooru/tree/wip-rails-5.1
* lock pg gem to 0.21 (1.0.0 is incompatible with rails 5.1.4)
* switch to factorybot and change all references

Co-authored-by: r888888888 <r888888888@gmail.com>
Co-authored-by: evazion <noizave@gmail.com>

add diffs

Gemfile

@@ -2,13 +2,12 @@ source 'https://rubygems.org/'
 
 gem 'dotenv-rails', :require => "dotenv/rails-now"
 
-gem 'protected_attributes'
 gem "sass-rails"
 gem "sprockets-rails", :require => "sprockets/railtie"
 gem "uglifier"
 gem "therubyracer", :platforms => :ruby
-gem "rails", "~> 4.2.0"
+gem "rails", "~> 5.1"
-gem "pg", "0.21.0"
+gem "pg"
 gem "dalli", :platforms => :ruby
 gem "memcache-client", :platforms => [:mswin, :mingw, :x64_mingw]
 gem "tzinfo-data", :platforms => [:mswin, :mingw, :x64_mingw]
@@ -22,9 +21,9 @@ gem 'ruby-vips'
 gem 'net-sftp'
 gem 'term-ansicolor', :require => "term/ansicolor"
 gem 'diff-lcs', :require => "diff/lcs/array"
-gem 'bcrypt-ruby', :require => "bcrypt"
+gem 'bcrypt', :require => "bcrypt"
 gem 'statistics2'
-gem 'capistrano', '~> 3.4.0'
+gem 'capistrano', '~> 3.10'
 gem 'capistrano-rails'
 gem 'capistrano-rbenv'
 gem 'radix62', '~> 1.0.1'
@@ -48,6 +47,8 @@ gem 'addressable'
 gem 'httparty'
 gem 'rakismet'
 gem 'recaptcha', require: "recaptcha/rails"
+gem 'activemodel-serializers-xml'
+gem 'ptools'
 
 # needed for looser jpeg header compat
 gem 'ruby-imagespec', :require => "image_spec", :git => "https://github.com/r888888888/ruby-imagespec.git", :branch => "exif-fixes"
@@ -68,16 +69,16 @@ group :development, :test do
   gem 'pry-byebug'
   gem 'ruby-prof'
   gem 'foreman'
+  gem 'listen'
 end
 
 group :test do
   gem "shoulda-context"
   gem "shoulda-matchers"
-  gem "factory_girl"
+  gem "factory_bot"
   gem "mocha", :require => "mocha/setup"
   gem "ffaker"
   gem "simplecov", :require => false
   gem "timecop"
   gem "webmock"
-  gem "test_after_commit" # XXX remove me after upgrading to rails 5.
 end

Gemfile.lock

@@ -9,7 +9,7 @@ GIT
 
 GIT
   remote: https://github.com/r888888888/dtext_rb.git
-  revision: e343c4572e7a72666123984679e6cf90badd473d
+  revision: 47f238ec378be0933fcd7eccf1904fbd1f8d8613
   specs:
     dtext_rb (1.7.0)
       nokogiri (~> 1.8)
@@ -24,76 +24,82 @@ GIT
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.2.8)
+    actioncable (5.1.6)
-      actionpack (= 4.2.8)
+      actionpack (= 5.1.6)
-      actionview (= 4.2.8)
+      nio4r (~> 2.0)
-      activejob (= 4.2.8)
+      websocket-driver (~> 0.6.1)
+    actionmailer (5.1.6)
+      actionpack (= 5.1.6)
+      actionview (= 5.1.6)
+      activejob (= 5.1.6)
       mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-dom-testing (~> 2.0)
-    actionpack (4.2.8)
+    actionpack (5.1.6)
-      actionview (= 4.2.8)
+      actionview (= 5.1.6)
-      activesupport (= 4.2.8)
+      activesupport (= 5.1.6)
-      rack (~> 1.6)
+      rack (~> 2.0)
-      rack-test (~> 0.6.2)
+      rack-test (>= 0.6.3)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.8)
+    actionview (5.1.6)
-      activesupport (= 4.2.8)
+      activesupport (= 5.1.6)
       builder (~> 3.1)
-      erubis (~> 2.7.0)
+      erubi (~> 1.4)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (4.2.8)
+    activejob (5.1.6)
-      activesupport (= 4.2.8)
+      activesupport (= 5.1.6)
-      globalid (>= 0.3.0)
+      globalid (>= 0.3.6)
-    activemodel (4.2.8)
+    activemodel (5.1.6)
-      activesupport (= 4.2.8)
+      activesupport (= 5.1.6)
+    activemodel-serializers-xml (1.0.2)
+      activemodel (> 5.x)
+      activesupport (> 5.x)
       builder (~> 3.1)
-    activerecord (4.2.8)
+    activerecord (5.1.6)
-      activemodel (= 4.2.8)
+      activemodel (= 5.1.6)
-      activesupport (= 4.2.8)
+      activesupport (= 5.1.6)
-      arel (~> 6.0)
+      arel (~> 8.0)
-    activesupport (4.2.8)
+    activesupport (5.1.6)
-      i18n (~> 0.7)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
-      thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
     addressable (2.5.2)
       public_suffix (>= 2.0.2, < 4.0)
-    arel (6.0.4)
+    airbrussh (1.3.0)
+      sshkit (>= 1.6.1, != 1.7.0)
+    arel (8.0.0)
     awesome_print (1.8.0)
-    aws-sdk (2.10.122)
+    aws-sdk (2.10.125)
-      aws-sdk-resources (= 2.10.122)
+      aws-sdk-resources (= 2.10.125)
-    aws-sdk-core (2.10.122)
+    aws-sdk-core (2.10.125)
       aws-sigv4 (~> 1.0)
       jmespath (~> 1.0)
-    aws-sdk-resources (2.10.122)
+    aws-sdk-resources (2.10.125)
-      aws-sdk-core (= 2.10.122)
+      aws-sdk-core (= 2.10.125)
     aws-sigv4 (1.0.2)
     bcrypt (3.1.11)
     bcrypt (3.1.11-x64-mingw32)
-    bcrypt-ruby (3.1.5)
-      bcrypt (>= 3.1.3)
-    bcrypt-ruby (3.1.5-x64-mingw32)
-      bcrypt (>= 3.1.3)
     bootsnap (1.1.8)
       msgpack (~> 1.0)
     buftok (0.2.0)
     builder (3.2.3)
-    byebug (9.1.0)
+    byebug (10.0.2)
-    capistrano (3.4.0)
+    capistrano (3.10.1)
+      airbrussh (>= 1.0.0)
       i18n
       rake (>= 10.0.0)
-      sshkit (~> 1.3)
+      sshkit (>= 1.9.0)
-    capistrano-bundler (1.1.4)
+    capistrano-bundler (1.3.0)
       capistrano (~> 3.1)
       sshkit (~> 1.2)
-    capistrano-deploytags (1.0.4)
+    capistrano-deploytags (1.0.7)
-      capistrano (>= 3.2.0)
+      capistrano (>= 3.7.0)
-    capistrano-rails (1.1.3)
+    capistrano-rails (1.3.1)
       capistrano (~> 3.1)
       capistrano-bundler (~> 1.1)
-    capistrano-rbenv (2.0.3)
+    capistrano-rbenv (2.1.3)
       capistrano (~> 3.1)
       sshkit (~> 1.3)
     capistrano3-unicorn (0.2.1)
@@ -121,15 +127,17 @@ GEM
       dotenv (= 2.2.1)
       railties (>= 3.2, < 5.2)
     equalizer (0.0.11)
-    erubis (2.7.0)
+    erubi (1.7.1)
     execjs (2.7.0)
-    factory_girl (4.8.0)
+    factory_bot (4.8.2)
       activesupport (>= 3.0.0)
-    faraday (0.10.1)
+    faraday (0.12.2)
       multipart-post (>= 1.2, < 3)
     ffaker (2.8.1)
     ffi (1.9.18)
     ffi (1.9.18-x64-mingw32)
+    ffi-win32-extensions (1.0.3)
+      ffi
     foreman (0.63.0)
       dotenv (>= 0.7)
       thor (>= 0.13.6)
@@ -149,8 +157,8 @@ GEM
       mime-types (>= 1.6)
       representable (~> 2.3.0)
       retriable (~> 2.0)
-    googleauth (0.5.1)
+    googleauth (0.5.3)
-      faraday (~> 0.9)
+      faraday (~> 0.12)
       jwt (~> 1.4)
       logging (~> 2.0)
       memoist (~> 0.12)
@@ -159,32 +167,35 @@ GEM
       signet (~> 0.7)
     hashdiff (0.3.7)
     highline (1.7.10)
-    hike (1.2.3)
+    http (3.0.0)
-    http (2.2.2)
       addressable (~> 2.3)
       http-cookie (~> 1.0)
-      http-form_data (~> 1.0.1)
+      http-form_data (>= 2.0.0.pre.pre2, < 3)
       http_parser.rb (~> 0.6.0)
     http-cookie (1.0.3)
       domain_name (~> 0.5)
-    http-form_data (1.0.3)
+    http-form_data (2.0.0)
     http_parser.rb (0.6.0)
     httparty (0.15.6)
       multi_xml (>= 0.5.2)
     httpclient (2.8.3)
     hurley (0.2)
-    i18n (0.9.1)
+    i18n (1.0.0)
       concurrent-ruby (~> 1.0)
     jmespath (1.3.1)
-    json (1.8.6)
+    json (2.1.0)
     jwt (1.5.6)
-    kgio (2.11.1)
+    kgio (2.11.2)
     libv8 (3.16.14.19)
+    listen (3.1.5)
+      rb-fsevent (~> 0.9, >= 0.9.4)
+      rb-inotify (~> 0.9, >= 0.9.7)
+      ruby_dep (~> 1.2)
     little-plugger (1.1.4)
     logging (2.2.2)
       little-plugger (~> 1.1)
       multi_json (~> 1.10)
-    loofah (2.1.1)
+    loofah (2.2.2)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.0)
@@ -205,10 +216,12 @@ GEM
       thread_safe (~> 0.3, >= 0.3.1)
     metaclass (0.0.4)
     method_source (0.9.0)
-    mime-types (2.99.3)
+    mime-types (3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0521)
     mini_mime (1.0.0)
     mini_portile2 (2.3.0)
-    minitest (5.11.1)
+    minitest (5.11.3)
     mocha (1.3.0)
       metaclass (~> 0.0.1)
     msgpack (1.2.2)
@@ -224,13 +237,13 @@ GEM
     net-sftp (2.1.2)
       net-ssh (>= 2.6.5)
     net-ssh (4.2.0)
-    netrc (0.11.0)
+    newrelic_rpm (4.8.0.341)
-    newrelic_rpm (4.7.1.340)
+    nio4r (2.3.0)
-    nokogiri (1.8.1)
+    nokogiri (1.8.2)
       mini_portile2 (~> 2.3.0)
-    nokogiri (1.8.1-x64-mingw32)
+    nokogiri (1.8.2-x64-mingw32)
       mini_portile2 (~> 2.3.0)
-    nokogumbo (1.4.13)
+    nokogumbo (1.5.0)
       nokogiri
     ntlm-http (0.1.1)
     oauth2 (1.4.0)
@@ -242,50 +255,50 @@ GEM
     os (0.9.6)
     pg (0.21.0)
     pg (0.21.0-x64-mingw32)
-    protected_attributes (1.1.4)
-      activemodel (>= 4.0.1, < 5.0)
     pry (0.11.3)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    pry-byebug (3.5.1)
+    pry-byebug (3.6.0)
-      byebug (~> 9.1)
+      byebug (~> 10.0)
       pry (~> 0.10)
+    ptools (1.3.5)
+    ptools (1.3.5-universal-mingw32)
+      win32-file (>= 0.7.0)
     public_suffix (3.0.1)
-    rack (1.6.8)
+    rack (2.0.4)
-    rack-test (0.6.3)
+    rack-test (1.0.0)
-      rack (>= 1.0)
+      rack (>= 1.0, < 3)
     radix62 (1.0.1)
-    rails (4.2.8)
+    rails (5.1.6)
-      actionmailer (= 4.2.8)
+      actioncable (= 5.1.6)
-      actionpack (= 4.2.8)
+      actionmailer (= 5.1.6)
-      actionview (= 4.2.8)
+      actionpack (= 5.1.6)
-      activejob (= 4.2.8)
+      actionview (= 5.1.6)
-      activemodel (= 4.2.8)
+      activejob (= 5.1.6)
-      activerecord (= 4.2.8)
+      activemodel (= 5.1.6)
-      activesupport (= 4.2.8)
+      activerecord (= 5.1.6)
-      bundler (>= 1.3.0, < 2.0)
+      activesupport (= 5.1.6)
-      railties (= 4.2.8)
+      bundler (>= 1.3.0)
-      sprockets-rails
+      railties (= 5.1.6)
-    rails-deprecated_sanitizer (1.0.3)
+      sprockets-rails (>= 2.0.0)
-      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (2.0.3)
-    rails-dom-testing (1.0.9)
+      activesupport (>= 4.2.0)
-      activesupport (>= 4.2.0, < 5.0)
+      nokogiri (>= 1.6)
-      nokogiri (~> 1.6)
+    rails-html-sanitizer (1.0.4)
-      rails-deprecated_sanitizer (>= 1.0.1)
+      loofah (~> 2.2, >= 2.2.2)
-    rails-html-sanitizer (1.0.3)
+    railties (5.1.6)
-      loofah (~> 2.0)
+      actionpack (= 5.1.6)
-    railties (4.2.8)
+      activesupport (= 5.1.6)
-      actionpack (= 4.2.8)
+      method_source
-      activesupport (= 4.2.8)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     raindrops (0.19.0)
-    rake (12.3.0)
+    rake (12.3.1)
     rakismet (1.5.4)
     rb-fsevent (0.10.2)
     rb-inotify (0.9.10)
       ffi (>= 0.5.0, < 2)
-    recaptcha (4.6.3)
+    recaptcha (4.6.4)
       json
     ref (2.0.0)
     representable (2.3.0)
@@ -293,25 +306,17 @@ GEM
     responders (2.4.0)
       actionpack (>= 4.2.0, < 5.3)
       railties (>= 4.2.0, < 5.3)
-    rest-client (1.8.0)
-      http-cookie (>= 1.0.2, < 2.0)
-      mime-types (>= 1.16, < 3.0)
-      netrc (~> 0.7)
-    rest-client (1.8.0-x64-mingw32)
-      ffi (~> 1.9)
-      http-cookie (>= 1.0.2, < 2.0)
-      mime-types (>= 1.16, < 3.0)
-      netrc (~> 0.7)
     retriable (2.1.0)
     ruby-prof (0.17.0)
     ruby-vips (2.0.9)
       ffi (~> 1.9)
+    ruby_dep (1.5.0)
     rubyzip (1.2.1)
     safe_yaml (1.0.4)
-    sanitize (4.5.0)
+    sanitize (4.6.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.4.4)
-      nokogumbo (~> 1.4.1)
+      nokogumbo (~> 1.4)
     sass (3.5.5)
       sass-listen (~> 4.0.0)
     sass-listen (4.0.0)
@@ -340,52 +345,48 @@ GEM
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
-    sprockets (2.12.4)
+    sprockets (3.7.1)
-      hike (~> 1.2)
+      concurrent-ruby (~> 1.0)
-      multi_json (~> 1.0)
+      rack (> 1, < 3)
-      rack (~> 1.0)
+    sprockets-rails (3.2.1)
-      tilt (~> 1.1, != 1.3.0)
+      actionpack (>= 4.0)
-    sprockets-rails (2.3.3)
+      activesupport (>= 4.0)
-      actionpack (>= 3.0)
+      sprockets (>= 3.0.0)
-      activesupport (>= 3.0)
-      sprockets (>= 2.8, < 4.0)
     sshkit (1.15.1)
       net-scp (>= 1.1.2)
       net-ssh (>= 2.8.0)
     statistics2 (0.54)
     streamio-ffmpeg (3.0.2)
       multi_json (~> 1.8)
-    stripe (1.25.0)
+    stripe (3.9.1)
-      json (~> 1.8.1)
+      faraday (~> 0.10)
-      rest-client (~> 1.4)
     term-ansicolor (1.6.0)
       tins (~> 1.0)
-    test_after_commit (1.1.0)
-      activerecord (>= 3.2)
     therubyracer (0.12.3)
       libv8 (~> 3.16.14.15)
       ref
     thor (0.20.0)
     thread_safe (0.3.6)
-    tilt (1.4.1)
+    tilt (2.0.8)
     timecop (0.9.1)
     tins (1.16.3)
-    twitter (6.0.0)
+    twitter (6.2.0)
-      addressable (~> 2.5)
+      addressable (~> 2.3)
       buftok (~> 0.2.0)
-      equalizer (= 0.0.11)
+      equalizer (~> 0.0.11)
-      faraday (~> 0.10.0)
+      http (~> 3.0)
-      http (~> 2.1)
+      http-form_data (~> 2.0)
       http_parser.rb (~> 0.6.0)
-      memoizable (~> 0.4.2)
+      memoizable (~> 0.4.0)
-      naught (~> 1.1)
+      multipart-post (~> 2.0)
-      simple_oauth (~> 0.3.1)
+      naught (~> 1.0)
-    tzinfo (1.2.4)
+      simple_oauth (~> 0.3.0)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2017.3)
+    tzinfo-data (1.2018.3)
       tzinfo (>= 1.0.0)
     uber (0.0.15)
-    uglifier (4.1.3)
+    uglifier (4.1.5)
       execjs (>= 0.3.0, < 3)
     unf (0.1.4)
       unf_ext
@@ -402,8 +403,18 @@ GEM
       crack (>= 0.3.2)
       hashdiff
     webrobots (0.1.2)
+    websocket-driver (0.6.5)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.3)
     whenever (0.10.0)
       chronic (>= 0.6.3)
+    win32-file (0.8.1)
+      ffi
+      ffi-win32-extensions
+      win32-file-stat (>= 1.4.0)
+    win32-file-stat (1.5.5)
+      ffi
+      ffi-win32-extensions
     win32console (1.3.2)
 
