rails5: drop unsecure and unsupported protected_attributes

Braulio Bhavamitra
1 parent b3ca57de
Showing 173 changed files with 99 additions and 530 deletions Show diff stats
Gemfile
app/controllers/my_profile/cms_controller.rb
app/controllers/my_profile/manage_products_controller.rb
app/controllers/my_profile/profile_roles_controller.rb
app/mailers/mailing.rb
app/models/abuse_report.rb
app/models/action_tracker_notification.rb
app/models/approve_comment.rb
app/models/article.rb
app/models/article_block.rb
app/models/block.rb
app/models/blog.rb
app/models/box.rb
app/models/categories_block.rb
app/models/category.rb
app/models/certifier.rb
app/models/chat_message.rb
app/models/city.rb
app/models/comment.rb
app/models/communities_block.rb
@@ -49,7 +49,6 @@ gem &#39;sass-rails&#39;
 gem 'sprockets-rails', '~> 2.1'
  
 # gems to enable rails3 behaviour
-gem 'protected_attributes'
 gem 'rails-observers', github: 'rails/rails-observers'
 gem 'actionpack-page_caching'
 gem 'actionpack-action_caching'
@@ -207,14 +207,11 @@ class CmsController &lt; MyProfileController
       params[:uploaded_files].each do |file|
         unless file == ''
           @uploaded_files << UploadedFile.create(
-            {
-              :uploaded_data => file,
-              :profile => profile,
-              :parent => @parent,
-              :last_changed_by => user,
-              :author => user,
-            },
-            :without_protection => true
+            uploaded_data:   file,
+            profile:         profile,
+            parent:          @parent,
+            last_changed_by: user,
+            author:          user,
           )
         end
       end
@@ -86,7 +86,7 @@ class ManageProductsController &lt; ApplicationController
     @edit = true
     @level = @category.level
     if request.post?
-      if @product.update({:product_category_id => params[:selected_category_id]}, :without_protection => true)
+      if @product.update product_category_id: params[:selected_category_id]
         render :partial => 'shared/redirect_via_javascript',
           :locals => { :url => url_for(:controller => 'manage_products', :action => 'show', :id => @product) }
       else
@@ -12,7 +12,7 @@ class ProfileRolesController &lt; MyProfileController
   end
  
   def create
-    @role = Role.new({:name => params[:role][:name], :permissions => params[:role][:permissions], :environment => environment }, :without_protection => true)
+    @role = Role.new name: params[:role][:name], permissions: params[:role][:permissions], environment: environment
     if @role.save
       profile.custom_roles << @role
       redirect_to :action => 'show', :id => @role
@@ -4,8 +4,6 @@ class Mailing &lt; ActiveRecord::Base
  
   acts_as_having_settings :field => :data
  
-  attr_accessible :subject, :body, :data
-
   validates_presence_of :source_id, :subject, :body
   belongs_to :source, :foreign_key => :source_id, :polymorphic => true
   belongs_to :person
 class AbuseReport < ActiveRecord::Base
  
-  attr_accessible :content, :reason
-
   belongs_to :reporter, :class_name => 'Person'
   belongs_to :abuse_complaint
   has_many :reported_images, :dependent => :destroy
@@ -8,8 +8,6 @@ class ActionTrackerNotification &lt; ActiveRecord::Base
   validates_presence_of :profile_id, :action_tracker_id
   validates_uniqueness_of :action_tracker_id, :scope => :profile_id
  
-  attr_accessible :profile_id, :action_tracker_id
-
 end
  
 ActionTracker::Record.has_many :action_tracker_notifications, :class_name => 'ActionTrackerNotification', :foreign_key => 'action_tracker_id', :dependent => :destroy
@@ -8,7 +8,7 @@ class ApproveComment &lt; Task
   def comment
     unless @comment || self.comment_attributes.nil?
       @comment = Comment.new
-      @comment.assign_attributes(ActiveSupport::JSON.decode(self.comment_attributes.to_s), :without_protection => true)
+      @comment.assign_attributes ActiveSupport::JSON.decode(self.comment_attributes.to_s)
     end
     @comment
   end
  
