move to strong_parameters of rails4.

app/controllers/application_controller.rb

@@ -6,8 +6,9 @@ require_dependency "login_system"
 require_dependency "tracks/source_view"
 
 class ApplicationController < ActionController::Base
-
-  protect_from_forgery
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  protect_from_forgery with: :exception
 
   include LoginSystem
   helper_method :current_user, :prefs, :format_date

app/controllers/contexts_controller.rb

@@ -8,7 +8,7 @@ class ContextsController < ApplicationController
   prepend_before_filter :login_or_feed_token_required, :only => [:index]
 
   def index
-    @all_contexts = current_user.contexts
+    @all_contexts    = current_user.contexts
     @active_contexts = current_user.contexts.active
     @hidden_contexts = current_user.contexts.hidden
     @closed_contexts = current_user.contexts.closed
@@ -69,7 +69,7 @@ class ContextsController < ApplicationController
       render_failure "Expected post format is valid xml like so: <context><name>context name</name></context>.", 400
       return
     end
-    @context = current_user.contexts.build(params['context'])
+    @context = current_user.contexts.build(context_params)
     @context.hide! if params['context_state'] && params['context_state']['hide'] == '1'
     @saved = @context.save
     @context_not_done_counts = { @context.id => 0 }
@@ -93,7 +93,7 @@ class ContextsController < ApplicationController
   def update
     process_params_for_update
 
-    @context.attributes = params["context"]
+    @context.attributes = context_params
     @saved = @context.save
     @state_saved = set_state_for_update(@new_state) 
     @saved = @saved && @state_saved
@@ -161,6 +161,12 @@ class ContextsController < ApplicationController
     all_done_todos_for current_user.contexts.find(params[:id])
   end
 
+  private
+
+  def context_params
+    params.require(:context).permit(:name, :position, :state)
+  end
+
   protected
 
   def update_state_counts

app/controllers/notes_controller.rb

@@ -24,7 +24,7 @@ class NotesController < ApplicationController
 
   def create
     @note = current_user.notes.build
-    @note.attributes = params["note"]
+    @note.attributes = note_params
 
     @saved = @note.save
 
@@ -45,7 +45,7 @@ class NotesController < ApplicationController
 
   def update
     @note = current_user.notes.find(params['id'])
-    @note.attributes = params["note"]
+    @note.attributes = note_params
     @saved = @note.save
     respond_to do |format|
       format.html
@@ -69,4 +69,10 @@ class NotesController < ApplicationController
     @source_view = params['_source_view'] || 'note'
   end
 
+  private
+
+  def note_params
+    params.require(:note).permit(:project_id, :body)
+  end
+
 end

app/controllers/preferences_controller.rb

@@ -9,8 +9,8 @@ class PreferencesController < ApplicationController
   def update
     @prefs = current_user.prefs
     @user = current_user
-    user_updated = current_user.update_attributes(params['user'])
-    prefs_updated = current_user.preference.update_attributes(params['prefs'])
+    user_updated = current_user.update_attributes(user_params)
+    prefs_updated = current_user.preference.update_attributes(prefs_params)
     if (user_updated && prefs_updated)
       if !params['user']['password'].blank? # password updated?
         logout_user t('preferences.password_changed')
@@ -33,6 +33,20 @@ class PreferencesController < ApplicationController
 
 private
 
+  def prefs_params
+    params.require(:prefs).permit(
+      :date_format, :week_starts, :show_number_completed, 
+      :show_completed_projects_in_sidebar, :show_hidden_contexts_in_sidebar, 
+      :staleness_starts, :due_style, :locale, :title_date_format, :time_zone, 
+      :show_hidden_projects_in_sidebar, :show_project_on_todo_done, 
+      :review_period, :refresh, :verbose_action_descriptors, 
+      :mobile_todos_per_page, :sms_email, :sms_context_id)
+  end
+
+  def user_params
+    params.require(:user).permit(:login, :first_name, :last_name, :password_confirmation, :password, :auth_type, :open_id_url)
+  end
+
   # Display notification if preferences are successful updated
   def preference_updated
     notify :notice, t('preferences.updated')