 PLATFORMS
@@ -411,13 +422,14 @@ PLATFORMS
   x64-mingw32
 
 DEPENDENCIES
+  activemodel-serializers-xml
   addressable
   awesome_print
   aws-sdk (~> 2)
-  bcrypt-ruby
+  bcrypt
   bigquery!
   bootsnap
-  capistrano (~> 3.4.0)
+  capistrano (~> 3.10)
   capistrano-deploytags (~> 1.0.0)
   capistrano-rails
   capistrano-rbenv
@@ -430,12 +442,13 @@ DEPENDENCIES
   diff-lcs
   dotenv-rails
   dtext_rb!
-  factory_girl
+  factory_bot
   ffaker
   foreman
   google-api-client
   highline
   httparty
+  listen
   mechanize
   memcache-client
   memcache_mock
@@ -444,11 +457,11 @@ DEPENDENCIES
   net-sftp
   newrelic_rpm
   oauth2
-  pg (= 0.21.0)
+  pg
-  protected_attributes
   pry-byebug
+  ptools
   radix62 (~> 1.0.1)
-  rails (~> 4.2.0)
+  rails (~> 5.1)
   rakismet
   recaptcha
   responders
@@ -467,7 +480,6 @@ DEPENDENCIES
   streamio-ffmpeg
   stripe
   term-ansicolor
-  test_after_commit
   therubyracer
   timecop
   twitter

app/assets/javascripts/mod_queue.js

@@ -56,23 +56,17 @@
   }
 
   Danbooru.ModQueue.detailed_rejection_dialog = function() {
-    $("#post_id").val($(this).data("post-id"));
+    $("#post_disapproval_post_id").val($(this).data("post-id"));
 
     $("#detailed-rejection-dialog").dialog({
       width: 500,
       buttons: {
         "Submit": function() {
-          var data = $("#detailed-rejection-form").serialize();
+          $(this).find("form").submit();
-          $.ajax({
+          $(this).dialog("close");
-            type: "POST",
-            url: $("#detailed-rejection-form").attr("action"),
-            data: data,
-            dataType: "script"
-          });
-          $("#detailed-rejection-dialog").dialog("close");
         },
         "Cancel": function() {
-          $("#detailed-rejection-dialog").dialog("close");
+          $(this).dialog("close");
         }
       }
     });

app/assets/javascripts/posts.js

@@ -628,6 +628,8 @@
     });
 
     $("#save-search").click(function(e) {
+      $("#save-search-dialog #saved_search_query").val($("#tags").val());
+
       if (Danbooru.meta("disable-labeled-saved-searches") === "false") {
         $("#save-search-dialog").dialog("open");
       } else {

app/controllers/admin/alias_and_implication_imports_controller.rb

@@ -1,6 +1,6 @@
 module Admin
   class AliasAndImplicationImportsController < ApplicationController
-    before_filter :admin_only
+    before_action :admin_only
 
     def new
     end

app/controllers/admin/users_controller.rb

@@ -1,6 +1,6 @@
 module Admin
   class UsersController < ApplicationController
-    before_filter :moderator_only
+    before_action :moderator_only
 
     def edit
       @user = User.find(params[:id])

app/controllers/application_controller.rb

@@ -1,25 +1,26 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
   helper :pagination
-  before_filter :reset_current_user
+  before_action :reset_current_user
-  before_filter :set_current_user
+  before_action :set_current_user
-  after_filter :reset_current_user
+  after_action :reset_current_user
-  before_filter :set_title
+  before_action :set_title
-  before_filter :normalize_search
+  before_action :normalize_search
-  before_filter :set_started_at_session
+  before_action :set_started_at_session
-  before_filter :api_check
+  before_action :api_check
-  before_filter :set_safe_mode
+  before_action :set_safe_mode
-  # before_filter :secure_cookies_check
+  # before_action :secure_cookies_check
   layout "default"
   force_ssl :if => :ssl_login?
   helper_method :show_moderation_notice?
-  before_filter :enable_cors
+  before_action :enable_cors
 
   rescue_from Exception, :with => :rescue_exception
   rescue_from User::PrivilegeError, :with => :access_denied
   rescue_from SessionLoader::AuthenticationFailure, :with => :authentication_failed
   rescue_from Danbooru::Paginator::PaginationError, :with => :render_pagination_limit
   rescue_from PG::ConnectionBad, with: :bad_db_connection
+  rescue_from ActionController::UnpermittedParameters, :with => :access_denied
 
   # This is raised on requests to `/blah.js`. Rails has already rendered StaticController#not_found
   # here, so calling `rescue_exception` would cause a double render error.
@@ -93,6 +94,13 @@ class ApplicationController < ActionController::Base
   def rescue_exception(exception)
     @exception = exception
 
+    if Rails.env.test? && ENV["DEBUG"]
+      puts "---"
+      STDERR.puts("#{exception.class} exception thrown: #{exception.message}")
+      exception.backtrace.each {|x| STDERR.puts(x)}
+      puts "---"
+    end
+
     if exception.is_a?(::ActiveRecord::StatementInvalid) && exception.to_s =~ /statement timeout/
       if Rails.env.production?
         NewRelic::Agent.notice_error(exception, :uri => request.original_url, :referer => request.referer, :request_params => params, :custom_params => {:user_id => CurrentUser.user.id, :user_ip_addr => CurrentUser.ip_addr})
@@ -159,7 +167,7 @@ class ApplicationController < ActionController::Base
         render :json => {:success => false, :reason => "access denied"}.to_json, :status => 403
       end
       fmt.js do
-        render :nothing => true, :status => 403
+        render js: "", :status => 403
       end
     end
   end
@@ -212,6 +220,10 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def search_params
+    params.fetch(:search, {}).permit!
+  end
+
   def set_safe_mode
     CurrentUser.set_safe_mode(request)
   end

app/controllers/artist_commentaries_controller.rb

@@ -1,9 +1,9 @@
 class ArtistCommentariesController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only, :except => [:index, :show]
+  before_action :member_only, :except => [:index, :show]
 
   def index
-    @commentaries = ArtistCommentary.search(params[:search]).paginate(params[:page], :limit => params[:limit])
+    @commentaries = ArtistCommentary.search(search_params).paginate(params[:page], :limit => params[:limit])
     respond_with(@commentaries) do |format|
       format.xml do
         render :xml => @commentaries.to_xml(:root => "artist-commentaries")
@@ -24,14 +24,8 @@ class ArtistCommentariesController < ApplicationController
   end
 
   def create_or_update
-    @artist_commentary = ArtistCommentary.find_by_post_id(params[:artist_commentary][:post_id])
+    @artist_commentary = ArtistCommentary.find_or_initialize_by(post_id: params.dig(:artist_commentary, :post_id))
-
+    @artist_commentary.update(commentary_params)
-    if @artist_commentary
-      @artist_commentary.update_attributes(params[:artist_commentary])
-    else
-      @artist_commentary = ArtistCommentary.create(params[:artist_commentary])
-    end
-
     respond_with(@artist_commentary)
   end
 
@@ -39,6 +33,15 @@ class ArtistCommentariesController < ApplicationController
     @artist_commentary = ArtistCommentary.find_by_post_id!(params[:id])
     @version = @artist_commentary.versions.find(params[:version_id])
     @artist_commentary.revert_to!(@version)
-    respond_with(@artist_commentary)
+  end
+
+private
+
+  def commentary_params
+    params.fetch(:artist_commentary, {}).except(:post_id).permit(%i[
+      original_description original_title translated_description translated_title
+      remove_commentary_tag remove_commentary_request_tag remove_commentary_check_tag
+      add_commentary_tag add_commentary_request_tag add_commentary_check_tag
+    ])
   end
 end

app/controllers/artist_commentary_versions_controller.rb

@@ -2,7 +2,7 @@ class ArtistCommentaryVersionsController < ApplicationController
   respond_to :html, :xml, :json
 
   def index
-    @commentary_versions = ArtistCommentaryVersion.search(params[:search]).paginate(params[:page], :limit => params[:limit])
+    @commentary_versions = ArtistCommentaryVersion.search(search_params).paginate(params[:page], :limit => params[:limit])
     respond_with(@commentary_versions) do |format|
       format.xml do
         render :xml => @commentary_versions.to_xml(:root => "artist-commentary-versions")

app/controllers/artist_versions_controller.rb

@@ -1,13 +1,14 @@
 class ArtistVersionsController < ApplicationController
-  before_filter :member_only
+  before_action :member_only
   respond_to :html, :xml, :json
 
   def index
-    @artist_versions = ArtistVersion.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @artist_versions = ArtistVersion.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@artist_versions) do |format|
       format.xml do
         render :xml => @artist_versions.to_xml(:root => "artist-versions")
       end
     end
   end
+
 end

app/controllers/artists_controller.rb

@@ -1,12 +1,12 @@
 class ArtistsController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :member_only, :except => [:index, :show, :show_or_new, :banned]
+  before_action :member_only, :except => [:index, :show, :show_or_new, :banned]
-  before_filter :builder_only, :only => [:destroy]
+  before_action :builder_only, :only => [:destroy]
-  before_filter :admin_only, :only => [:ban, :unban]
+  before_action :admin_only, :only => [:ban, :unban]
-  before_filter :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete]
+  before_action :load_artist, :only => [:ban, :unban, :show, :edit, :update, :destroy, :undelete]
 
   def new
-    @artist = Artist.new_with_defaults(params)
+    @artist = Artist.new_with_defaults(artist_params)
     respond_with(@artist)
   end
 
