move to strong_parameters of rails4.

app/controllers/preferences_controller.rb

@@ -9,8 +9,8 @@ class PreferencesController < ApplicationController
   def update
     @prefs = current_user.prefs
     @user = current_user
-    user_updated = current_user.update_attributes(params['user'])
-    prefs_updated = current_user.preference.update_attributes(params['prefs'])
+    user_updated = current_user.update_attributes(user_params)
+    prefs_updated = current_user.preference.update_attributes(prefs_params)
     if (user_updated && prefs_updated)
       if !params['user']['password'].blank? # password updated?
         logout_user t('preferences.password_changed')
@@ -33,6 +33,20 @@ class PreferencesController < ApplicationController
 
 private
 
+  def prefs_params
+    params.require(:prefs).permit(
+      :date_format, :week_starts, :show_number_completed, 
+      :show_completed_projects_in_sidebar, :show_hidden_contexts_in_sidebar, 
+      :staleness_starts, :due_style, :locale, :title_date_format, :time_zone, 
+      :show_hidden_projects_in_sidebar, :show_project_on_todo_done, 
+      :review_period, :refresh, :verbose_action_descriptors, 
+      :mobile_todos_per_page, :sms_email, :sms_context_id)
+  end
+
+  def user_params
+    params.require(:user).permit(:login, :first_name, :last_name, :password_confirmation, :password, :auth_type, :open_id_url)
+  end
+
   # Display notification if preferences are successful updated
   def preference_updated
     notify :notice, t('preferences.updated')