Use strong parameters.

9 files changed, 36 insertions, 40 deletions

diff --git a/app/controllers/refinery/blog/admin/categories_controller.rb b/app/controllers/refinery/blog/admin/categories_controller.rb
index 0a3b7b9..e9f2f89 100644
--- a/app/controllers/refinery/blog/admin/categories_controller.rb
+++ b/app/controllers/refinery/blog/admin/categories_controller.rb
@@ -6,6 +6,11 @@ module Refinery
         crudify :'refinery/blog/category',
                 :order => 'title ASC'
 
+        private
+
+        def category_params
+          params.require(:category).permit(:title)
+        end
       end
     end
   end
diff --git a/app/controllers/refinery/blog/admin/posts_controller.rb b/app/controllers/refinery/blog/admin/posts_controller.rb
index 81bdc81..d01bba9 100644
--- a/app/controllers/refinery/blog/admin/posts_controller.rb
+++ b/app/controllers/refinery/blog/admin/posts_controller.rb
@@ -38,12 +38,12 @@ module Refinery
         def create
           # if the position field exists, set this object as last object, given the conditions of this class.
           if Refinery::Blog::Post.column_names.include?("position")
-            params[:post].merge!({
+            post_params.merge!({
               :position => ((Refinery::Blog::Post.maximum(:position, :conditions => "")||-1) + 1)
             })
           end
 
-          if (@post = Refinery::Blog::Post.create(params[:post])).valid?
+          if (@post = Refinery::Blog::Post.create(post_params)).valid?
             (request.xhr? ? flash.now : flash).notice = t(
               'refinery.crudify.created',
               :what => "'#{@post.title}'"
@@ -75,7 +75,16 @@ module Refinery
           end
         end
 
+      private
+
+        def post_params
+          params.require(:post).permit(:title, :body, :custom_teaser, :tag_list,
+            :draft, :published_at, :custom_url, :user_id, :browser_title,
+            :meta_description, :source_url, :source_url_title, :category_ids => [])
+        end
+
       protected
+
         def find_post
           @post = Refinery::Blog::Post.find_by_slug_or_id(params[:id])
         end
@@ -85,7 +94,7 @@ module Refinery
         end
 
         def check_category_ids
-          params[:post][:category_ids] ||= []
+          post_params[:category_ids] ||= []
         end
       end
     end
diff --git a/app/controllers/refinery/blog/blog_controller.rb b/app/controllers/refinery/blog/blog_controller.rb
index 6327199..0c50c95 100644
--- a/app/controllers/refinery/blog/blog_controller.rb
+++ b/app/controllers/refinery/blog/blog_controller.rb
@@ -10,7 +10,7 @@ module Refinery
       protected
 
         def find_page
-          @page = Refinery::Page.find_by_link_url(Refinery::Blog.page_url)
+          @page = Refinery::Page.find_by(:link_url => Refinery::Blog.page_url)
         end
     end
   end
diff --git a/app/controllers/refinery/blog/posts_controller.rb b/app/controllers/refinery/blog/posts_controller.rb
index 20ac12b..1cc9698 100644
--- a/app/controllers/refinery/blog/posts_controller.rb
+++ b/app/controllers/refinery/blog/posts_controller.rb
@@ -2,7 +2,7 @@ module Refinery
   module Blog
     class PostsController < BlogController
 
-      before_filter :paginate_all_blog_posts, :except => [:archive]
+      before_filter :find_all_blog_posts, :except => [:archive]
       before_filter :find_blog_post, :only => [:show, :comment, :update_nav]
       before_filter :find_tags
 
@@ -37,7 +37,7 @@ module Refinery
       end
 
       def comment
-        @comment = @post.comments.create(params[:comment])
+        @comment = @post.comments.create(comment_params)
         if @comment.valid?
           if Comment::Moderation.enabled? or @comment.ham?
             begin
@@ -81,6 +81,12 @@ module Refinery
         @posts = Post.live.tagged_with(@tag_name).page(params[:page])
       end
 
+    private
+
+      def comment_params
+        params.require(:comment).permit(:name, :email, :message)
+      end
+
     protected
       def canonical?
         Refinery::I18n.default_frontend_locale != Refinery::I18n.current_frontend_locale
diff --git a/app/helpers/refinery/blog/controller_helper.rb b/app/helpers/refinery/blog/controller_helper.rb
index 4bec046..a300148 100644
--- a/app/helpers/refinery/blog/controller_helper.rb
+++ b/app/helpers/refinery/blog/controller_helper.rb
@@ -5,10 +5,9 @@ module Refinery
       protected
 
         def find_blog_post
-          @post = all_blog_posts.friendly.find(params[:id])
-          unless @post.try(:live?)
-            if refinery_user? && current_refinery_user.authorized_plugins.include?("refinerycms_blog")
-              @post = Post.friendly.find(params[:id])
+          unless (@post = Refinery::Blog::Post.with_globalize.friendly.find(params[:id])).try(:live?)
+            if refinery_user? and current_refinery_user.authorized_plugins.include?("refinerycms_blog")
+              @post = Refinery::Blog::Post.friendly.find(params[:id])
             else
               error_404
             end
@@ -16,7 +15,7 @@ module Refinery
         end
 