@@ -37,7 +37,6 @@ class ArtistsController < ApplicationController
   end
 
   def index
-    search_params = params[:search].present? ? params[:search] : params
     @artists = Artist.includes(:urls).search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@artists) do |format|
       format.xml do
@@ -56,12 +55,12 @@ class ArtistsController < ApplicationController
   end
 
   def create
-    @artist = Artist.create(params[:artist], :as => CurrentUser.role)
+    @artist = Artist.create(artist_params)
     respond_with(@artist)
   end
 
   def update
-    @artist.update(params[:artist], :as => CurrentUser.role)
+    @artist.update(artist_params)
     flash[:notice] = @artist.valid? ? "Artist updated" : @artist.errors.full_messages.join("; ")
     respond_with(@artist)
   end
@@ -118,4 +117,17 @@ private
   def load_artist
     @artist = Artist.find(params[:id])
   end
+
+  def search_params
+    sp = params.fetch(:search, {})
+    sp[:name] = params[:name] if params[:name]
+    sp.permit!
+  end
+
+  def artist_params
+    permitted_params = %i[name other_names other_names_comma group_name url_string notes]
+    permitted_params << :is_active if CurrentUser.is_builder?
+
+    params.fetch(:artist, {}).permit(permitted_params)
+  end
 end

app/controllers/bans_controller.rb

@@ -1,6 +1,7 @@
 class BansController < ApplicationController
-  before_filter :moderator_only, :except => [:show, :index]
+  before_action :moderator_only, :except => [:show, :index]
   respond_to :html, :xml, :json
+  helper_method :search_params
 
   def new
     @ban = Ban.new(params[:ban])
@@ -11,7 +12,7 @@ class BansController < ApplicationController
   end
 
   def index
-    @bans = Ban.search(params[:search]).paginate(params[:page], :limit => params[:limit])
+    @bans = Ban.search(search_params).paginate(params[:page], :limit => params[:limit])
     respond_with(@bans) do |fmt|
       fmt.html { @bans = @bans.includes(:user, :banner) }
     end
@@ -23,7 +24,7 @@ class BansController < ApplicationController
   end
 
   def create
-    @ban = Ban.create(params[:ban])
+    @ban = Ban.create(ban_params(:create))
 
     if @ban.errors.any?
       render :action => "new"
@@ -34,7 +35,7 @@ class BansController < ApplicationController
 
   def update
     @ban = Ban.find(params[:id])
-    if @ban.update_attributes(params[:ban])
+    if @ban.update(ban_params(:update))
       redirect_to ban_path(@ban), :notice => "Ban updated"
     else
       render :action => "edit"
@@ -46,4 +47,13 @@ class BansController < ApplicationController
     @ban.destroy
     redirect_to bans_path, :notice => "Ban destroyed"
   end
+
+  private
+
+  def ban_params(context)
+    permitted_params = %i[reason duration expires_at]
+    permitted_params += %i[user_id user_name] if context == :create
+
+    params.require(:ban).permit(permitted_params)
+  end
 end

app/controllers/bulk_update_requests_controller.rb

@@ -1,8 +1,8 @@
 class BulkUpdateRequestsController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only, :except => [:index, :show]
+  before_action :member_only, :except => [:index, :show]
-  before_filter :admin_only, :only => [:approve]
+  before_action :admin_only, :only => [:approve]
-  before_filter :load_bulk_update_request, :except => [:new, :create, :index]
+  before_action :load_bulk_update_request, :except => [:new, :create, :index]
 
   def new
     @bulk_update_request = BulkUpdateRequest.new
@@ -47,7 +47,7 @@ class BulkUpdateRequestsController < ApplicationController
   end
 
   def index
-    @bulk_update_requests = BulkUpdateRequest.search(params[:search]).paginate(params[:page], :limit => params[:limit])
+    @bulk_update_requests = BulkUpdateRequest.search(search_params).paginate(params[:page], :limit => params[:limit])
     respond_with(@bulk_update_requests)
   end
 

app/controllers/comment_votes_controller.rb

@@ -1,7 +1,7 @@
 class CommentVotesController < ApplicationController
   respond_to :js, :json, :xml
-  before_filter :member_only
+  before_action :member_only
-  skip_before_filter :api_check
+  skip_before_action :api_check
 
   def create
     @comment = Comment.find(params[:comment_id])

app/controllers/comments_controller.rb

@@ -1,12 +1,12 @@
 class CommentsController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :member_only, :except => [:index, :search, :show]
+  before_action :member_only, :except => [:index, :search, :show]
-  skip_before_filter :api_check
+  skip_before_action :api_check
 
   def index
-    if params[:group_by] == "comment" || request.format == Mime::ATOM
+    if params[:group_by] == "comment" || request.format == Mime::Type.lookup("application/atom+xml")
       index_by_comment
-    elsif request.format == Mime::JS
+    elsif request.format == Mime::Type.lookup("text/javascript")
       index_for_post
     else
       index_by_post
@@ -23,15 +23,17 @@ class CommentsController < ApplicationController
   def update
     @comment = Comment.find(params[:id])
     check_privilege(@comment)
-    @comment.update(update_params, :as => CurrentUser.role)
+    @comment.update(comment_params(:update))
     respond_with(@comment, :location => post_path(@comment.post_id))
   end
 
   def create
-    @comment = Comment.create(create_params, :as => CurrentUser.role)
+    @comment = Comment.create(comment_params(:create))
     respond_with(@comment) do |format|
       format.html do
-        if @comment.errors.any?
+        if @comment.post.nil?
+          redirect_to comments_path, notice: @comment.errors.full_messages.join("; ")
+        elsif @comment.errors.any?
           redirect_to post_path(@comment.post), :notice => @comment.errors.full_messages.join("; ")
         else
           redirect_to post_path(@comment.post), :notice => "Comment posted"
@@ -88,7 +90,7 @@ private
   end
 
   def index_by_comment
-    @comments = Comment.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @comments = Comment.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@comments) do |format|
       format.atom do
         @comments = @comments.includes(:post, :creator).load
@@ -105,11 +107,12 @@ private
     end
   end
 
-  def create_params
+  def comment_params(context)
-    params.require(:comment).permit(:post_id, :body, :do_not_bump_post, :is_sticky)
+    permitted_params = %i[body]
-  end
+    permitted_params += %i[post_id do_not_bump_post] if context == :create
+    permitted_params += %i[is_deleted] if context == :update
+    permitted_params += %i[is_sticky] if CurrentUser.is_moderator?
 
-  def update_params
+    params.require(:comment).permit(permitted_params)
-    params.require(:comment).permit(:body, :is_deleted, :is_sticky)
   end
 end

app/controllers/delayed_jobs_controller.rb

@@ -1,6 +1,6 @@
 class DelayedJobsController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :admin_only, except: [:index]
+  before_action :admin_only, except: [:index]
 
   def index
     @delayed_jobs = Delayed::Job.order("run_at asc").paginate(params[:page], :limit => params[:limit])
@@ -18,7 +18,7 @@ class DelayedJobsController < ApplicationController
   def retry
     @job = Delayed::Job.find(params[:id])
     if !@job.locked_at?
-      @job.update({failed_at: nil, attempts: 0}, without_protection: true)
+      @job.update(failed_at: nil, attempts: 0)
     end
     respond_with(@job)
   end

app/controllers/dmails_controller.rb

@@ -1,7 +1,7 @@
 class DmailsController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :member_only, except: [:index, :show, :destroy, :mark_all_as_read]
+  before_action :member_only, except: [:index, :show, :destroy, :mark_all_as_read]
-  before_filter :gold_only, only: [:ham, :spam]
+  before_action :gold_only, only: [:ham, :spam]
 
   def new
     if params[:respond_to_id]
@@ -19,7 +19,7 @@ class DmailsController < ApplicationController
     if params[:folder] && params[:set_default_folder]
       cookies.permanent[:dmail_folder] = params[:folder]
     end
-    @query = Dmail.active.visible.search(params[:search])
+    @query = Dmail.active.visible.search(search_params)
     @dmails = @query.paginate(params[:page], :limit => params[:limit])
     respond_with(@dmails) do |format|
       format.xml do

app/controllers/explore/posts_controller.rb

@@ -1,7 +1,7 @@
 module Explore
   class PostsController < ApplicationController
     respond_to :html, :xml, :json
-    before_filter :set_date, only: [:searches, :viewed]
+    before_action :set_date, only: [:searches, :viewed]
 
     def popular
       @post_set = PostSets::Popular.new(params[:date], params[:scale])

app/controllers/favorite_group_orders_controller.rb

@@ -1,6 +1,6 @@
 class FavoriteGroupOrdersController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only
+  before_action :member_only
 
   def edit
     @favorite_group = FavoriteGroup.find(params[:favorite_group_id])

app/controllers/favorite_groups_controller.rb

@@ -1,9 +1,9 @@
 class FavoriteGroupsController < ApplicationController
-  before_filter :member_only, :except => [:index, :show]
+  before_action :member_only, :except => [:index, :show]
   respond_to :html, :xml, :json, :js
 
   def index
-    @favorite_groups = FavoriteGroup.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @favorite_groups = FavoriteGroup.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@favorite_groups) do |format|
       format.xml do
         render :xml => @favorite_groups.to_xml(:root => "favorite-groups")
@@ -24,7 +24,7 @@ class FavoriteGroupsController < ApplicationController
   end
 
   def create
-    @favorite_group = FavoriteGroup.create(params[:favorite_group])
+    @favorite_group = FavoriteGroup.create(favgroup_params)
     respond_with(@favorite_group) do |format|
       format.html do
         if @favorite_group.errors.any?
@@ -45,7 +45,7 @@ class FavoriteGroupsController < ApplicationController
   def update
     @favorite_group = FavoriteGroup.find(params[:id])
     check_write_privilege(@favorite_group)
-    @favorite_group.update_attributes(params[:favorite_group])
+    @favorite_group.update(favgroup_params)
     unless @favorite_group.errors.any?
       flash[:notice] = "Favorite group updated"
     end
@@ -67,7 +67,8 @@ class FavoriteGroupsController < ApplicationController
     @favorite_group.add!(@post.id)
   end
 
-private
+  private
+
   def check_write_privilege(favgroup)
     raise User::PrivilegeError unless favgroup.editable_by?(CurrentUser.user)
   end
@@ -75,4 +76,8 @@ private
   def check_read_privilege(favgroup)
     raise User::PrivilegeError unless favgroup.viewable_by?(CurrentUser.user)
   end
+
+  def favgroup_params
+    params.fetch(:favorite_group, {}).permit(%i[name post_ids is_public])
+  end
 end

app/controllers/favorites_controller.rb

@@ -1,7 +1,7 @@
 class FavoritesController < ApplicationController
-  before_filter :member_only, except: [:index]
+  before_action :member_only, except: [:index]
   respond_to :html, :xml, :json
-  skip_before_filter :api_check
+  skip_before_action :api_check
 
   def index
     if params[:tags]

app/controllers/forum_posts_controller.rb

@@ -1,9 +1,9 @@
 class ForumPostsController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only, :except => [:index, :show, :search]
+  before_action :member_only, :except => [:index, :show, :search]
-  before_filter :load_post, :only => [:edit, :show, :update, :destroy, :undelete]
+  before_action :load_post, :only => [:edit, :show, :update, :destroy, :undelete]
-  before_filter :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]
+  before_action :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]
-  skip_before_filter :api_check
+  skip_before_action :api_check
   
   def new
     if params[:topic_id]
@@ -24,7 +24,7 @@ class ForumPostsController < ApplicationController
   end
 
   def index
-    @query = ForumPost.search(params[:search])
+    @query = ForumPost.search(search_params)
     @forum_posts = @query.includes(:topic).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@forum_posts) do |format|
       format.xml do
@@ -45,14 +45,14 @@ class ForumPostsController < ApplicationController
   end
 
   def create
-    @forum_post = ForumPost.create(params[:forum_post])
+    @forum_post = ForumPost.create(forum_post_params(:create))
     page = @forum_post.topic.last_page if @forum_post.topic.last_page > 1
     respond_with(@forum_post, :location => forum_topic_path(@forum_post.topic, :page => page))
   end
 
   def update
     check_privilege(@forum_post)
-    @forum_post.update_attributes(params[:forum_post])
+    @forum_post.update(forum_post_params(:update))
     page = @forum_post.forum_topic_page if @forum_post.forum_topic_page > 1
     respond_with(@forum_post, :location => forum_topic_path(@forum_post.topic, :page => page, :anchor => "forum_post_#{@forum_post.id}"))
   end
@@ -84,11 +84,11 @@ private
         end
 
         fmt.json do
-          render :nothing => true, :status => 403
+          render json: nil, :status => 403
         end
 
         fmt.xml do
-          render :nothing => true, :status => 403
+          render xml: nil, :status => 403
         end
       end
 
@@ -101,4 +101,11 @@ private
       raise User::PrivilegeError
     end
   end
+
+  def forum_post_params(context)
+    permitted_params = [:body]
+    permitted_params += [:topic_id] if context == :create
+
+    params.require(:forum_post).permit(permitted_params)
+  end
 end

app/controllers/forum_topics_controller.rb

@@ -1,11 +1,11 @@
 class ForumTopicsController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :member_only, :except => [:index, :show]
+  before_action :member_only, :except => [:index, :show]
-  before_filter :moderator_only, :only => [:new_merge, :create_merge]
+  before_action :moderator_only, :only => [:new_merge, :create_merge]
-  before_filter :normalize_search, :only => :index
+  before_action :normalize_search, :only => :index
-  before_filter :load_topic, :only => [:edit, :show, :update, :destroy, :undelete, :new_merge, :create_merge, :subscribe, :unsubscribe]
+  before_action :load_topic, :only => [:edit, :show, :update, :destroy, :undelete, :new_merge, :create_merge, :subscribe, :unsubscribe]
-  before_filter :check_min_level, :only => [:show, :edit, :update, :new_merge, :create_merge, :destroy, :undelete, :subscribe, :unsubscribe]
+  before_action :check_min_level, :only => [:show, :edit, :update, :new_merge, :create_merge, :destroy, :undelete, :subscribe, :unsubscribe]
-  skip_before_filter :api_check
+  skip_before_action :api_check
 
   def new
     @forum_topic = ForumTopic.new
@@ -20,9 +20,9 @@ class ForumTopicsController < ApplicationController
 
   def index
     params[:search] ||= {}
-    params[:search][:order] ||= "sticky" if request.format == Mime::HTML
+    params[:search][:order] ||= "sticky" if request.format == Mime::Type.lookup("text/html")
 
