app/controllers/comments_controller.rb in tkh_content-0.9.1 vs app/controllers/comments_controller.rb in tkh_content-0.9.2
@@ -1,25 +1,25 @@
class CommentsController < ApplicationController
-
+
before_filter :authenticate, :except => ['for_feed']
before_filter :authenticate_with_admin, :except => ['create', 'for_feed']
-
+
def index
@comments = Comment.by_recent.paginate(:page => params[:page], :per_page => 50)
switch_to_admin_layout
end
-
+
# comments are shown within a page
# new comments are created by users from within a page
def edit
- @comment = Comment.find params[:id]
+ @comment = Comment.find(params[:id])
switch_to_admin_layout
end
def create
- @comment = Comment.new params[:comment]
+ @comment = Comment.new(comment_params)
@comment.author_id = current_user.id
@comment.locale = I18n.locale.to_s
@comment.status = 'pending' # translation not done with globalize3 but with locale files upon showing status to user
if @comment.save
redirect_to @comment.page, notice: t('comments.create.notice')
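Review bot: `Comment.new(comment_params)` in `create` takes `page_id` straight from the request, because the allowlist defined at the end of this diff permits `:page_id` and `create` is exempt from `authenticate_with_admin`. Any signed-in user therefore chooses which page the comment is attached to, and nothing in the visible code confirms that the page exists. If the record saves without a page, `redirect_to @comment.page` receives nil. The Comment model is not shown and may already cover this; if it does not, `validates :page, presence: true` on the model would close the gap. The body of `create` continues outside this hunk.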
@@ -28,11 +28,11 @@
end
end
def update
@comment = Comment.find(params[:id])
- if @comment.update_attributes(params[:comment])
+ if @comment.update_attributes(comment_params)
redirect_to comments_path, notice: t('comments.update.notice')
else
render action: "edit", warning: t('comments.update.warning'), layout: 'admin'
end
end
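Review bot: The `warning:` option passed to `render action: "edit", ...` in the failure branch of `update` never reaches the admin, because `render` does not turn flash-style keys into flash messages; that shorthand belongs to `redirect_to`. Setting the flash for the current request makes the message appear: `flash.now[:warning] = t('comments.update.warning')` followed by `render action: "edit", layout: 'admin'`. The commit only swaps the parameter source on the line above and leaves this branch as it was.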
@@ -40,50 +40,58 @@
def destroy
@comment = Comment.find(params[:id])
@comment.destroy
redirect_to comments_url, notice: t('comments.destroy.notice')
end
-
+
def accept
@comment = Comment.find params[:id]
@comment.status = 'accepted'
if @comment.save
redirect_to :back, notice: t('comments.moderation.accept.notice')
else
redirect_to comments_path, warning: t('comments.moderation.accept.warning')
end
end
-
+
def block
@comment = Comment.find params[:id]
@comment.status = 'blocked'
if @comment.save
redirect_to :back, notice: t('comments.moderation.block.notice')
else
redirect_to comments_path, warning: t('comments.moderation.block.warning')
end
end
-
+
def pending
@comments = Comment.pending.by_created.paginate(:page => params[:page], :per_page => 50)
switch_to_admin_layout
end
-
+
def accepted
@comments = Comment.accepted.by_recent.paginate(:page => params[:page], :per_page => 50)
switch_to_admin_layout
end
def blocked
@comments = Comment.blocked.by_recent.paginate(:page => params[:page], :per_page => 50)
switch_to_admin_layout
end
-
+
def for_feed
@comments = Comment.showable.for_locale(I18n.locale).by_recently_created.limit(50)
respond_to do |format|
format.html { redirect_to root_path }
format.atom
end
end
-
+
+ private
+
+ # Never trust parameters from the scary internet, only allow the white list through.
+ def comment_params
+ params.require(:comment).permit(:body, :page_id)
+ # non-accessible attributes: author_id, :status, :locale
+ end
+
end
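Review bot: The comment inside `comment_params` that lists the excluded attributes sits after the return expression and mixes `author_id` with `:status` and `:locale`, which makes the allowlist harder to audit at a glance. I would move it above the `permit` call and state the reason, for example `# author_id, status and locale are deliberately not permitted: create assigns them server-side and status changes only through accept/block`. Because `update` uses the same list, it is also worth saying there whether an admin edit is meant to change `page_id` as well as `body`.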