app/controllers/projects_controller.rb

@@ -173,7 +173,7 @@ class ProjectsController < ApplicationController
       render_failure "Expected post format is valid xml like so: <project><name>project name</name></project>.", 400
       return
     end
-    @project = current_user.projects.build(params['project'])
+    @project = current_user.projects.build(project_params)
     @go_to_project = params['go_to_project']
     @saved = @project.save
     @project_not_done_counts = { @project.id => 0 }
@@ -212,7 +212,7 @@ class ProjectsController < ApplicationController
       params['project']['name'] = params['value']
     end
 
-    @project.attributes = params['project']
+    @project.attributes = project_params
     @saved = @project.save
     if @saved
       @project.transition_to(@new_state) if @state_changed
@@ -342,4 +342,10 @@ class ProjectsController < ApplicationController
     end
   end
 
+  private
+
+  def project_params
+    params.require(:project).permit(:name, :position, :user_id, :description, :state, :default_context_id, :default_tags)
+  end
+
 end

app/controllers/recurring_todos_controller.rb

@@ -89,7 +89,7 @@ class RecurringTodosController < ApplicationController
       params["recurring_todo"]["weekly_return_"+day]=' ' if params["recurring_todo"]["weekly_return_"+day].nil?
     end
 
-    @saved = @recurring_todo.update_attributes params["recurring_todo"]
+    @saved = @recurring_todo.update_attributes recurring_todo_params
 
     respond_to do |format|
       format.js
@@ -97,7 +97,7 @@ class RecurringTodosController < ApplicationController
   end
 
   def create
-    p = RecurringTodoCreateParamsHelper.new(params)
+    p = RecurringTodoCreateParamsHelper.new(params, recurring_todo_params)
     p.attributes['end_date']=parse_date_per_user_prefs(p.attributes['end_date'])
     p.attributes['start_from']=parse_date_per_user_prefs(p.attributes['start_from'])
 
@@ -207,9 +207,9 @@ class RecurringTodosController < ApplicationController
 
   class RecurringTodoCreateParamsHelper
 
-    def initialize(params)
+    def initialize(params, recurring_todo_params)
       @params = params['request'] || params
-      @attributes = params['request'] && params['request']['recurring_todo']  || params['recurring_todo']
+      @attributes = recurring_todo_params
 
       # make sure all selectors (recurring_period, recurrence_selector,
       # daily_selector, monthly_selector and yearly_selector) are first in hash
@@ -259,6 +259,25 @@ class RecurringTodosController < ApplicationController
 
   private
 
+  def recurring_todo_params
+    params.require(:recurring_todo).permit(
+      # model attributes
+      :context_id, :project_id, :description, :notes, :state, :start_from, 
+      :ends_on, :end_date, :number_of_occurences, :occurences_count, :target, 
+      :show_from_delta, :recurring_period, :recurrence_selector, :every_other1, 
+      :every_other2, :every_other3, :every_day, :only_work_days, :every_count, 
+      :weekday, :show_always,
+      # form attributes
+      :recurring_period, :daily_selector, :monthly_selector, :yearly_selector, 
+      :recurring_target, :daily_every_x_days, :monthly_day_of_week, 
+      :monthly_every_x_day, :monthly_every_x_month2, :monthly_every_x_month, 
+      :monthly_every_xth_day, :recurring_show_days_before, 
+      :recurring_show_always, :weekly_every_x_week, :weekly_return_monday,
+      :yearly_day_of_week, :yearly_every_x_day, :yearly_every_xth_day, 
+      :yearly_month_of_year2, :yearly_month_of_year
+      )
+  end
+
   def init
     @days_of_week = []
     0.upto 6 do |i|

app/controllers/todos/todo_create_params_helper.rb

@@ -5,7 +5,7 @@ module Todos
 
     def initialize(params, user)
       set_params(params)
-      filter_attributes
+      filter_attributes(params)
       filter_tags
       filter_starred
 
@@ -20,8 +20,12 @@ module Todos
       @params = params['request'] || params
     end
 