-    @query = ForumTopic.active.search(params[:search])
+    @query = ForumTopic.active.search(search_params)
     @forum_topics = @query.paginate(params[:page], :limit => per_page, :search_count => params[:search])
 
     respond_with(@forum_topics) do |format|
@@ -42,7 +42,7 @@ class ForumTopicsController < ApplicationController
   end
 
   def show
-    if request.format == Mime::HTML
+    if request.format == Mime::Type.lookup("text/html")
       @forum_topic.mark_as_read!(CurrentUser.user)
     end
     @forum_posts = ForumPost.search(:topic_id => @forum_topic.id).reorder("forum_posts.id").paginate(params[:page])
@@ -54,13 +54,13 @@ class ForumTopicsController < ApplicationController
   end
 
   def create
-    @forum_topic = ForumTopic.create(params[:forum_topic], :as => CurrentUser.role)
+    @forum_topic = ForumTopic.create(forum_topic_params(:create))
     respond_with(@forum_topic)
   end
 
   def update
     check_privilege(@forum_topic)
-    @forum_topic.update_attributes(params[:forum_topic], :as => CurrentUser.role)
+    @forum_topic.update(forum_topic_params(:update))
     respond_with(@forum_topic)
   end
 
@@ -147,15 +147,22 @@ private
         end
 
         fmt.json do
-          render :nothing => true, :status => 403
+          render json: nil, :status => 403
         end
 
         fmt.xml do
-          render :nothing => true, :status => 403
+          render xml: nil, :status => 403
         end
       end
 
       return false
     end
   end
+
+  def forum_topic_params(context)
+    permitted_params = [:title, :category_id, { original_post_attributes: %i[id body] }]
+    permitted_params += %i[is_sticky is_locked min_level] if CurrentUser.is_moderator?
+
+    params.require(:forum_topic).permit(permitted_params)
+  end
 end

app/controllers/ip_bans_controller.rb

@@ -1,18 +1,18 @@
 class IpBansController < ApplicationController
-  respond_to :html, :xml, :json
+  respond_to :html, :xml, :json, :js
-  before_filter :moderator_only
+  before_action :moderator_only
 
   def new
     @ip_ban = IpBan.new
   end
 
   def create
-    @ip_ban = IpBan.create(params[:ip_ban])
+    @ip_ban = IpBan.create(ip_ban_params)
     respond_with(@ip_ban, :location => ip_bans_path)
   end
 
   def index
-    @search = IpBan.search(params[:search])
+    @search = IpBan.search(search_params)
     @ip_bans = @search.paginate(params[:page], :limit => params[:limit])
     respond_with(@ip_bans)
   end
@@ -22,4 +22,14 @@ class IpBansController < ApplicationController
     @ip_ban.destroy
     respond_with(@ip_ban)
   end
+
+  private
+
+  def ip_ban_params
+    params.fetch(:ip_ban, {}).permit(%i[ip_addr reason])
+  end
+
+  def search_params
+    params.fetch(:search, {}).permit(%i[ip_addr order])
+  end
 end

app/controllers/iqdb_queries_controller.rb

@@ -15,7 +15,7 @@ class IqdbQueriesController < ApplicationController
         fmt.js { render :layout => false, :action => "create_by_post" }
       end
     else
-      render :nothing => true, :status => 422
+      render plain: "", :status => 422
     end
   end
 

app/controllers/janitor_trials_controller.rb

@@ -1,6 +1,6 @@
 class JanitorTrialsController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :moderator_only, :only => [:create, :promote, :demote]
+  before_action :moderator_only, :only => [:create, :promote, :demote]
 
   def new
     @janitor_trial = JanitorTrial.new
@@ -13,12 +13,12 @@ class JanitorTrialsController < ApplicationController
   end
 
   def index
-    @janitor_trials = JanitorTrial.search(params[:search]).paginate(params[:page], :limit => params[:limit])
+    @janitor_trials = JanitorTrial.search(search_params).paginate(params[:page], :limit => params[:limit])
     respond_with(@janitor_trials)
   end
 
   def create
-    @janitor_trial = JanitorTrial.create(params[:janitor_trial])
+    @janitor_trial = JanitorTrial.create(janitor_trial_params)
     respond_with(@janitor_trial, :location => janitor_trials_path)
   end
 
@@ -41,4 +41,10 @@ class JanitorTrialsController < ApplicationController
   def test
     @tester = JanitorTrialTester.new(params[:janitor_trial][:user_name])
   end
+
+  private
+
+  def janitor_trial_params
+    params.require(:janitor_trial).permit(%i[user_id user_name])
+  end
 end

app/controllers/legacy_controller.rb

@@ -1,5 +1,5 @@
 class LegacyController < ApplicationController
-  before_filter :member_only, :only => [:create_post]
+  before_action :member_only, :only => [:create_post]
   respond_to :json, :xml
 
   def posts
@@ -40,7 +40,7 @@ class LegacyController < ApplicationController
   end
 
   def artists
-    @artists = Artist.limit(100).search(params[:search]).paginate(params[:page])
+    @artists = Artist.limit(100).search(search_params).paginate(params[:page])
   end
 
   def unavailable

app/controllers/maintenance/user/api_keys_controller.rb

@@ -1,8 +1,8 @@
 module Maintenance
   module User
     class ApiKeysController < ApplicationController
-      before_filter :check_privilege
+      before_action :check_privilege
-      before_filter :authenticate!, :except => [:show]
+      before_action :authenticate!, :except => [:show]
       rescue_from ::SessionLoader::AuthenticationFailure, :with => :authentication_failed
       respond_to :html, :json, :xml
 

app/controllers/maintenance/user/dmail_filters_controller.rb

@@ -1,7 +1,7 @@
 module Maintenance
   module User
     class DmailFiltersController < ApplicationController
-      before_filter :ensure_ownership
+      before_action :ensure_ownership
       respond_to :html, :json, :xml
 
       def edit
@@ -10,12 +10,12 @@ module Maintenance
 
       def update
         @dmail_filter = CurrentUser.dmail_filter || DmailFilter.new
-        @dmail_filter.update(params.require(:dmail_filter).permit(:words), :as => CurrentUser.role)
+        @dmail_filter.update(dmail_filter_params)
         flash[:notice] = "Filter updated"
         respond_with(@dmail)
       end
 
-    private
+      private
 
       def ensure_ownership
         @dmail = Dmail.find(params[:dmail_id])
@@ -24,6 +24,10 @@ module Maintenance
           raise User::PrivilegeError.new
         end
       end
+
+      def dmail_filter_params
+        params.require(:dmail_filter).permit(:words)
+      end
     end
   end
 end

app/controllers/maintenance/user/email_notifications_controller.rb

@@ -3,7 +3,7 @@ module Maintenance
     class EmailNotificationsController < ApplicationController
       class VerificationError < Exception ; end
 
-      before_filter :validate_sig, :only => [:destroy]
+      before_action :validate_sig, :only => [:destroy]
       rescue_from VerificationError, :with => :render_403
 
       def show
@@ -18,7 +18,7 @@ module Maintenance
     private
 
       def render_403
-        render :nothing => true, :status => 403
+        render plain: "", :status => 403
       end
 
       def validate_sig

app/controllers/maintenance/user/password_resets_controller.rb

@@ -6,7 +6,7 @@ module Maintenance
       end
 
       def create
-        @nonce = UserPasswordResetNonce.create(params[:nonce])
+        @nonce = UserPasswordResetNonce.create(nonce_params)
         if @nonce.errors.any?
           redirect_to new_maintenance_user_password_reset_path, :notice => @nonce.errors.full_messages.join("; ")
         else
@@ -29,6 +29,10 @@ module Maintenance
           redirect_to new_maintenance_user_password_reset_path, :notice => "Invalid key"
         end
       end
+
+      def nonce_params
+        params.fetch(:nonce, {}).permit([:email])
+      end
     end
   end
 end

app/controllers/mod_actions_controller.rb

@@ -2,7 +2,7 @@ class ModActionsController < ApplicationController
   respond_to :html, :xml, :json
 
   def index
-    @mod_actions = ModAction.search(params[:search]).paginate(params[:page], :limit => params[:limit])
+    @mod_actions = ModAction.search(search_params).paginate(params[:page], :limit => params[:limit])
     respond_with(@mod_actions)
   end
 end

app/controllers/moderator/bulk_reverts_controller.rb

@@ -1,7 +1,7 @@
 module Moderator
   class BulkRevertsController < ApplicationController
-    before_filter :moderator_only
+    before_action :moderator_only
-    before_filter :init_constraints
+    before_action :init_constraints
     helper PostVersionsHelper
     rescue_from BulkRevert::ConstraintTooGeneralError, :with => :tag_constraint_too_general
 

app/controllers/moderator/dashboards_controller.rb

@@ -1,6 +1,6 @@
 module Moderator
   class DashboardsController < ApplicationController
-    before_filter :member_only
+    before_action :member_only
     helper :post_flags, :post_appeals
 
     def show

app/controllers/moderator/invitations_controller.rb

@@ -1,6 +1,6 @@
 module Moderator
   class InvitationsController < ApplicationController
-    before_filter :moderator_only
+    before_action :moderator_only
 
     def new
     end

app/controllers/moderator/ip_addrs_controller.rb

@@ -1,6 +1,6 @@
 module Moderator
   class IpAddrsController < ApplicationController
-    before_filter :moderator_only
+    before_action :moderator_only
 
     def index
       @search = IpAddrSearch.new(params[:search])

app/controllers/moderator/post/approvals_controller.rb

@@ -1,8 +1,8 @@
 module Moderator
   module Post
     class ApprovalsController < ApplicationController
-      before_filter :approver_only
+      before_action :approver_only
-      skip_before_filter :api_check
+      skip_before_action :api_check
       respond_to :json, :xml, :js
 
       def create

app/controllers/moderator/post/disapprovals_controller.rb

@@ -1,13 +1,20 @@
 module Moderator
   module Post
     class DisapprovalsController < ApplicationController
-      before_filter :approver_only
+      before_action :approver_only
-      skip_before_filter :api_check
+      skip_before_action :api_check
+      respond_to :js, :json, :xml
 
       def create
         cookies.permanent[:moderated] = Time.now.to_i
-        @post = ::Post.find(params[:post_id])
+        @post_disapproval = PostDisapproval.create(post_disapproval_params)
-        @post_disapproval = PostDisapproval.create(:post => @post, :user => CurrentUser.user, :reason => params[:reason] || "disinterest", :message => params[:message])
+        respond_with(@post_disapproval)
+      end
+
+      private
+
+      def post_disapproval_params
+        params.require(:post_disapproval).permit(%i[post_id reason message])
       end
     end
   end

app/controllers/moderator/post/posts_controller.rb

@@ -1,9 +1,9 @@
 module Moderator
   module Post
     class PostsController < ApplicationController
-      before_filter :approver_only, :only => [:delete, :undelete, :move_favorites, :ban, :unban, :confirm_delete, :confirm_move_favorites, :confirm_ban]
+      before_action :approver_only, :only => [:delete, :undelete, :move_favorites, :ban, :unban, :confirm_delete, :confirm_move_favorites, :confirm_ban]
-      before_filter :admin_only, :only => [:expunge]
+      before_action :admin_only, :only => [:expunge]
-      skip_before_filter :api_check
+      skip_before_action :api_check
 
       respond_to :html, :json, :xml
 

app/controllers/moderator/post/queues_controller.rb

@@ -4,8 +4,8 @@ module Moderator
       RANDOM_COUNT = 12
       
       respond_to :html, :json
-      before_filter :approver_only
+      before_action :approver_only
-      skip_before_filter :api_check
+      skip_before_action :api_check
 
       def show
         cookies.permanent[:moderated] = Time.now.to_i

app/controllers/moderator/tags_controller.rb

@@ -1,6 +1,6 @@
 module Moderator
   class TagsController < ApplicationController
-    before_filter :moderator_only
+    before_action :moderator_only
     rescue_from TagBatchChange::Error, :with => :error
 
     def edit

app/controllers/news_updates_controller.rb

@@ -1,5 +1,5 @@
 class NewsUpdatesController < ApplicationController
-  before_filter :admin_only
+  before_action :admin_only
   respond_to :html
 
   def index
@@ -14,7 +14,7 @@ class NewsUpdatesController < ApplicationController
 
   def update
     @news_update = NewsUpdate.find(params[:id])
-    @news_update.update_attributes(params[:news_update])
+    @news_update.update(news_update_params)
     respond_with(@news_update, :location => news_updates_path)
   end
 
@@ -24,7 +24,7 @@ class NewsUpdatesController < ApplicationController
   end
 
   def create
-    @news_update = NewsUpdate.create(params[:news_update])
+    @news_update = NewsUpdate.create(news_update_params)
     respond_with(@news_update, :location => news_updates_path)
   end
 
@@ -35,4 +35,10 @@ class NewsUpdatesController < ApplicationController
       format.js
     end
   end
+
+  private
+
+  def news_update_params
+    params.require(:news_update).permit([:message])
+  end
 end

app/controllers/note_versions_controller.rb

@@ -2,7 +2,7 @@ class NoteVersionsController < ApplicationController
   respond_to :html, :xml, :json
 
   def index
-    @note_versions = NoteVersion.search(params[:search]).paginate(params[:page], :limit => params[:limit])
+    @note_versions = NoteVersion.search(search_params).paginate(params[:page], :limit => params[:limit])
     respond_with(@note_versions) do |format|
       format.html { @note_versions = @note_versions.includes(:updater) }
       format.xml do

app/controllers/notes_controller.rb

@@ -1,12 +1,12 @@
 class NotesController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only, :except => [:index, :show, :search]
+  before_action :member_only, :except => [:index, :show, :search]
 
   def search
   end
 
   def index
-    @notes = Note.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @notes = Note.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@notes) do |format|
       format.html { @notes = @notes.includes(:creator) }
       format.xml do
@@ -23,7 +23,7 @@ class NotesController < ApplicationController
   end
 
   def create
-    @note = Note.create(create_params)
+    @note = Note.create(note_params(:create))
     respond_with(@note) do |fmt|
       fmt.json do
         if @note.errors.any?
@@ -37,7 +37,7 @@ class NotesController < ApplicationController
 
   def update
     @note = Note.find(params[:id])
-    @note.update_attributes(update_params)
+    @note.update(note_params(:update))
     respond_with(@note) do |format|
       format.json do
         if @note.errors.any?
@@ -62,12 +62,12 @@ class NotesController < ApplicationController
     respond_with(@note)
   end
 
