Limit assigned attributes when creating and updating Notes

Using #permit! is unsafe and not necessary, since we have a fixed set of attributes used in the notes form. Use #permit with a list of attribute names instead.
publify · Oct 13, 2024 · 402f970 · 402f970
1 parent b9c0316
commit 402f970
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/app/controllers/admin/notes_controller.rb b/app/controllers/admin/notes_controller.rb
@@ -23,7 +23,7 @@ def create
     note = new_note
 
     note.state = "published"
-    note.attributes = params[:note].permit!
+    note.assign_attributes(note_params)
     note.text_filter ||= default_text_filter
     note.published_at ||= Time.zone.now
     if note.save
@@ -41,7 +41,7 @@ def create
   end
 
   def update
-    @note.attributes = params[:note].permit!
+    @note.assign_attributes(note_params)
     @note.save
     redirect_to admin_notes_url
   end
@@ -54,6 +54,15 @@ def destroy
 
   private
 
+  def note_params
+    params.require(:note).permit(:text_filter_name,
+                                 :body,
+                                 :push_to_twitter,
+                                 :in_reply_to_status_id,
+                                 :permalink,
+                                 :published_at)
+  end
+
   def load_existing_notes
     @notes = Note.page(params[:page]).per(this_blog.limit_article_display)
   end