         def find_all_blog_posts
-          @posts = all_blog_posts.live
+          @posts = Refinery::Blog::Post.live.includes(:comments, :categories).with_globalize.page(params[:page])
         end
 
         def find_tags
diff --git a/app/models/refinery/blog/categorization.rb b/app/models/refinery/blog/categorization.rb
index 7ca9c77..b7dbcc8 100644
--- a/app/models/refinery/blog/categorization.rb
+++ b/app/models/refinery/blog/categorization.rb
@@ -6,7 +6,6 @@ module Refinery
       belongs_to :blog_post, :class_name => 'Refinery::Blog::Post', :foreign_key => :blog_post_id
       belongs_to :blog_category, :class_name => 'Refinery::Blog::Category', :foreign_key => :blog_category_id
 
-      attr_accessible :blog_category_id, :blog_post_id
     end
   end
 end
diff --git a/app/models/refinery/blog/category.rb b/app/models/refinery/blog/category.rb
index acab8bf..5cf4ea5 100644
--- a/app/models/refinery/blog/category.rb
+++ b/app/models/refinery/blog/category.rb
@@ -1,10 +1,10 @@
 module Refinery
   module Blog
     class Category < ActiveRecord::Base
+      extend FriendlyId
 
       translates :title, :slug
 
-      extend FriendlyId
       friendly_id :title, :use => [:slugged, :globalize]
 
       has_many :categorizations, :dependent => :destroy, :foreign_key => :blog_category_id
@@ -12,13 +12,6 @@ module Refinery
 
       validates :title, :presence => true, :uniqueness => true
 
-      attr_accessible :title
-      attr_accessor :locale
-
-      class Translation
-        attr_accessible :locale
-      end
-
       def self.translated
         with_translations(::Globalize.locale)
       end
diff --git a/app/models/refinery/blog/comment.rb b/app/models/refinery/blog/comment.rb
index ae35a59..be94238 100644
--- a/app/models/refinery/blog/comment.rb
+++ b/app/models/refinery/blog/comment.rb
@@ -2,8 +2,6 @@ module Refinery
   module Blog
     class Comment < ActiveRecord::Base
 
-      attr_accessible :name, :email, :message
-
       filters_spam author_field: :name, email_field: :email, message_field: :body
 
       belongs_to :post, foreign_key: 'blog_post_id'
diff --git a/app/models/refinery/blog/post.rb b/app/models/refinery/blog/post.rb
index 1c2cf04..005ec29 100644
--- a/app/models/refinery/blog/post.rb
+++ b/app/models/refinery/blog/post.rb
@@ -4,51 +4,38 @@ require 'seo_meta'
 module Refinery
   module Blog
     class Post < ActiveRecord::Base
+      extend FriendlyId
 
       translates :title, :body, :custom_url, :custom_teaser, :slug, :include => :seo_meta
 
-      extend FriendlyId
       friendly_id :friendly_id_source, :use => [:slugged, :globalize]
 
-      is_seo_meta if self.table_exists?
-
-      belongs_to :author, proc{ readonly(true) }, :class_name => Refinery::Blog.user_class.to_s, :foreign_key => :user_id
+      is_seo_meta
 
-      has_many :comments, :dependent => :destroy, :foreign_key => :blog_post_id
       acts_as_taggable
 
+      belongs_to :author, proc { readonly(true) }, :class_name => Refinery::Blog.user_class.to_s, :foreign_key => :user_id
+      has_many :comments, :dependent => :destroy, :foreign_key => :blog_post_id
       has_many :categorizations, :dependent => :destroy, :foreign_key => :blog_post_id
       has_many :categories, :through => :categorizations, :source => :blog_category
 
       validates :title, :presence => true, :uniqueness => true
       validates :body,  :presence => true
       validates :published_at, :author, :presence => true
-
       validates :source_url, :url => { :if => 'Refinery::Blog.validate_source_url',
                                       :update => true,
                                       :allow_nil => true,
                                       :allow_blank => true,
                                       :verify => [:resolve_redirects]}
 
-      attr_accessible :title, :body, :custom_teaser, :tag_list, :draft, :published_at, :custom_url, :author
-      attr_accessible :browser_title, :meta_description, :user_id, :category_ids
-      attr_accessible :source_url, :source_url_title
-      attr_accessor :locale
-
       class Translation
         is_seo_meta
-        attr_accessible :browser_title, :meta_description, :locale
       end
 
-      # Delegate SEO Attributes to globalize3 translation
+      # Delegate SEO Attributes to globalize translation
       seo_fields = ::SeoMeta.attributes.keys.map{|a| [a, :"#{a}="]}.flatten
       delegate(*(seo_fields << {:to => :translation}))
 
-      before_save do |m|
-        m.translation.globalized_model = self
-        m.translation.save if m.translation.new_record?
-      end
-
       self.per_page = Refinery::Blog.posts_per_page
 
       def next