-private
+  private
-  def update_params
-    params.require(:note).permit(:x, :y, :width, :height, :body)
-  end
 
-  def create_params
+  def note_params(context)
-    params.require(:note).permit(:x, :y, :width, :height, :body, :post_id, :html_id)
+    permitted_params = %i[x y width height body]
+    permitted_params += %i[post_id html_id] if context == :create
+
+    params.require(:note).permit(permitted_params)
   end
 end

app/controllers/pool_elements_controller.rb

@@ -1,6 +1,6 @@
 class PoolElementsController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only
+  before_action :member_only
 
   def create
     @pool = Pool.find_by_name(params[:pool_name]) || Pool.find_by_id(params[:pool_id])

app/controllers/pool_orders_controller.rb

@@ -1,6 +1,6 @@
 class PoolOrdersController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only
+  before_action :member_only
 
   def edit
     @pool = Pool.find(params[:pool_id])

app/controllers/pool_versions_controller.rb

@@ -1,13 +1,13 @@
 class PoolVersionsController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :check_availabililty
+  before_action :check_availabililty
 
   def index
     if params[:search] && params[:search][:pool_id].present?
       @pool = Pool.find(params[:search][:pool_id])
     end
 
-    @pool_versions = PoolArchive.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @pool_versions = PoolArchive.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@pool_versions) do |format|
       format.xml do
         render :xml => @pool_versions.to_xml(:root => "pool-versions")

app/controllers/pools_controller.rb

@@ -1,7 +1,7 @@
 class PoolsController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only, :except => [:index, :show, :gallery]
+  before_action :member_only, :except => [:index, :show, :gallery]
-  before_filter :builder_only, :only => [:destroy]
+  before_action :builder_only, :only => [:destroy]
 
   def new
     @pool = Pool.new
@@ -17,7 +17,7 @@ class PoolsController < ApplicationController
   end
 
   def index
-    @pools = Pool.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @pools = Pool.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@pools) do |format|
       format.xml do
         render :xml => @pools.to_xml(:root => "pools")
@@ -27,7 +27,7 @@ class PoolsController < ApplicationController
 
   def gallery
     limit = params[:limit] || CurrentUser.user.per_page
-    @pools = Pool.series.search(params[:search]).reorder("updated_at desc").paginate(params[:page], :limit => limit, :search_count => params[:search])
+    @pools = Pool.series.search(search_params).reorder("updated_at desc").paginate(params[:page], :limit => limit, :search_count => params[:search])
     @post_set = PostSets::PoolGallery.new(@pools)
   end
 
@@ -38,7 +38,7 @@ class PoolsController < ApplicationController
   end
 
   def create
-    @pool = Pool.create(params[:pool])
+    @pool = Pool.create(pool_params)
     flash[:notice] = @pool.valid? ? "Pool created" : @pool.errors.full_messages.join("; ")
     respond_with(@pool)
   end
@@ -46,7 +46,7 @@ class PoolsController < ApplicationController
   def update
     # need to do this in order for synchronize! to work correctly
     @pool = Pool.find(params[:id])
-    @pool.attributes = params[:pool]
+    @pool.attributes = pool_params
     @pool.synchronize
     @pool.save
     unless @pool.errors.any?
@@ -86,4 +86,11 @@ class PoolsController < ApplicationController
       format.js
     end
   end
+
+  private
+
+  def pool_params
+    permitted_params = %i[name description category is_active post_ids]
+    params.require(:pool).permit(permitted_params)
+  end
 end

app/controllers/post_appeals_controller.rb

@@ -1,5 +1,5 @@
 class PostAppealsController < ApplicationController
-  before_filter :member_only, :except => [:index, :show]
+  before_action :member_only, :except => [:index, :show]
   respond_to :html, :xml, :json, :js
 
   def new
@@ -8,7 +8,7 @@ class PostAppealsController < ApplicationController
   end
 
   def index
-    @post_appeals = PostAppeal.includes(:creator).search(params[:search]).includes(post: [:appeals, :uploader, :approver])
+    @post_appeals = PostAppeal.includes(:creator).search(search_params).includes(post: [:appeals, :uploader, :approver])
     @post_appeals = @post_appeals.paginate(params[:page], limit: params[:limit])
     respond_with(@post_appeals) do |format|
       format.xml do
@@ -18,7 +18,7 @@ class PostAppealsController < ApplicationController
   end
 
   def create
-    @post_appeal = PostAppeal.create(params[:post_appeal])
+    @post_appeal = PostAppeal.create(post_appeal_params)
     respond_with(@post_appeal)
   end
 
@@ -26,4 +26,10 @@ class PostAppealsController < ApplicationController
     @post_appeal = PostAppeal.find(params[:id])
     respond_with(@post_appeal)
   end
+
+  private
+
+  def post_appeal_params
+    params.fetch(:post_appeal, {}).permit(%i[post_id reason])
+  end
 end

app/controllers/post_flags_controller.rb

@@ -1,5 +1,5 @@
 class PostFlagsController < ApplicationController
-  before_filter :member_only, :except => [:index, :show]
+  before_action :member_only, :except => [:index, :show]
   respond_to :html, :xml, :json, :js
 
   def new
@@ -8,7 +8,7 @@ class PostFlagsController < ApplicationController
   end
 
   def index
-    @post_flags = PostFlag.search(params[:search]).includes(:creator, post: [:flags, :uploader, :approver])
+    @post_flags = PostFlag.search(search_params).includes(:creator, post: [:flags, :uploader, :approver])
     @post_flags = @post_flags.paginate(params[:page], limit: params[:limit])
     respond_with(@post_flags) do |format|
       format.xml do
@@ -18,7 +18,7 @@ class PostFlagsController < ApplicationController
   end
 
   def create
-    @post_flag = PostFlag.create(params[:post_flag].merge(:is_resolved => false))
+    @post_flag = PostFlag.create(post_flag_params)
     respond_with(@post_flag)
   end
 
@@ -26,4 +26,10 @@ class PostFlagsController < ApplicationController
     @post_flag = PostFlag.find(params[:id])
     respond_with(@post_flag)
   end
+
+  private
+
+  def post_flag_params
+    params.require(:post_flag).permit(%i[post_id reason])
+  end
 end

app/controllers/post_replacements_controller.rb

@@ -1,6 +1,6 @@
 class PostReplacementsController < ApplicationController
   respond_to :html, :xml, :json
-  before_filter :moderator_only, except: [:index]
+  before_action :moderator_only, except: [:index]
 
   def new
     @post = Post.find(params[:post_id])
@@ -23,7 +23,7 @@ class PostReplacementsController < ApplicationController
 
   def index
     params[:search][:post_id] = params.delete(:post_id) if params.has_key?(:post_id)
-    @post_replacements = PostReplacement.search(params[:search]).paginate(params[:page], limit: params[:limit])
+    @post_replacements = PostReplacement.search(search_params).paginate(params[:page], limit: params[:limit])
 
     respond_with(@post_replacements)
   end

app/controllers/post_versions_controller.rb

@@ -1,10 +1,10 @@
 class PostVersionsController < ApplicationController
-  before_filter :member_only
+  before_action :member_only
-  before_filter :check_availabililty
+  before_action :check_availabililty
   respond_to :html, :xml, :json
 
   def index
-    @post_versions = PostArchive.includes(:updater, post: [:versions]).search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @post_versions = PostArchive.includes(:updater, post: [:versions]).search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@post_versions) do |format|
       format.xml do
         render :xml => @post_versions.to_xml(:root => "post-versions")

app/controllers/post_votes_controller.rb

@@ -1,6 +1,6 @@
 class PostVotesController < ApplicationController
-  before_filter :voter_only
+  before_action :voter_only
-  skip_before_filter :api_check
+  skip_before_action :api_check
 
   def create
     @post = Post.find(params[:post_id])

app/controllers/posts_controller.rb

@@ -1,6 +1,6 @@
 class PostsController < ApplicationController
-  before_filter :member_only, :except => [:show, :show_seq, :index, :home, :random]
+  before_action :member_only, :except => [:show, :show_seq, :index, :home, :random]
-  before_filter :builder_only, :only => [:copy_notes]
+  before_action :builder_only, :only => [:copy_notes]
   respond_to :html, :xml, :json
 
   def index
@@ -46,10 +46,7 @@ class PostsController < ApplicationController
   def update
     @post = Post.find(params[:id])
 
-    if @post.visible?
+    @post.update(post_params) if @post.visible?
-      @post.update_attributes(params[:post], :as => CurrentUser.role)
-    end
-
     save_recent_tags
     respond_with_post_after_update(@post)
   end
@@ -131,4 +128,18 @@ private
       end
     end
   end
+
+  def post_params
+    permitted_params = %i[
+      tag_string old_tag_string
+      parent_id old_parent_id
+      source old_source
+      rating old_rating
+      has_embedded_notes
+    ]
+    permitted_params += %i[is_rating_locked is_note_locked] if CurrentUser.is_builder?
+    permitted_params += %i[is_status_locked] if CurrentUser.is_admin?
+
+    params.require(:post).permit(permitted_params)
+  end
 end

app/controllers/related_tags_controller.rb

@@ -1,7 +1,7 @@
 class RelatedTagsController < ApplicationController
   respond_to :json
   respond_to :html, :only=>[:show]
-  before_filter :require_reportbooru_key, only: [:update]
+  before_action :require_reportbooru_key, only: [:update]
 
   def show
     @query = RelatedTagQuery.new(params[:query].to_s.downcase, params[:category])

app/controllers/reports_controller.rb

@@ -1,7 +1,7 @@
 class ReportsController < ApplicationController
-  before_filter :member_only, :except => [:upload_tags]
+  before_action :member_only, :except => [:upload_tags]
-  before_filter :gold_only, :only => [:similar_users]
+  before_action :gold_only, :only => [:similar_users]
-  before_filter :moderator_only, :only => [:post_versions, :post_versions_create, :down_voting_post_report, :down_voting_post_report_create]
+  before_action :moderator_only, :only => [:post_versions, :post_versions_create, :down_voting_post_report, :down_voting_post_report_create]
 
   def uploads
     @report = Reports::Uploads.new(params[:min_date], params[:max_date], params[:queries])

app/controllers/saved_searches_controller.rb

@@ -1,5 +1,5 @@
 class SavedSearchesController < ApplicationController
-  before_filter :check_availability
+  before_action :check_availability
   respond_to :html, :xml, :json, :js
   
   def index
@@ -22,11 +22,7 @@ class SavedSearchesController < ApplicationController
   end
 
   def create
-    @saved_search = saved_searches.create!(:query => params[:saved_search_tags], :label_string => params[:saved_search_labels])
+    @saved_search = saved_searches.create(saved_search_params)
-    if params[:saved_search_disable_labels]
-      CurrentUser.disable_categorized_saved_searches = true
-      CurrentUser.save
-    end
     respond_with(@saved_search)
   end
 
@@ -42,11 +38,12 @@ class SavedSearchesController < ApplicationController
 
   def update
     @saved_search = saved_searches.find(params[:id])
-    @saved_search.update_attributes(params[:saved_search])
+    @saved_search.update(saved_search_params)
     respond_with(@saved_search, :location => saved_searches_path)
   end
 
-private
+  private
+
   def saved_searches
     CurrentUser.user.saved_searches
   end
@@ -56,4 +53,8 @@ private
       raise NotImplementedError.new("Listbooru service is not configured. Saved searches are not available.")
     end
   end
+
+  def saved_search_params
+    params.require(:saved_search).permit(%i[query label_string disable_labels])
+  end
 end

app/controllers/tag_alias_corrections_controller.rb

@@ -1,5 +1,5 @@
 class TagAliasCorrectionsController < ApplicationController
-  before_filter :builder_only
+  before_action :builder_only
 
   def create
     @correction = TagAliasCorrection.new(params[:tag_alias_id])

app/controllers/tag_alias_requests_controller.rb

@@ -1,11 +1,11 @@
 class TagAliasRequestsController < ApplicationController
-  before_filter :member_only
+  before_action :member_only
 
   def new
   end
 
   def create
-    @tag_alias_request = TagAliasRequest.new(params[:tag_alias_request])
+    @tag_alias_request = TagAliasRequest.new(tar_params)
     @tag_alias_request.create
 
     if @tag_alias_request.invalid?
@@ -14,4 +14,10 @@ class TagAliasRequestsController < ApplicationController
       redirect_to forum_topic_path(@tag_alias_request.forum_topic)
     end
   end
+
+private
+  
+  def tar_params
+    params.require(:tag_alias_request).permit(:antecedent_name, :consequent_name, :reason, :skip_secondary_validations)
+  end
 end

app/controllers/tag_aliases_controller.rb

@@ -1,5 +1,5 @@
 class TagAliasesController < ApplicationController
-  before_filter :admin_only, :only => [:approve, :new, :create]
+  before_action :admin_only, :only => [:approve, :new, :create]
   respond_to :html, :xml, :json, :js
 
   def show
@@ -15,14 +15,14 @@ class TagAliasesController < ApplicationController
     @tag_alias = TagAlias.find(params[:id])
 
     if @tag_alias.is_pending? && @tag_alias.editable_by?(CurrentUser.user)
-      @tag_alias.update_attributes(update_params)
+      @tag_alias.update(tag_alias_params)
     end
 
     respond_with(@tag_alias)
   end
 
   def index
-    @tag_aliases = TagAlias.search(params[:search]).paginate(params[:page], :limit => params[:limit])
+    @tag_aliases = TagAlias.search(search_params).paginate(params[:page], :limit => params[:limit])
     respond_with(@tag_aliases) do |format|
       format.xml do
         render :xml => @tag_aliases.to_xml(:root => "tag-aliases")
@@ -48,7 +48,7 @@ class TagAliasesController < ApplicationController
 
