Make app works with strong params

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Make app works with strong params
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
8fee5a05 · Dmitriy Zaporozhets · 2acde87e · 8fee5a05 · 8fee5a05 · 8fee5a05
Commit 8fee5a05 authored Jun 26, 2014 by Dmitriy Zaporozhets
17 changed files
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -13,7 +13,7 @@ class Admin::UsersController < Admin::ApplicationController
  end
  def new
-    @user = User.build_user
+    @user = User.new
  end
  def edit
@@ -37,15 +37,12 @@ class Admin::UsersController < Admin::ApplicationController
  end
  def create
-    admin = user_params.delete("admin")
    opts = {
      force_random_password: true,
      password_expires_at: Time.now
    }
-    @user = User.build_user(user_params.merge(opts), as: :admin)
+    @user = User.new(user_params.merge(opts))
-    @user.admin = (admin && admin.to_i > 0)
    @user.created_by_id = current_user.id
    @user.generate_password
    @user.skip_confirmation!
@@ -62,19 +59,15 @@ class Admin::UsersController < Admin::ApplicationController
  end
  def update
-    admin = user_params.delete("admin")
+    if params[:user][:password].present?
+      user_params.merge(
-    if user_params[:password].blank?
+        password: params[:user][:password],
-      user_params.delete(:password)
+        password_confirmation: params[:user][:password_confirmation],
-      user_params.delete(:password_confirmation)
+      )
-    end
-    if admin.present?
-      user.admin = !admin.to_i.zero?
    end
    respond_to do |format|
-      if user.update_attributes(user_params, as: :admin)
+      if user.update_attributes(user_params)
        user.confirm!
        format.html { redirect_to [:admin, user], notice: 'User was successfully updated.' }
        format.json { head :ok }
@@ -118,10 +111,10 @@ class Admin::UsersController < Admin::ApplicationController
  def user_params
    params.require(:user).permit(
-      :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
+      :email, :remember_me, :bio, :name, :username,
      :skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
      :extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key,
-      :projects_limit, :can_create_group,
+      :projects_limit, :can_create_group, :admin
    )
  end
 end
--- a/app/controllers/profiles/emails_controller.rb
+++ b/app/controllers/profiles/emails_controller.rb
@@ -7,7 +7,7 @@ class Profiles::EmailsController < ApplicationController
  end
  def create
-    @email = current_user.emails.new(params[:email])
+    @email = current_user.emails.new(email_params)
    flash[:alert] = @email.errors.full_messages.first unless @email.save
@@ -23,4 +23,10 @@ class Profiles::EmailsController < ApplicationController
      format.js { render nothing: true }
    end
  end
+  private
+  def email_params
+    params.require(:email).permit(:email)
+  end
 end
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -14,7 +14,7 @@ class ProfilesController < ApplicationController
  end
  def update
-    user_params.delete(:email) if @user.ldap_user?
+    user_params.except!(:email) if @user.ldap_user?
    if @user.update_attributes(user_params)
      flash[:notice] = "Profile was successfully updated"

--- a/app/controllers/projects/deploy_keys_controller.rb
+++ b/app/controllers/projects/deploy_keys_controller.rb
@@ -22,7 +22,7 @@ class Projects::DeployKeysController < Projects::ApplicationController
  end
  def create
-    @key = DeployKey.new(params[:deploy_key])
+    @key = DeployKey.new(deploy_key_params)
    if @key.valid? && @project.deploy_keys << @key
      redirect_to project_deploy_keys_path(@project)
@@ -58,4 +58,8 @@ class Projects::DeployKeysController < Projects::ApplicationController
  def available_keys
    @available_keys ||= current_user.accessible_deploy_keys
  end
+  def deploy_key_params
+    params.require(:deploy_key).permit(:key, :title)
+  end
 end
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -61,13 +61,13 @@ class Note < ActiveRecord::Base
    def create_status_change_note(noteable, project, author, status, source)
      body = "_Status changed to #{status}#{' by ' + source.gfm_reference if source}_"
-      create({
+      create(
        noteable: noteable,
        project: project,
        author: author,
        note: body,
        system: true
-      }, without_protection: true)
+      )
    end
    # +noteable+ was referenced from +mentioner+, by including GFM in either +mentioner+'s description or an associated Note.
@@ -86,7 +86,7 @@ class Note < ActiveRecord::Base
        note_options.merge!(noteable: noteable)
      end
-      create(note_options, without_protection: true)
+      create(note_options)
    end
    def create_milestone_change_note(noteable, project, author, milestone)
@@ -96,13 +96,13 @@ class Note < ActiveRecord::Base
               "_Milestone changed to #{milestone.title}_"
             end
-      create({
+      create(
        noteable: noteable,
        project: project,
        author: author,
        note: body,
        system: true
-      }, without_protection: true)
+      )
    end
    def create_assignee_change_note(noteable, project, author, assignee)
@@ -114,7 +114,7 @@ class Note < ActiveRecord::Base
        author: author,
        note: body,
        system: true
-      }, without_protection: true)
+      })
    end
    def discussions_from_notes(notes)

