We are now explicitly whitelisting all parameters for Post creation. A nice side-effect is that it cleans up the #create action in PostsController. We can now trust that all parameters entering PostCreator are of a safe scalar type.
When 'must approve users' in enabled, we don't want to send an
activation email to users after they sign up. Instead, we will show them
'waiting approval' and not take an action until their account is
approved by an admin.
All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.
The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.
It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
When 'invite only' is enabled, there's no way for a user to create an
account unless they try and sneak in by POSTing to /users/. We will
silently fail if this happens.
The topic_id param is now required using strong_parameters' #require method. If the parameter is missing ActionController::ParameterMissing will be raised instead of Discourse::InvalidParameters.
PostActionsController now uses strong_parameters' #require to require certain parameters. ActionController::ParameterMissing is now thrown when a reqired parameter is missing, rather than Discourse::InvalidParameters.
The email parameter is now required using strong parameters and will throw ActionController::ParameterMissing if it is missing. If the email address is incorrect or invalid, Discourse::InvalidParameters will still be thrown.
Category now requires parameters to be permitted by strong_parameters using #require or #permit for mass-assignment. Missing required parameters now throw a ActionController::ParameterMissing execption instead of the Discourse::InvalidParameters execption.
We want to skip the filter for sessions controller so that we can login
and we want to skip the filter for static pages because those should be
visible to visitors.