 private
 
-  def update_params
+  def tag_alias_params
-    params.require(:tag_alias).permit(:antecedent_name, :consequent_name, :forum_topic_id)
+    params.require(:tag_alias).permit(%i[antecedent_name consequent_name forum_topic_id skip_secondary_validations])
   end
 end

app/controllers/tag_corrections_controller.rb

@@ -1,5 +1,5 @@
 class TagCorrectionsController < ApplicationController
-  before_filter :builder_only
+  before_action :builder_only
 
   def new
     @correction = TagCorrection.new(params[:tag_id])

app/controllers/tag_implication_requests_controller.rb

@@ -1,11 +1,11 @@
 class TagImplicationRequestsController < ApplicationController
-  before_filter :member_only
+  before_action :member_only
 
   def new
   end
 
   def create
-    @tag_implication_request = TagImplicationRequest.new(params[:tag_implication_request])
+    @tag_implication_request = TagImplicationRequest.new(tir_params)
     @tag_implication_request.create
 
     if @tag_implication_request.invalid?
@@ -14,4 +14,10 @@ class TagImplicationRequestsController < ApplicationController
       redirect_to forum_topic_path(@tag_implication_request.forum_topic)
     end
   end
+
+private
+
+  def tir_params
+    params.require(:tag_implication_request).permit(:antecedent_name, :consequent_name, :reason, :skip_secondary_validations)
+  end
 end

app/controllers/tag_implications_controller.rb

@@ -1,5 +1,5 @@
 class TagImplicationsController < ApplicationController
-  before_filter :admin_only, :only => [:new, :create, :approve]
+  before_action :admin_only, :only => [:new, :create, :approve]
   respond_to :html, :xml, :json, :js
 
   def show
@@ -15,14 +15,14 @@ class TagImplicationsController < ApplicationController
     @tag_implication = TagImplication.find(params[:id])
 
     if @tag_implication.is_pending? && @tag_implication.editable_by?(CurrentUser.user)
-      @tag_implication.update_attributes(update_params)
+      @tag_implication.update(tag_implication_params)
     end
 
     respond_with(@tag_implication)
   end
 
   def index
-    @tag_implications = TagImplication.search(params[:search]).paginate(params[:page], :limit => params[:limit])
+    @tag_implications = TagImplication.search(search_params).paginate(params[:page], :limit => params[:limit])
     respond_with(@tag_implications) do |format|
       format.xml do
         render :xml => @tag_implications.to_xml(:root => "tag-implications")
@@ -53,7 +53,7 @@ class TagImplicationsController < ApplicationController
 
 private
 
-  def update_params
+  def tag_implication_params
-    params.require(:tag_implication).permit(:antecedent_name, :consequent_name, :forum_topic_id)
+    params.require(:tag_implication).permit(%i[antecedent_name consequent_name forum_topic_id skip_secondary_validations])
   end
 end

app/controllers/tags_controller.rb

@@ -1,5 +1,5 @@
 class TagsController < ApplicationController
-  before_filter :member_only, :only => [:edit, :update]
+  before_action :member_only, :only => [:edit, :update]
   respond_to :html, :xml, :json
 
   def edit
@@ -9,7 +9,7 @@ class TagsController < ApplicationController
   end
 
   def index
-    @tags = Tag.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @tags = Tag.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@tags) do |format|
       format.xml do
         render :xml => @tags.to_xml(:root => "tags")
@@ -35,7 +35,7 @@ class TagsController < ApplicationController
   def update
     @tag = Tag.find(params[:id])
     check_privilege(@tag)
-    @tag.update_attributes(params[:tag], :as => CurrentUser.role)
+    @tag.update(tag_params)
     respond_with(@tag)
   end
 
@@ -43,4 +43,11 @@ private
   def check_privilege(tag)
     raise User::PrivilegeError unless tag.editable_by?(CurrentUser.user)
   end
+
+  def tag_params
+    permitted_params = [:category]
+    permitted_params << :is_locked if CurrentUser.is_moderator?
+
+    params.require(:tag).permit(permitted_params)
+  end
 end

app/controllers/uploads_controller.rb

@@ -1,5 +1,5 @@
 class UploadsController < ApplicationController
-  before_filter :member_only, except: [:index, :show]
+  before_action :member_only, except: [:index, :show]
   respond_to :html, :xml, :json, :js
 
   def new
@@ -31,7 +31,7 @@ class UploadsController < ApplicationController
   end
 
   def index
-    @search = Upload.search(params[:search])
+    @search = Upload.search(search_params)
     @uploads = @search.paginate(params[:page], :limit => params[:limit])
     respond_with(@uploads) do |format|
       format.xml do
@@ -52,7 +52,7 @@ class UploadsController < ApplicationController
   end
 
   def create
-    @upload = Upload.create(params[:upload].merge(:server => Socket.gethostname))
+    @upload = Upload.create(upload_params)
 
     if @upload.errors.empty?
       post = @upload.process!
@@ -72,7 +72,8 @@ class UploadsController < ApplicationController
     respond_with(@upload)
   end
 
-protected
+  private
+
   def find_post_by_url(normalized_url)
     if normalized_url.nil?
       Post.where("SourcePattern(lower(posts.source)) = ?", params[:url]).first
@@ -89,4 +90,14 @@ protected
       cookies[:recent_tags_with_categories] = Tag.categories_for(tags).to_a.flatten.join(" ")
     end
   end
+
+  def upload_params
+    permitted_params = %i[
+      file source tag_string rating status parent_id artist_commentary_title
+      artist_commentary_desc include_artist_commentary referer_url
+      md5_confirmation as_pending 
+    ]
+
+    params.require(:upload).permit(permitted_params)
+  end
 end

app/controllers/user_feedbacks_controller.rb

@@ -1,9 +1,9 @@
 class UserFeedbacksController < ApplicationController
-  before_filter :gold_only, :only => [:new, :edit, :create, :update, :destroy]
+  before_action :gold_only, :only => [:new, :edit, :create, :update, :destroy]
   respond_to :html, :xml, :json
 
   def new
-    @user_feedback = UserFeedback.new(params[:user_feedback])
+    @user_feedback = UserFeedback.new(user_feedback_params(:create))
     respond_with(@user_feedback)
   end
 
@@ -19,7 +19,7 @@ class UserFeedbacksController < ApplicationController
   end
 
   def index
-    @search = UserFeedback.visible.search(params[:search])
+    @search = UserFeedback.visible.search(search_params)
     @user_feedbacks = @search.paginate(params[:page], :limit => params[:limit])
     respond_with(@user_feedbacks) do |format|
       format.xml do
@@ -29,14 +29,14 @@ class UserFeedbacksController < ApplicationController
   end
 
   def create
-    @user_feedback = UserFeedback.create(params[:user_feedback])
+    @user_feedback = UserFeedback.create(user_feedback_params(:create))
     respond_with(@user_feedback)
   end
 
   def update
     @user_feedback = UserFeedback.visible.find(params[:id])
     check_privilege(@user_feedback)
-    @user_feedback.update_attributes(params[:user_feedback])
+    @user_feedback.update(user_feedback_params(:update))
     respond_with(@user_feedback)
   end
 
@@ -47,8 +47,16 @@ class UserFeedbacksController < ApplicationController
     respond_with(@user_feedback)
   end
 
-private
+  private
+
   def check_privilege(user_feedback)
     raise User::PrivilegeError unless user_feedback.editable_by?(CurrentUser.user)
   end
+
+  def user_feedback_params(context)
+    permitted_params = %i[body category]
+    permitted_params += %i[user_id user_name] if context == :create
+
+    params.require(:user_feedback).permit(permitted_params)
+  end
 end

app/controllers/user_name_change_requests_controller.rb

@@ -1,20 +1,16 @@
 class UserNameChangeRequestsController < ApplicationController
-  before_filter :member_only, :only => [:index, :show]
+  before_action :member_only, :only => [:index, :show]
-  before_filter :gold_only, :only => [:new, :create]
+  before_action :gold_only, :only => [:new, :create]
-  before_filter :admin_only, :only => [:approve, :reject]
+  before_action :admin_only, :only => [:approve, :reject]
   respond_to :html, :json, :xml
 
   def new
+    @change_request = UserNameChangeRequest.new(change_request_params)
+    respond_with(@change_request)
   end
   
   def create
-    @change_request = UserNameChangeRequest.create(
+    @change_request = UserNameChangeRequest.create(change_request_params)
-      :user_id => CurrentUser.user.id,
-      :original_name => CurrentUser.user.name,
-      :status => "pending",
-      :change_reason => params[:reason],
-      :desired_name => params[:desired_name]
-    )
     
     if @change_request.errors.any?
       render :action => "new"
@@ -47,9 +43,14 @@ class UserNameChangeRequestsController < ApplicationController
     redirect_to user_name_change_request_path(@change_request), :notice => "Name change request rejected"
   end
 
-private
+  private
+
   def check_privileges!(change_request)
     return if CurrentUser.is_admin?
     raise User::PrivilegeError if change_request.user_id != CurrentUser.user.id
   end
+
+  def change_request_params
+    params.fetch(:user_name_change_request, {}).permit(%i[desired_name change_reason])
+  end
 end

app/controllers/user_reverts_controller.rb

@@ -1,5 +1,5 @@
 class UserRevertsController < ApplicationController
-  before_filter :moderator_only
+  before_action :moderator_only
 
   def new
     @user = User.find(params[:user_id])

app/controllers/user_upgrades_controller.rb

@@ -1,5 +1,5 @@
 class UserUpgradesController < ApplicationController
-  before_filter :member_only, :only => [:new, :show]
+  before_action :member_only, :only => [:new, :show]
   helper_method :user
   force_ssl :if => :ssl_enabled?
   skip_before_action :verify_authenticity_token, only: [:create]

app/controllers/users_controller.rb

@@ -1,6 +1,6 @@
 class UsersController < ApplicationController
   respond_to :html, :xml, :json
-  skip_before_filter :api_check
+  skip_before_action :api_check
 
   def new
     @user = User.new
@@ -22,7 +22,7 @@ class UsersController < ApplicationController
         redirect_to user_path(@user)
       end
     else
-      @users = User.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+      @users = User.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
       respond_with(@users) do |format|
         format.xml do
           render :xml => @users.to_xml(:root => "users")
@@ -41,8 +41,7 @@ class UsersController < ApplicationController
   end
 
   def create
-    @user = User.new(params[:user], :as => CurrentUser.role)
+    @user = User.new(user_params(:create))
-    @user.last_ip_addr = request.remote_ip
     if !Danbooru.config.enable_recaptcha? || verify_recaptcha(model: @user)
       @user.save
       if @user.errors.empty?
@@ -61,7 +60,7 @@ class UsersController < ApplicationController
   def update
     @user = User.find(params[:id])
     check_privilege(@user)
-    @user.update_attributes(params[:user].except(:name), :as => CurrentUser.role)
+    @user.update(user_params(:update))
     cookies.delete(:favorite_tags)
     cookies.delete(:favorite_tags_with_categories)
     if @user.errors.any?
@@ -75,12 +74,34 @@ class UsersController < ApplicationController
   def cache
     @user = User.find(params[:id])
     @user.update_cache
-    render :nothing => true
+    render plain: ""
   end
 
-private
+  private
 
   def check_privilege(user)
     raise User::PrivilegeError unless (user.id == CurrentUser.id || CurrentUser.is_admin?)
   end
+
+  def user_params(context)
+    permitted_params = %i[
+      password old_password password_confirmation email
+      comment_threshold default_image_size favorite_tags blacklisted_tags
+      time_zone per_page custom_style
+
+      receive_email_notifications always_resize_images enable_post_navigation
+      new_post_navigation_layout enable_privacy_mode
+      enable_sequential_post_navigation hide_deleted_posts style_usernames
+      enable_auto_complete show_deleted_children
+      disable_categorized_saved_searches disable_tagged_filenames
+      enable_recent_searches disable_cropped_thumbnails disable_mobile_gestures
+      enable_safe_mode disable_responsive_mode
+    ]
+
+    permitted_params += [dmail_filter_attributes: %i[id words]]
+    permitted_params << :name if context == :create
+    permitted_params << :level if CurrentUser.is_admin?
+
+    params.require(:user).permit(permitted_params)
+  end
 end

app/controllers/wiki_page_versions_controller.rb

@@ -2,7 +2,7 @@ class WikiPageVersionsController < ApplicationController
   respond_to :html, :xml, :json
 
   def index
-    @wiki_page_versions = WikiPageVersion.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @wiki_page_versions = WikiPageVersion.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@wiki_page_versions) do |format|
       format.xml do
         render :xml => @wiki_page_versions.to_xml(:root => "wiki-page-versions")

app/controllers/wiki_pages_controller.rb

@@ -1,11 +1,11 @@
 class WikiPagesController < ApplicationController
   respond_to :html, :xml, :json, :js
-  before_filter :member_only, :except => [:index, :search, :show, :show_or_new]
+  before_action :member_only, :except => [:index, :search, :show, :show_or_new]
-  before_filter :builder_only, :only => [:destroy]
+  before_action :builder_only, :only => [:destroy]
-  before_filter :normalize_search_params, :only => [:index]
+  before_action :normalize_search_params, :only => [:index]
   
   def new
-    @wiki_page = WikiPage.new(params[:wiki_page])
+    @wiki_page = WikiPage.new(wiki_page_params)
     respond_with(@wiki_page)
   end
 
@@ -15,7 +15,7 @@ class WikiPagesController < ApplicationController
   end
 
   def index
-    @wiki_pages = WikiPage.search(params[:search]).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
+    @wiki_pages = WikiPage.search(search_params).paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
     respond_with(@wiki_pages) do |format|
       format.html do
         if params[:page].nil? || params[:page].to_i == 1
@@ -50,13 +50,13 @@ class WikiPagesController < ApplicationController
   end
 
   def create
-    @wiki_page = WikiPage.create(params[:wiki_page])
+    @wiki_page = WikiPage.create(wiki_page_params)
     respond_with(@wiki_page)
   end
 
   def update
     @wiki_page = WikiPage.find(params[:id])
-    @wiki_page.update_attributes(params[:wiki_page])
+    @wiki_page.update(wiki_page_params)
     respond_with(@wiki_page)
   end
 
