From f50b6488444a38a4fdf017caa0d546a6895e59f0 Mon Sep 17 00:00:00 2001
From: Ian Christian Myers <ian@iancmyers.com>
Date: Wed, 5 Jun 2013 00:23:51 -0700
Subject: [PATCH] Implemented strong_parameters for
 PostAction/PostActionsController.

PostActionsController now uses strong_parameters' #require to require certain parameters. ActionController::ParameterMissing is now raised when a required parameter is missing, rather than Discourse::InvalidParameters.
---
 app/controllers/post_actions_controller.rb       |  4 ++--
 app/models/post_action.rb                        |  1 +
 spec/controllers/post_actions_controller_spec.rb | 12 ++++++------
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/app/controllers/post_actions_controller.rb b/app/controllers/post_actions_controller.rb
index bc7819344..5174a1800 100644
--- a/app/controllers/post_actions_controller.rb
+++ b/app/controllers/post_actions_controller.rb
@@ -70,7 +70,7 @@ class PostActionsController < ApplicationController
   private
 
     def fetch_post_from_params
-      requires_parameter(:id)
+      params.require(:id)
       finder = Post.where(id: params[:id])
 
       # Include deleted posts if the user is a moderator (to guardian ?)
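Review bot: `params.require(:id)` only checks that the key is present and non-blank, and its return value is discarded, so `Post.where(id: params[:id])` on the next line still receives whatever shape the client sent, which may be an array or nested hash rather than a scalar. Coercing at the point of use keeps the lookup single-valued, e.g. `finder = Post.where(id: params.require(:id).to_s.to_i)`. The same applies to `fetch_post_action_type_id_from_params` in the next hunk, where `.to_i` on a non-string value would likely raise NoMethodError and a non-numeric string silently becomes 0. The body of `fetch_post_from_params` continues outside this hunk, so later uses of `params[:id]` are not visible here.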
@@ -81,7 +81,7 @@ class PostActionsController < ApplicationController
     end
 
     def fetch_post_action_type_id_from_params
-      requires_parameter(:post_action_type_id)
+      params.require(:post_action_type_id)
       @post_action_type_id = params[:post_action_type_id].to_i
     end
 end
diff --git a/app/models/post_action.rb b/app/models/post_action.rb
index 46991c3c5..4ac3a9ec6 100644
--- a/app/models/post_action.rb
+++ b/app/models/post_action.rb
@@ -5,6 +5,7 @@ require_dependency 'trashable'
 class PostAction < ActiveRecord::Base
   class AlreadyActed < StandardError; end
 
+  include ActiveModel::ForbiddenAttributesProtection
   include RateLimiter::OnCreateRecord
   include Trashable
 
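Review bot: The `ForbiddenAttributesProtection` include added here is not exercised by anything in this commit: the controller hunks call `require` but never `permit`, and no spec passes request parameters into `PostAction`. If no call site mass-assigns from `params`, a short comment such as `# Reject mass-assignment from unpermitted request parameters` above the include would record why it is there. If a call site does, it will start raising and needs a matching `permit` list. A model spec covering mass-assignment from unpermitted parameters would pin the behaviour either way. The rest of the class body is outside this hunk.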
diff --git a/spec/controllers/post_actions_controller_spec.rb b/spec/controllers/post_actions_controller_spec.rb
index 3c0fed3d2..9c7b8e8df 100644
--- a/spec/controllers/post_actions_controller_spec.rb
+++ b/spec/controllers/post_actions_controller_spec.rb
@@ -14,11 +14,11 @@ describe PostActionsController do
       end
 
       it 'raises an error when the id is missing' do
-        lambda { xhr :post, :create, post_action_type_id: PostActionType.types[:like] }.should raise_error(Discourse::InvalidParameters)
+        lambda { xhr :post, :create, post_action_type_id: PostActionType.types[:like] }.should raise_error(ActionController::ParameterMissing)
       end
 
       it 'raises an error when the post_action_type_id index is missing' do
-        lambda { xhr :post, :create, id: @post.id }.should raise_error(Discourse::InvalidParameters)
+        lambda { xhr :post, :create, id: @post.id }.should raise_error(ActionController::ParameterMissing)
       end
 
       it "fails when the user doesn't have permission to see the post" do
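Review bot: These expectations only show the exception propagating out of the controller, so they do not pin what HTTP response a client receives when `id` or `post_action_type_id` is missing. If `Discourse::InvalidParameters` was mapped to a client-error response elsewhere (not visible in this diff), `ActionController::ParameterMissing` needs an equivalent mapping, for example a `rescue_from ActionController::ParameterMissing` handler, so a missing parameter does not surface as a server error. The same expectation change is repeated in the `destroy`, `clear_flags` and `users` hunks below.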
@@ -70,7 +70,7 @@ describe PostActionsController do
       let!(:user) { log_in }
 
       it 'raises an error when the post_action_type_id is missing' do
-        lambda { xhr :delete, :destroy, id: post.id }.should raise_error(Discourse::InvalidParameters)
+        lambda { xhr :delete, :destroy, id: post.id }.should raise_error(ActionController::ParameterMissing)
       end
 
       it "returns 404 when the post action type doesn't exist for that user" do
@@ -116,7 +116,7 @@ describe PostActionsController do
       let!(:user) { log_in(:moderator) }
 
       it "raises an error without a post_action_type_id" do
-        -> { xhr :post, :clear_flags, id: flagged_post.id }.should raise_error(Discourse::InvalidParameters)
+        -> { xhr :post, :clear_flags, id: flagged_post.id }.should raise_error(ActionController::ParameterMissing)
       end
 
       it "raises an error when the user doesn't have access" do
@@ -160,13 +160,13 @@ describe PostActionsController do
     it 'raises an error without an id' do
       lambda {
         xhr :get, :users, post_action_type_id: PostActionType.types[:like]
-      }.should raise_error(Discourse::InvalidParameters)
+      }.should raise_error(ActionController::ParameterMissing)
     end
 
     it 'raises an error without a post action type' do
       lambda {
         xhr :get, :users, id: post.id
-      }.should raise_error(Discourse::InvalidParameters)
+      }.should raise_error(ActionController::ParameterMissing)
     end
 
     it "fails when the user doesn't have permission to see the post" do