Diffstat (limited to 'app/controllers/refinery/blog')
5 files changed, 33 insertions, 9 deletions
diff --git a/app/controllers/refinery/blog/admin/categories_controller.rb b/app/controllers/refinery/blog/admin/categories_controller.rb index 0a3b7b9..e9f2f89 100644 --- a/app/controllers/refinery/blog/admin/categories_controller.rb +++ b/app/controllers/refinery/blog/admin/categories_controller.rb @@ -6,6 +6,11 @@ module Refinery crudify :'refinery/blog/category', :order => 'title ASC' + private + + def category_params + params.require(:category).permit(:title) + end end end end diff --git a/app/controllers/refinery/blog/admin/posts_controller.rb b/app/controllers/refinery/blog/admin/posts_controller.rb index 81bdc81..d01bba9 100644 --- a/app/controllers/refinery/blog/admin/posts_controller.rb +++ b/app/controllers/refinery/blog/admin/posts_controller.rb @@ -38,12 +38,12 @@ module Refinery def create # if the position field exists, set this object as last object, given the conditions of this class. if Refinery::Blog::Post.column_names.include?("position") - params[:post].merge!({ + post_params.merge!({ :position => ((Refinery::Blog::Post.maximum(:position, :conditions => "")||-1) + 1) }) end - if (@post = Refinery::Blog::Post.create(params[:post])).valid? + if (@post = Refinery::Blog::Post.create(post_params)).valid? (request.xhr? ? flash.now : flash).notice = t( 'refinery.crudify.created', :what => "'#{@post.title}'" @@ -75,7 +75,16 @@ module Refinery end end + private + + def post_params + params.require(:post).permit(:title, :body, :custom_teaser, :tag_list, + :draft, :published_at, :custom_url, :user_id, :browser_title, + :meta_description, :source_url, :source_url_title, :category_ids => []) + end + protected + def find_post @post = Refinery::Blog::Post.find_by_slug_or_id(params[:id]) end @@ -85,7 +94,7 @@ module Refinery end def check_category_ids - params[:post][:category_ids] ||= [] + post_params[:category_ids] ||= [] end end end 
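Review bot: Nothing in the admin/categories_controller.rb hunk calls `category_params`, so it presumably relies on `crudify` looking the method up by name. That is worth confirming against the Refinery version this targets. A one-line comment above the method would make the coupling visible: `# Called by crudify for create/update; permit only attributes an admin may set.`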
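Review bot: In admin/posts_controller.rb `create` (hunk at -38), `post_params.merge!(...)` mutates a throwaway object, so the computed `:position` never reaches `Post.create(post_params)`. `permit` returns a new parameters object on every call, and as far as the hunks show `post_params` is not memoized. The same applies to `post_params[:category_ids] ||= []` in `check_category_ids` (hunk at -85), where the empty-array default is silently lost. Bind the permitted hash once, `attrs = post_params`, then `attrs.merge!(:position => ...)` and `Post.create(attrs)`, and keep `check_category_ids` writing to `params[:post][:category_ids] ||= []` so the default is present when `post_params` is later built. `create` starts and ends outside the hunk.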
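Review bot: `:user_id` in the `post_params` permit list (admin/posts_controller.rb, hunk at -75) lets the submitting client choose the post's author. If every user who can reach this admin controller may publish under another account, that is fine but deserves a comment saying so, for example `# :user_id is permitted on purpose: admins may reassign authorship.` Otherwise drop `:user_id` from the list and set the author server-side from the signed-in user. The class body continues outside the hunk, so any existing author check is not visible here.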
diff --git a/app/controllers/refinery/blog/blog_controller.rb b/app/controllers/refinery/blog/blog_controller.rb index 6327199..0c50c95 100644 --- a/app/controllers/refinery/blog/blog_controller.rb +++ b/app/controllers/refinery/blog/blog_controller.rb @@ -10,7 +10,7 @@ module Refinery protected def find_page - @page = Refinery::Page.find_by_link_url(Refinery::Blog.page_url) + @page = Refinery::Page.find_by(:link_url => Refinery::Blog.page_url) end end end diff --git a/app/controllers/refinery/blog/categories_controller.rb b/app/controllers/refinery/blog/categories_controller.rb index 23a835a..b5ab574 100644 --- a/app/controllers/refinery/blog/categories_controller.rb +++ b/app/controllers/refinery/blog/categories_controller.rb @@ -3,7 +3,7 @@ module Refinery class CategoriesController < BlogController def show - @category = Refinery::Blog::Category.find(params[:id]) + @category = Refinery::Blog::Category.friendly.find(params[:id]) @posts = @category.posts.live.includes(:comments, :categories).with_globalize.page(params[:page]) end diff --git a/app/controllers/refinery/blog/posts_controller.rb b/app/controllers/refinery/blog/posts_controller.rb index 05cd2d6..1cc9698 100644 --- a/app/controllers/refinery/blog/posts_controller.rb +++ b/app/controllers/refinery/blog/posts_controller.rb @@ -10,9 +10,12 @@ module Refinery def index if request.format.rss? - @posts = Post.live.includes(:comments, :categories) - # limit rss feed for services (like feedburner) who have max size - @posts = Post.recent(params["max_results"]) if params["max_results"].present? + @posts = if params["max_results"].present? + # limit rss feed for services (like feedburner) who have max size + Post.recent(params["max_results"]) + else + Post.newest_first.live.includes(:comments, :categories) + end end respond_with (@posts) do |format| format.html 
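Review bot: `params["max_results"]` still reaches `Post.recent` as a raw client-supplied string in the RSS branch of `index` (posts_controller.rb, hunk at -10), with no integer coercion and no upper bound, so the value meant to limit the feed can equally request an arbitrarily large one on what looks like a public endpoint. Coerce and cap it before the call, e.g. `max = [params["max_results"].to_i, 100].min` (100 is an illustrative cap) and use `Post.recent(max)` only when `max > 0`. The `else` branch now chains `newest_first.live`; whether `Post.recent` applies the same `live` scope is not visible here and is worth confirming so drafts cannot reach the feed. `index` continues outside the hunk.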
@@ -34,7 +37,8 @@ module Refinery end def comment - if (@comment = @post.comments.create(params[:comment])).valid? + @comment = @post.comments.create(comment_params) + if @comment.valid? if Comment::Moderation.enabled? or @comment.ham? begin CommentMailer.notification(@comment, request).deliver @@ -77,6 +81,12 @@ module Refinery @posts = Post.live.tagged_with(@tag_name).page(params[:page]) end + private + + def comment_params + params.require(:comment).permit(:name, :email, :message) + end + protected def canonical? Refinery::I18n.default_frontend_locale != Refinery::I18n.current_frontend_locale |
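Review bot: `comment_params` (posts_controller.rb, hunk at -77) is the filter between what appears to be a public comment form and the Comment model, yet nothing documents what is deliberately left out of the permit list. The `comment` action in the same file consults `Comment::Moderation` and `@comment.ham?`, so the model evidently carries moderation or spam state. I'd add `# Visitor-supplied fields only; never permit moderation or spam state here.` above the method, so a later edit does not widen the list by accident.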