@@ -85,11 +85,19 @@ class WikiPagesController < ApplicationController
     end
   end
 
-private
+  private
+
   def normalize_search_params
     if params[:title]
       params[:search] ||= {}
       params[:search][:title] = params.delete(:title)
     end
   end
+
+  def wiki_page_params
+    permitted_params = %i[title body other_names skip_secondary_validations]
+    permitted_params += %i[is_locked is_deleted] if CurrentUser.is_builder?
+
+    params.require(:wiki_page).permit(permitted_params)
+  end
 end

app/logical/anonymous_user.rb

@@ -230,7 +230,7 @@ class AnonymousUser
   end
 
   def saved_searches
-    []
+    SavedSearch.where(false)
   end
 
   def has_saved_searches?

app/logical/current_user.rb

@@ -14,6 +14,10 @@ class CurrentUser
     end
   end
 
+  def self.as(user, &block)
+    scoped(user, &block)
+  end
+
   def self.as_admin(&block)
     if block_given?
       scoped(User.admins.first, "127.0.0.1", &block)
@@ -83,10 +87,6 @@ class CurrentUser
   end
 
   def self.method_missing(method, *params, &block)
-    if user.respond_to?(method)
+    user.__send__(method, *params, &block)
-      user.__send__(method, *params, &block)
-    else
-      super
-    end
   end
 end

app/logical/forum_updater.rb

@@ -21,10 +21,7 @@ class ForumUpdater
   end
 
   def create_response(body)
-    forum_topic.posts.create({
+    forum_topic.posts.create(body: body, skip_mention_notifications: true)
-      :body => body,
-      :skip_mention_notifications => true
-    }, :without_protection => true)
   end
 
   def update_title(title_tag)
@@ -34,6 +31,6 @@ class ForumUpdater
   end
 
   def update_post(body)
-    forum_post.update({:body => "#{forum_post.body}\n\nEDIT: #{body}", :skip_mention_notifications => true }, :without_protection => true)
+    forum_post.update(body: "#{forum_post.body}\n\nEDIT: #{body}", skip_mention_notifications: true)
   end
 end

app/logical/mentionable.rb

@@ -23,11 +23,11 @@ module Mentionable
 
   def queue_mention_messages
     message_field = self.class.mentionable_option(:message_field)
-    return if !send("#{message_field}_changed?")
+    return if !send(:saved_change_to_attribute?, message_field)
     return if self.skip_mention_notifications
 
     text = send(message_field)
-    text_was = send("#{message_field}_was")
+    text_was = send(:attribute_before_last_save, message_field)
 
     names = DText.parse_mentions(text) - DText.parse_mentions(text_was)
 

app/logical/post_pruner.rb

@@ -36,6 +36,6 @@ protected
   end
 
   def prune_mod_actions!
-    ModAction.destroy_all(["creator_id = ? and description like ?", User.system.id, "deleted post %"])
+    ModAction.where(["creator_id = ? and description like ?", User.system.id, "deleted post %"]).destroy_all
   end
 end

app/logical/post_query_builder.rb

@@ -291,13 +291,13 @@ class PostQueryBuilder
 
     if q[:note_updater_ids]
       q[:note_updater_ids].each do |note_updater_id|
-        relation = relation.where("posts.id IN (?)", NoteVersion.unscoped.where("updater_id = ?", note_updater_id).select("post_id").uniq)
+        relation = relation.where("posts.id IN (?)", NoteVersion.unscoped.where("updater_id = ?", note_updater_id).select("post_id").distinct)
       end
     end
 
     if q[:artcomm_ids]
       q[:artcomm_ids].each do |artcomm_id|
-        relation = relation.where("posts.id IN (?)", ArtistCommentaryVersion.unscoped.where("updater_id = ?", artcomm_id).select("post_id").uniq)
+        relation = relation.where("posts.id IN (?)", ArtistCommentaryVersion.unscoped.where("updater_id = ?", artcomm_id).select("post_id").distinct)
       end
     end
 

app/logical/session_loader.rb

@@ -14,7 +14,9 @@ class SessionLoader
     CurrentUser.user = AnonymousUser.new
     CurrentUser.ip_addr = request.remote_ip
 
-    if session[:user_id]
+    if Rails.env.test? && Thread.current[:test_user_id]
+      load_for_test(Thread.current[:test_user_id])
+    elsif session[:user_id]
       load_session_user
     elsif cookie_password_hash_valid?
       load_cookie_user
@@ -31,6 +33,11 @@ class SessionLoader
   end
 
 private
+
+  def load_for_test(user_id)
+    CurrentUser.user = User.find(user_id)
+    CurrentUser.ip_addr = "127.0.0.1"
+  end
   
   def set_statement_timeout
     timeout = CurrentUser.user.statement_timeout

app/logical/sources/strategies/twitter.rb

@@ -69,7 +69,7 @@ module Sources::Strategies
     # https://twitter.com/motty08111213/status/943446161586733056
     def self.status_id_from_url(url)
       if url =~ %r{\Ahttps?://(?:mobile\.)?twitter\.com/(?:i/web|\w+)/status/(\d+)}i
-        $1.to_i
+        $1
       else
         nil
       end

app/logical/tag_alias_request.rb

@@ -75,7 +75,7 @@ class TagAliasRequest
   end
 
   def skip_secondary_validations=(v)
-    if v == "1" or v == true
+    if v == "1" or v == true or v =~ /t/
       @skip_secondary_validations = true
     else
       @skip_secondary_validations = false

app/logical/tag_implication_request.rb

@@ -75,7 +75,7 @@ class TagImplicationRequest
   end
 
   def skip_secondary_validations=(v)
-    if v == "1" or v == true
+    if v == "1" or v == true or v =~ /t/
       @skip_secondary_validations = true
     else
       @skip_secondary_validations = false

app/logical/twitter_service.rb

@@ -3,7 +3,7 @@ class TwitterService
     raise "Twitter API keys not set" if Danbooru.config.twitter_api_key.nil?
 
     @client ||= begin
-      rest_client = Twitter::REST::Client.new do |config|
+      rest_client = ::Twitter::REST::Client.new do |config|
         config.consumer_key = Danbooru.config.twitter_api_key
         config.consumer_secret = Danbooru.config.twitter_api_secret
         if bearer_token = Cache.get("twitter-api-token")

app/models/amazon_backup.rb

@@ -4,8 +4,6 @@ require 'base64'
 require 'digest/md5'
 
 class AmazonBackup < ApplicationRecord
-  attr_accessible :last_id
-  
   def self.last_id
     first.last_id
   end

app/models/api_key.rb

@@ -2,7 +2,6 @@ class ApiKey < ApplicationRecord
   belongs_to :user
   validates_uniqueness_of :user_id
   validates_uniqueness_of :key
-  attr_accessible :user_id, :key
 
   def self.generate!(user)
     create(:user_id => user.id, :key => SecureRandom.urlsafe_base64(32))

app/models/application_record.rb

@@ -141,6 +141,41 @@ class ApplicationRecord < ActiveRecord::Base
     end
   end
 
+  concerning :UserMethods do
+    class_methods do
+      def belongs_to_creator(options = {})
+        class_eval do
+          belongs_to :creator, options.merge(class_name: "User")
+          before_validation(on: :create) do |rec| 
+            if rec.creator_id.nil?
+              rec.creator_id = CurrentUser.id
+              rec.creator_ip_addr = CurrentUser.ip_addr if rec.respond_to?(:creator_ip_addr=)
+              rec.ip_addr = CurrentUser.ip_addr if rec.respond_to?(:ip_addr=)
+            end
+          end
+
+          define_method :creator_name do
+            User.id_to_name(creator_id)
+          end
+        end
+      end
+
+      def belongs_to_updater(options = {})
+        class_eval do
+          belongs_to :updater, options.merge(class_name: "User")
+          before_validation do |rec|
+            rec.updater_id = CurrentUser.id
+            rec.updater_ip_addr = CurrentUser.ip_addr if rec.respond_to?(:updater_ip_addr=)
+          end
+
+          define_method :updater_name do
+            User.id_to_name(updater_id)
+          end
+        end
+      end
+    end
+  end
+
   def warnings
     @warnings ||= ActiveModel::Errors.new(self)
   end

app/models/artist.rb

@@ -2,25 +2,25 @@ class Artist < ApplicationRecord
   extend Memoist
   class RevertError < Exception ; end
 
-  before_create :initialize_creator
+  attribute :url_string, :string, default: ""
   before_validation :normalize_name
   after_save :create_version
   after_save :categorize_tag
   after_save :update_wiki
+  after_save :save_urls
   validates_uniqueness_of :name
+  validates_associated :urls
   validates :name, tag_name: true
   validate :validate_wiki, :on => :create
   after_validation :merge_validation_errors
-  belongs_to :creator, :class_name => "User"
+  belongs_to_creator
   has_many :members, :class_name => "Artist", :foreign_key => "group_name", :primary_key => "name"
   has_many :urls, :dependent => :destroy, :class_name => "ArtistUrl"
   has_many :versions, lambda {order("artist_versions.id ASC")}, :class_name => "ArtistVersion"
   has_one :wiki_page, :foreign_key => "title", :primary_key => "name"
   has_one :tag_alias, :foreign_key => "antecedent_name", :primary_key => "name"
   has_one :tag, :foreign_key => "name", :primary_key => "name"
-  attr_accessible :body, :notes, :name, :url_string, :other_names, :other_names_comma, :group_name, :notes, :as => [:member, :gold, :builder, :platinum, :moderator, :default, :admin]
+  attribute :notes, :string
-  attr_accessible :is_active, :as => [:builder, :moderator, :default, :admin]
-  attr_accessible :is_banned, :as => :admin
 
   scope :active, lambda { where(is_active: true) }
   scope :deleted, lambda { where(is_active: false) }
@@ -178,22 +178,12 @@ class Artist < ApplicationRecord
       urls.map(&:url)
     end
 
-    def url_string=(string)
+    def save_urls
-      @url_string_was = url_string
+      self.urls = url_string.scan(/[^[:space:]]+/).uniq.map do |url|
-
+        self.urls.find_or_create_by(url: url)
-      self.urls = string.scan(/[^[:space:]]+/).uniq.map do |url|
-        self.urls.find_or_initialize_by(url: url)
       end
     end
 
-    def url_string
-      url_array.join("\n")
-    end
-
-    def url_string_changed?
-      @url_string_was != url_string
-    end
-
     def map_domain(x)
       case x
       when "pximg.net"
@@ -258,7 +248,7 @@ class Artist < ApplicationRecord
 
   module VersionMethods
     def create_version(force=false)
-      if name_changed? || url_string_changed? || is_active_changed? || is_banned_changed? || other_names_changed? || group_name_changed? || notes_changed? || force
+      if saved_change_to_name? || saved_change_to_url_string? || saved_change_to_is_active? || saved_change_to_is_banned? || saved_change_to_other_names? || saved_change_to_group_name? || saved_change_to_notes? || force
         if merge_version?
           merge_version
         else
@@ -271,7 +261,7 @@ class Artist < ApplicationRecord
       ArtistVersion.create(
         :artist_id => id,
         :name => name,
-        :updater_id => CurrentUser.user.id,
+        :updater_id => CurrentUser.id,
         :updater_ip_addr => CurrentUser.ip_addr,
         :url_string => url_string,
         :is_active => is_active,
@@ -369,9 +359,9 @@ class Artist < ApplicationRecord
     end
 
     def update_wiki
-      if persisted? && name_changed? && name_was.present? && WikiPage.titled(name_was).exists?
+      if persisted? && saved_change_to_name? && attribute_before_last_save("name").present? && WikiPage.titled(attribute_before_last_save("name")).exists?
         # we're renaming the artist, so rename the corresponding wiki page
-        old_page = WikiPage.titled(name_was).first
+        old_page = WikiPage.titled(name_before_last_save).first
 
         if wiki_page.present?
           # a wiki page with the new name already exists, so update the content
@@ -383,7 +373,7 @@ class Artist < ApplicationRecord
       elsif wiki_page.nil?
         # if there are any notes, we need to create a new wiki page
         if @notes.present?
-          create_wiki_page(body: @notes, title: name)
+          wp = create_wiki_page(body: @notes, title: name)
         end
       elsif (!@notes.nil? && (wiki_page.body != @notes)) || wiki_page.title != name
         # if anything changed, we need to update the wiki page
@@ -415,7 +405,7 @@ class Artist < ApplicationRecord
     end
 
     def categorize_tag
-      if new_record? || name_changed?
+      if new_record? || saved_change_to_name?
         Tag.find_or_create_by_name("artist:#{name}")
       end
     end
@@ -666,10 +656,6 @@ class Artist < ApplicationRecord
     end
   end
 
-  def initialize_creator
-    self.creator_id = CurrentUser.user.id
-  end
-
   def deletable_by?(user)
     user.is_builder?
   end

app/models/artist_commentary.rb

@@ -3,10 +3,9 @@ class ArtistCommentary < ApplicationRecord
 
   attr_accessor :remove_commentary_tag, :remove_commentary_request_tag, :remove_commentary_check_tag
   attr_accessor :add_commentary_tag, :add_commentary_request_tag, :add_commentary_check_tag
-  attr_accessible :post_id, :original_description, :original_title, :translated_description, :translated_title, :remove_commentary_tag, :remove_commentary_request_tag, :add_commentary_tag, :add_commentary_request_tag, :add_commentary_check_tag, :remove_commentary_check_tag
   before_validation :trim_whitespace
   validates_uniqueness_of :post_id
-  belongs_to :post
+  belongs_to :post, required: true
   has_many :versions, lambda {order("artist_commentary_versions.id ASC")}, :class_name => "ArtistCommentaryVersion", :dependent => :destroy, :foreign_key => :post_id, :primary_key => :post_id
   has_one :previous_version, lambda {order(id: :desc)}, :class_name => "ArtistCommentaryVersion", :foreign_key => :post_id, :primary_key => :post_id
   after_save :create_version
@@ -109,12 +108,12 @@ class ArtistCommentary < ApplicationRecord
       post.add_tag("check_commentary")
     end
 