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -27,14 +27,17 @@
 class Project < ActiveRecord::Base
  include Gitlab::ShellAdapter
  include Gitlab::VisibilityLevel
+  include Gitlab::ConfigHelper
+  extend Gitlab::ConfigHelper
  extend Enumerize
  default_value_for :archived, false
-  default_value_for :issues_enabled, true
+  default_value_for :visibility_level, gitlab_config_features.visibility_level
-  default_value_for :merge_requests_enabled, true
+  default_value_for :issues_enabled, gitlab_config_features.issues
-  default_value_for :wiki_enabled, true
+  default_value_for :merge_requests_enabled, gitlab_config_features.merge_requests
+  default_value_for :wiki_enabled, gitlab_config_features.wiki
  default_value_for :wall_enabled, false
-  default_value_for :snippets_enabled, true
+  default_value_for :snippets_enabled, gitlab_config_features.snippets
  ActsAsTaggableOn.strict_case_match = true
@@ -249,7 +252,7 @@ class Project < ActiveRecord::Base
  end
  def web_url
-    [Gitlab.config.gitlab.url, path_with_namespace].join("/")
+    [gitlab_config.url, path_with_namespace].join("/")
  end
  def web_url_without_protocol
@@ -470,7 +473,7 @@ class Project < ActiveRecord::Base
  end
  def http_url_to_repo
-    [Gitlab.config.gitlab.url, "/", path_with_namespace, ".git"].join('')
+    [gitlab_config.url, "/", path_with_namespace, ".git"].join('')
  end
  # Check if current branch name is marked as protected in the system

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -50,10 +50,15 @@ require 'carrierwave/orm/activerecord'
 require 'file_size_validator'
 class User < ActiveRecord::Base
+  include Gitlab::ConfigHelper
+  extend Gitlab::ConfigHelper
  default_value_for :admin, false
-  default_value_for :can_create_group, true
+  default_value_for :can_create_group, gitlab_config.default_can_create_group
  default_value_for :can_create_team, false
  default_value_for :hide_no_ssh_key, false
+  default_value_for :projects_limit, gitlab_config.default_projects_limit
+  default_value_for :theme_id, gitlab_config.default_theme
  devise :database_authenticatable, :token_authenticatable, :lockable, :async,
         :recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable
@@ -211,20 +216,8 @@ class User < ActiveRecord::Base
      where('users.username = ? OR users.id = ?', name_or_id.to_s, name_or_id.to_i).first
    end
-    def build_user(attrs = {}, options= {})
+    def build_user(attrs = {})
-      if options[:as] == :admin
+      User.new(attrs)
-        User.new(defaults.merge(attrs.symbolize_keys), options)
-      else
-        User.new(attrs, options).with_defaults
-      end
-    end
-    def defaults
-      {
-        projects_limit: Gitlab.config.gitlab.default_projects_limit,
-        can_create_group: Gitlab.config.gitlab.default_can_create_group,
-        theme_id: Gitlab.config.gitlab.default_theme
-      }
    end
  end
@@ -302,7 +295,7 @@ class User < ActiveRecord::Base
  end
  def can_change_username?
-    Gitlab.config.gitlab.username_changing_enabled
+    gitlab_config.username_changing_enabled
  end
  def can_create_project?
@@ -477,7 +470,7 @@ class User < ActiveRecord::Base
  def avatar_url(size = nil)
    if avatar.present?
-      URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
+      URI::join(gitlab_config.url, avatar.url).to_s
    else
      GravatarService.new.execute(email, size)
    end

--- a/app/services/issues/update_service.rb
+++ b/app/services/issues/update_service.rb
 module Issues
  class UpdateService < Issues::BaseService
    def execute(issue)
-      state = params.delete('state_event') || params.delete(:state_event)
+      state = params[:state_event]
      case state
      when 'reopen'
@@ -10,7 +10,7 @@ module Issues
        Issues::CloseService.new(project, current_user, {}).execute(issue)
      end
-      if params.present? && issue.update_attributes(params)
+      if params.present? && issue.update_attributes(params.except(:state_event))
        issue.reset_events_cache
        if issue.previous_changes.include?('milestone_id')

--- a/app/services/merge_requests/update_service.rb
+++ b/app/services/merge_requests/update_service.rb
@@ -7,10 +7,10 @@ module MergeRequests
    def execute(merge_request)
      # We dont allow change of source/target projects
      # after merge request was created
-      params.delete(:source_project_id)
+      params.except!(:source_project_id)
-      params.delete(:target_project_id)
+      params.except!(:target_project_id)
-      state = params.delete('state_event') || params.delete(:state_event)
+      state = params[:state_event]
      case state
      when 'reopen'
@@ -19,7 +19,7 @@ module MergeRequests
        MergeRequests::CloseService.new(project, current_user, {}).execute(merge_request)
      end
-      if params.present? && merge_request.update_attributes(params)
+      if params.present? && merge_request.update_attributes(params.except(:state_event))
        merge_request.reset_events_cache
        if merge_request.previous_changes.include?('milestone_id')