-    def filter_attributes
-      @attributes = @params['request'] && @params['request']['todo'] || @params['todo']
+    def filter_attributes(params)
+      if params[:request]
+        @attributes = todo_params(params[:request])
+      else
+        @attributes = todo_params(params)
+      end
       @attributes = {} if @attributes.nil?  # make sure there is at least an empty hash
 		end
 
@@ -116,6 +120,24 @@ module Todos
 
     private
 
+    def todo_params(params)
+      # keep :predecessor_dependencies from being filterd (for XML API). 
+      # The permit cannot handle multiple precessors
+      deps = params[:todo][:predecessor_dependencies][:predecessor] if params[:todo][:predecessor_dependencies]
+
+      filtered = params.require(:todo).permit(
+        :context_id, :project_id, :description, :notes, 
+        :due, :show_from, :state, 
+        # XML API
+        :tags => [:tag => [:name]],
+        :context => [:name],
+        :project => [:name])
+
+      # add back :predecessor_dependencies
+      filtered[:predecessor_dependencies] = {:predecessor => deps } unless deps.nil?
+      filtered
+    end
+
     def find_or_create_group(group_type, set, name)
       return set_id_by_name(group_type, set, name) if specified_by_name?(group_type)
       return set_id_by_id_string(group_type, set, @attributes["#{group_type}_id"]) if specified_by_id?(group_type)

app/controllers/todos_controller.rb

@@ -428,7 +428,7 @@ class TodosController < ApplicationController
     determine_changes_by_this_update
     determine_remaining_in_container_count( (@context_changed || @project_changed) ? @original_item : @todo)
     determine_down_count
-    determine_deferred_tag_count(params['_tag_name']) if source_view_is(:tag)
+    determine_deferred_tag_count(sanitize(params['_tag_name'])) if source_view_is(:tag)
 
     @todo.touch_predecessors if @original_item_description != @todo.description
 
@@ -1219,7 +1219,10 @@ class TodosController < ApplicationController
   end
 
   def update_attributes_of_todo
-    @todo.attributes = params["todo"]
+    # TODO: duplication with todo_create_params_helper
+    @todo.attributes = params.require(:todo).permit(
+        :context_id, :project_id, :description, :notes, 
+        :due, :show_from, :state)
   end
 
   def determine_changes_by_this_update

app/controllers/users_controller.rb

@@ -78,7 +78,7 @@ class UsersController < ApplicationController
           return
         end
 
-        user = User.new(params['user'])
+        user = User.new(user_params)
 
         unless user.valid?
           session['new_user'] = user
@@ -108,8 +108,8 @@ class UsersController < ApplicationController
           render_failure "Expected post format is valid xml like so: <user><login>username</login><password>abc123</password></user>.", 400
           return
         end
-        user = User.new(params[:user])
-        user.password_confirmation = params[:user][:password]
+        user = User.new(user_params)
+        user.password_confirmation = user_params[:password]
         saved = user.save
         unless user.new_record?
           render :text => t('users.user_created'), :status => 200
@@ -147,7 +147,7 @@ class UsersController < ApplicationController
 
   def update_password
     # is used for focing password change after sha->bcrypt upgrade
-    current_user.change_password(params[:user][:password], params[:user][:password_confirmation])
+    current_user.change_password(user_params[:password], user_params[:password_confirmation])
     notify :notice, t('users.password_updated')
     redirect_to preferences_path
   rescue Exception => error
@@ -160,7 +160,7 @@ class UsersController < ApplicationController
   end
 
   def update_auth_type
-    current_user.auth_type = params[:user][:auth_type]
+    current_user.auth_type = user_params[:auth_type]
     if current_user.save
       notify :notice, t('users.auth_type_updated')
       redirect_to preferences_path
@@ -179,6 +179,10 @@ class UsersController < ApplicationController
 
   private
 
+  def user_params
+    params.require(:user).permit(:login, :first_name, :last_name, :password_confirmation, :password, :auth_type, :open_id_url)
+  end
+
   def get_new_user
     if session['new_user']
       user = session['new_user']