-    post.save if post.tag_string_changed?
+    post.save if post.saved_change_to_tag_string?
   end
 
   module VersionMethods
     def create_version
-      return unless changed?
+      return unless saved_changes?
 
       if merge_version?
         merge_version

app/models/artist_commentary_version.rb

@@ -1,9 +1,7 @@
 class ArtistCommentaryVersion < ApplicationRecord
-  before_validation :initialize_updater
   belongs_to :post
-  belongs_to :updater, :class_name => "User"
+  belongs_to_updater
   scope :for_user, lambda {|user_id| where("updater_id = ?", user_id)}
-  attr_accessible :post_id, :original_title, :original_description, :translated_title, :translated_description
 
   def self.search(params)
     q = super
@@ -18,13 +16,4 @@ class ArtistCommentaryVersion < ApplicationRecord
 
     q.apply_default_order(params)
   end
-
-  def initialize_updater
-    self.updater_id = CurrentUser.id
-    self.updater_ip_addr = CurrentUser.ip_addr
-  end
-
-  def updater_name
-    User.id_to_name(updater_id)
-  end
 end

app/models/artist_url.rb

@@ -4,7 +4,6 @@ class ArtistUrl < ApplicationRecord
   validates_presence_of :url
   validate :validate_url_format
   belongs_to :artist, :touch => true
-  attr_accessible :url, :artist_id, :normalized_url
 
   def self.normalize(url)
     if url.nil?
@@ -93,8 +92,8 @@ class ArtistUrl < ApplicationRecord
 
   def validate_url_format
     uri = Addressable::URI.parse(url)
-    errors[:base] << "'#{url}' must begin with http:// or https://" if !uri.scheme.in?(%w[http https])
+    errors[:url] << "must begin with http:// or https://" if !uri.scheme.in?(%w[http https])
   rescue Addressable::URI::InvalidURIError => error
-    errors[:base] << "'#{url}' is malformed: #{error}"
+    errors[:url] << "is malformed: #{error}"
   end
 end

app/models/artist_version.rb

@@ -1,7 +1,6 @@
 class ArtistVersion < ApplicationRecord
-  belongs_to :updater, :class_name => "User"
+  belongs_to_updater
   belongs_to :artist
-  attr_accessible :artist_id, :name, :is_active, :other_names, :group_name, :url_string, :is_banned, :updater_id, :updater_ip_addr
   delegate :visible?, :to => :artist
 
   module SearchMethods
@@ -106,8 +105,4 @@ class ArtistVersion < ApplicationRecord
   def previous
     ArtistVersion.where("artist_id = ? and created_at < ?", artist_id, created_at).order("created_at desc").first
   end
-
-  def updater_name
-    User.id_to_name(updater_id)
-  end
 end

app/models/ban.rb

@@ -5,7 +5,6 @@ class Ban < ApplicationRecord
   after_destroy :update_user_on_destroy
   belongs_to :user
   belongs_to :banner, :class_name => "User"
-  attr_accessible :reason, :duration, :user_id, :user_name
   validate :user_is_inferior
   validates_presence_of :user_id, :reason, :duration
   before_validation :initialize_banner_id, :on => :create

app/models/bulk_update_request.rb

@@ -2,9 +2,9 @@ class BulkUpdateRequest < ApplicationRecord
   attr_accessor :reason, :skip_secondary_validations
 
   belongs_to :user
-  belongs_to :forum_topic
+  belongs_to :forum_topic, optional: true
-  belongs_to :forum_post
+  belongs_to :forum_post, optional: true
-  belongs_to :approver, :class_name => "User"
+  belongs_to :approver, optional: true, class_name: "User"
 
   validates_presence_of :user
   validates_presence_of :script
@@ -112,10 +112,12 @@ class BulkUpdateRequest < ApplicationRecord
     def create_forum_topic
       if forum_topic_id
         forum_post = forum_topic.posts.create(body: reason_with_link)
-        update_attributes(:forum_post_id => forum_post.id)
+        update(forum_post_id: forum_post.id)
       else
-        forum_topic = ForumTopic.create(:title => title, :category_id => 1, :original_post_attributes => {:body => reason_with_link})
+        forum_topic = ForumTopic.create(title: title, category_id: 1, original_post_attributes: {body: reason_with_link})
-        update_attributes(:forum_topic_id => forum_topic.id, :forum_post_id => forum_topic.posts.first.id)
+        puts forum_topic.errors.full_messages
+        puts forum_topic.original_post.errors.full_messages
+        update(forum_topic_id: forum_topic.id, forum_post_id: forum_topic.posts.first.id)
       end
     end
 
@@ -136,13 +138,13 @@ class BulkUpdateRequest < ApplicationRecord
       AliasAndImplicationImporter.tokenize(script)
       return true
     rescue StandardError => e
-      errors.add(:base, e.message)
+      errors[:base] << e.message
       return false
     end
 
     def forum_topic_id_not_invalid
       if forum_topic_id && !forum_topic
-        errors.add(:base, "Forum topic ID is invalid")
+        errors[:base] << "Forum topic ID is invalid"
       end
     end
 
@@ -150,7 +152,7 @@ class BulkUpdateRequest < ApplicationRecord
       begin
         AliasAndImplicationImporter.new(script, forum_topic_id, "1", skip_secondary_validations).validate!
       rescue RuntimeError => e
-        self.errors[:base] = e.message
+        self.errors[:base] << e.message
         return false
       end
 

app/models/comment.rb

@@ -5,21 +5,17 @@ class Comment < ApplicationRecord
   validate :validate_creator_is_not_limited, :on => :create
   validates_format_of :body, :with => /\S/, :message => 'has no content'
   belongs_to :post
-  belongs_to :creator, :class_name => "User"
+  belongs_to_creator
-  belongs_to :updater, :class_name => "User"
+  belongs_to_updater
   has_many :votes, :class_name => "CommentVote", :dependent => :destroy
-  before_validation :initialize_creator, :on => :create
-  before_validation :initialize_updater
   after_create :update_last_commented_at_on_create
-  after_update(:if => lambda {|rec| (!rec.is_deleted? || !rec.is_deleted_changed?) && CurrentUser.id != rec.creator_id}) do |rec|
+  after_update(:if => lambda {|rec| (!rec.is_deleted? || !rec.saved_change_to_is_deleted?) && CurrentUser.id != rec.creator_id}) do |rec|
     ModAction.log("comment ##{rec.id} updated by #{CurrentUser.name}",:comment_update)
   end
-  after_save :update_last_commented_at_on_destroy, :if => lambda {|rec| rec.is_deleted? && rec.is_deleted_changed?}
+  after_save :update_last_commented_at_on_destroy, :if => lambda {|rec| rec.is_deleted? && rec.saved_change_to_is_deleted?}
-  after_save(:if => lambda {|rec| rec.is_deleted? && rec.is_deleted_changed? && CurrentUser.id != rec.creator_id}) do |rec|
+  after_save(:if => lambda {|rec| rec.is_deleted? && rec.saved_change_to_is_deleted? && CurrentUser.id != rec.creator_id}) do |rec|
     ModAction.log("comment ##{rec.id} deleted by #{CurrentUser.name}",:comment_delete)
   end
-  attr_accessible :body, :post_id, :do_not_bump_post, :is_deleted, :as => [:member, :gold, :platinum, :builder, :moderator, :admin]
-  attr_accessible :is_sticky, :as => [:moderator, :admin]
   mentionable(
     :message_field => :body, 
     :title => lambda {|user_name| "#{creator_name} mentioned you in a comment on post ##{post_id}"},
@@ -172,24 +168,6 @@ class Comment < ApplicationRecord
   extend SearchMethods
   include VoteMethods
 
-  def initialize_creator
-    self.creator_id ||= CurrentUser.user.id
-    self.ip_addr ||= CurrentUser.ip_addr
-  end
-
-  def initialize_updater
-    self.updater_id = CurrentUser.user.id
-    self.updater_ip_addr = CurrentUser.ip_addr
-  end
-
-  def creator_name
-    User.id_to_name(creator_id)
-  end
-
-  def updater_name
-    User.id_to_name(updater_id)
-  end
-
   def validate_post_exists
     errors.add(:post, "must exist") unless Post.exists?(post_id)
   end
@@ -245,11 +223,11 @@ class Comment < ApplicationRecord
   end
 
   def delete!
-    update({ :is_deleted => true }, :as => CurrentUser.role)
+    update(is_deleted: true)
   end
 
   def undelete!
-    update({ :is_deleted => false }, :as => CurrentUser.role)
+    update(is_deleted: false)
   end
 
   def quoted_response

app/models/comment_vote.rb

@@ -9,7 +9,6 @@ class CommentVote < ApplicationRecord
   validate :validate_user_can_vote
   validate :validate_comment_can_be_down_voted
   validates_inclusion_of :score, :in => [-1, 1], :message => "must be 1 or -1"
-  attr_accessible :comment_id, :user_id, :score
 
   def self.prune!
     where("created_at < ?", 14.days.ago).delete_all

app/models/dmail.rb

@@ -235,7 +235,7 @@ class Dmail < ApplicationRecord
 
   def validate_sender_is_not_banned
     if from.is_banned?
-      errors[:base] = "Sender is banned and cannot send messages"
+      errors[:base] << "Sender is banned and cannot send messages"
       return false
     else
       return true

app/models/dmail_filter.rb

@@ -1,6 +1,5 @@
 class DmailFilter < ApplicationRecord
   belongs_to :user
-  attr_accessible :words, :as => [:moderator, :gold, :platinum, :member, :anonymous, :default, :builder, :admin]
   validates_presence_of :user
   before_validation :initialize_user
 

app/models/favorite.rb

@@ -2,7 +2,6 @@ class Favorite < ApplicationRecord
   belongs_to :post
   belongs_to :user
   scope :for_user, lambda {|user_id| where("user_id % 100 = #{user_id.to_i % 100} and user_id = #{user_id.to_i}")}
-  attr_accessible :user_id, :post_id
 
   def self.add(post:, user:)
     Favorite.transaction do
@@ -26,7 +25,7 @@ class Favorite < ApplicationRecord
       User.where(:id => user.id).select("id").lock("FOR UPDATE NOWAIT").first
 
       return unless Favorite.for_user(user.id).where(:user_id => user.id, :post_id => post_id).exists?
-      Favorite.for_user(user.id).delete_all(post_id: post_id)
+      Favorite.for_user(user.id).where(post_id: post_id).delete_all
       Post.where(:id => post_id).update_all("fav_count = fav_count - 1")
       post.delete_user_from_fav_string(user.id) if post
       User.where(:id => user.id).update_all("favorite_count = favorite_count - 1")

app/models/favorite_group.rb

@@ -3,15 +3,13 @@ require 'ostruct'
 class FavoriteGroup < ApplicationRecord
   validates_uniqueness_of :name, :case_sensitive => false, :scope => :creator_id
   validates_format_of :name, :with => /\A[^,]+\Z/, :message => "cannot have commas"
-  belongs_to :creator, :class_name => "User"
+  belongs_to_creator
   before_validation :normalize_post_ids
   before_validation :normalize_name
-  before_validation :initialize_creator, :on => :create
   before_validation :strip_name
   validate :creator_can_create_favorite_groups, :on => :create
   validate :validate_number_of_posts
   before_save :update_post_count
-  attr_accessible :name, :post_ids, :post_id_array, :is_public, :as => [:member, :gold, :platinum, :builder, :moderator, :admin, :default]
 
   module SearchMethods
     def for_creator(user_id)
@@ -125,10 +123,6 @@ class FavoriteGroup < ApplicationRecord
     end
   end
 
-  def initialize_creator
-    self.creator_id ||= CurrentUser.id
-  end
-
   def strip_name
     self.name = name.to_s.strip
   end

app/models/forum_post.rb

@@ -1,14 +1,10 @@
 class ForumPost < ApplicationRecord
   include Mentionable
 
-  attr_accessible :body, :topic_id, :as => [:member, :builder, :gold, :platinum, :admin, :moderator, :default]
-  attr_accessible :is_locked, :is_sticky, :is_deleted, :as => [:admin, :moderator]
   attr_readonly :topic_id
-  belongs_to :creator, :class_name => "User"
+  belongs_to_creator
-  belongs_to :updater, :class_name => "User"
+  belongs_to_updater
   belongs_to :topic, :class_name => "ForumTopic"
-  before_validation :initialize_creator, :on => :create
-  before_validation :initialize_updater
   before_validation :initialize_is_deleted, :on => :create
   after_create :update_topic_updated_at_on_create
   after_update :update_topic_updated_at_on_update_for_original_posts
@@ -137,22 +133,22 @@ class ForumPost < ApplicationRecord
     return if topic.nil?
 
     if topic.is_locked?
-      errors.add(:topic, "is locked")
+      errors[:topic] << "is locked"
-      return false
+      throw :abort
-    else
-      return true
     end
   end
 
   def topic_id_not_invalid
     if topic_id && !topic
-      errors.add(:base, "Topic ID is invalid")
+      errors[:base] << "Topic ID is invalid"
+      return false
     end
   end
 
   def topic_is_not_restricted
     if topic && !topic.visible?(creator)
-      errors.add(:topic, "restricted")
+      errors[:topic] << "is restricted"
+      return false
     end
   end
 
@@ -179,12 +175,12 @@ class ForumPost < ApplicationRecord
   end
 
   def delete!
-    update_attributes({:is_deleted => true}, :as => CurrentUser.role)
+    update(is_deleted: true)
     update_topic_updated_at_on_delete
   end
 
   def undelete!
-    update_attributes({:is_deleted => false}, :as => CurrentUser.role)
+    update(is_deleted: false)
     update_topic_updated_at_on_undelete
   end
 
@@ -212,14 +208,6 @@ class ForumPost < ApplicationRecord
     end
   end
 
-  def initialize_creator
-    self.creator_id = CurrentUser.id
-  end
-
-  def initialize_updater
-    self.updater_id = CurrentUser.id
-  end
-
   def initialize_is_deleted
     self.is_deleted = false if is_deleted.nil?
   end