--- a/app/services/milestones/update_service.rb
+++ b/app/services/milestones/update_service.rb
 module Milestones
  class UpdateService < Milestones::BaseService
    def execute(milestone)
-      state = params.delete('state_event') || params.delete(:state_event)
+      state = params[:state_event]
      case state
      when 'activate'
@@ -11,7 +11,7 @@ module Milestones
      end
      if params.present?
-        milestone.update_attributes(params)
+        milestone.update_attributes(params.except(:state_event))
      end
      milestone

--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@@ -5,27 +5,13 @@ module Projects
    end
    def execute
-      # get namespace id
+      @project = Project.new(params)
-      namespace_id = params.delete(:namespace_id)
-      # check that user is allowed to set specified visibility_level
+      # Reset visibility levet if is not allowed to set it
      unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
-        params.delete(:visibility_level)
+        @project.visibility_level = default_features.visibility_level
      end
-      # Load default feature settings
-      default_features = Gitlab.config.gitlab.default_projects_features
-      default_opts = {
-        issues_enabled: default_features.issues,
-        wiki_enabled: default_features.wiki,
-        snippets_enabled: default_features.snippets,
-        merge_requests_enabled: default_features.merge_requests,
-        visibility_level: default_features.visibility_level
-      }.stringify_keys
-      @project = Project.new(default_opts.merge(params))
      # Parametrize path for project
      #
      # Ex.
@@ -33,13 +19,14 @@ module Projects
      #
      @project.path = @project.name.dup.parameterize unless @project.path.present?
+      # get namespace id
+      namespace_id = params[:namespace_id]
      if namespace_id
        # Find matching namespace and check if it allowed
        # for current user if namespace_id passed.
-        if allowed_namespace?(current_user, namespace_id)
+        unless allowed_namespace?(current_user, namespace_id)
-          @project.namespace_id = namespace_id
+          @project.namespace_id = nil
-        else
          deny_namespace
          return @project
        end

--- a/app/services/projects/transfer_service.rb
+++ b/app/services/projects/transfer_service.rb
@@ -12,7 +12,7 @@ module Projects
    class TransferError < StandardError; end
    def execute
-      namespace_id = params.delete(:namespace_id)
+      namespace_id = params[:namespace_id]
      namespace = Namespace.find_by(id: namespace_id)
      if allowed_transfer?(current_user, project, namespace)

--- a/app/services/projects/update_service.rb
+++ b/app/services/projects/update_service.rb
 module Projects
  class UpdateService < BaseService
    def execute
-      params.delete(:namespace_id)
      # check that user is allowed to set specified visibility_level
      unless can?(current_user, :change_visibility_level, project) && Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
-        params.delete(:visibility_level)
+        params[:visibility_level] = project.visibility_level
      end
-      new_branch = params.delete(:default_branch)
+      new_branch = params[:default_branch]
      if project.repository.exists? && new_branch && new_branch != project.default_branch
        project.change_head(new_branch)
      end
-      if project.update_attributes(params)
+      if project.update_attributes(params.except(:default_branch))
-        if project.previous_changes.include?('namespace_id')
-          project.send_move_instructions
-        end
        if project.previous_changes.include?('path')
          project.rename_repo
        end

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -98,10 +98,14 @@ module API
    def attributes_for_keys(keys)
      attrs = {}
      keys.each do |key|
-        attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
+        if params[key].present? or (params.has_key?(key) and params[key] == false)
+          attrs[key] = params[key]
+        end
      end
-      attrs
+      ActionController::Parameters.new(attrs).permit!
    end
    # error helpers

--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -59,7 +59,7 @@ module API
        authenticated_as_admin!
        required_attributes! [:email, :password, :name, :username]
        attrs = attributes_for_keys [:email, :name, :password, :skype, :linkedin, :twitter, :projects_limit, :username, :extern_uid, :provider, :bio, :can_create_group, :admin]
-        user = User.build_user(attrs, as: :admin)
+        user = User.build_user(attrs)
        admin = attrs.delete(:admin)
        user.admin = admin unless admin.nil?
        if user.save

--- a/lib/gitlab/config_helper.rb
+++ b/lib/gitlab/config_helper.rb
+module Gitlab::ConfigHelper
+  def gitlab_config_features
+    Gitlab.config.gitlab.default_projects_features
+  end
+  def gitlab_config
+    Gitlab.config.gitlab
+  end
+end
--- a/lib/gitlab/oauth/user.rb
+++ b/lib/gitlab/oauth/user.rb
@@ -27,7 +27,7 @@ module Gitlab
            password_confirmation: password,
          }
-          user = model.build_user(opts, as: :admin)
+          user = model.build_user(opts)
          user.skip_confirmation!
          # Services like twitter and github does not return email via oauth