 class Article < ActiveRecord::Base
  
-  attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent,
-                  :allow_members_to_edit, :translation_of_id, :language,
-                  :license_id, :parent_id, :display_posts_in_current_language,
-                  :category_ids, :posts_per_page, :moderate_comments,
-                  :accept_comments, :feed, :published, :source, :source_name,
-                  :highlighted, :notify_comments, :display_hits, :slug,
-                  :external_feed_builder, :display_versions, :external_link,
-                  :image_builder, :show_to_followers,
-                  :author, :display_preview, :published_at, :person_followers
-
   acts_as_having_image
   include Noosfero::Plugin::HotSpot
  
 class ArticleBlock < Block
  
-  attr_accessible :article_id
-
   def self.description
     _('Display one of your contents.')
   end
 class Block < ActiveRecord::Base
  
-  attr_accessible :title, :subtitle, :display, :limit, :box_id, :posts_per_page,
-                  :visualization_format, :language, :display_user,
-                  :box, :edit_modes, :move_modes, :mirror
-
   include ActionView::Helpers::TagHelper
  
   # Block-specific stuff
 class Blog < Folder
  
-  attr_accessible :visualization_format
-
   acts_as_having_posts
   include PostsLimit
  
@@ -55,7 +53,7 @@ class Blog &lt; Folder
       if self.external_feed(true) && self.external_feed.id == self.external_feed_data[:id].to_i
         self.external_feed.attributes = self.external_feed_data.except(:id)
       else
-        self.build_external_feed(self.external_feed_data, :without_protection => true)
+        self.build_external_feed self.external_feed_data
       end
       self.external_feed.valid?
       self.external_feed.errors.delete(:blog_id) # dont validate here relation: external_feed <-> blog
@@ -5,8 +5,6 @@ class Box &lt; ActiveRecord::Base
   belongs_to :owner, :polymorphic => true
   has_many :blocks, -> { order 'position' }, dependent: :destroy
  
-  attr_accessible :owner
-
   include Noosfero::Plugin::HotSpot
  
   scope :with_position, -> { where 'boxes.position > 0' }
@@ -8,8 +8,6 @@ class CategoriesBlock &lt; Block
  
   settings_items :category_types, :type => Array, :default => []
  
-  attr_accessible :category_types
-
   def self.description
     _("Categories Menu")
   end
 class Category < ActiveRecord::Base
  
-  attr_accessible :name, :parent_id, :display_color, :display_in_menu, :image_builder, :environment, :parent
-
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 10},
     :acronym => {:label => _('Acronym'), :weight => 5},
 class Certifier < ActiveRecord::Base
  
-  attr_accessible :name, :environment
-
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 10},
     :description => {:label => _('Description'), :weight => 3},
 class ChatMessage < ActiveRecord::Base
-  attr_accessible :body, :from, :to
  
   belongs_to :to, :class_name => 'Profile'
   belongs_to :from, :class_name => 'Profile'
  
   validates_presence_of :from, :to
+
 end
 class City < Region
-  attr_accessible :name, :parent_id
+
 end
@@ -6,8 +6,6 @@ class Comment &lt; ActiveRecord::Base
     :body => {:label => _('Content'), :weight => 2},
   }
  
-  attr_accessible :body, :author, :name, :email, :title, :reply_of_id, :source, :follow_article
-
   validates_presence_of :body
  
   belongs_to :source, :counter_cache => true, :polymorphic => true
 class CommunitiesBlock < ProfileListBlock
  
-  attr_accessible :accessor_id, :accessor_type, :role_id, :resource_id, :resource_type
-
   def self.description
     _("<p>Display all of your communities.</p><p>You could choose the amount of communities will be displayed and you could priorize that profiles with images.</p> <p>The view all button is always present in the block.</p>")
   end
 class Community < Organization
  
-  attr_accessible :accessor_id, :accessor_type, :role_id, :resource_id, :resource_type
-  attr_accessible :address_reference, :district, :tag_list, :language, :description
   after_destroy :check_invite_member_for_destroy
  
   def self.type_name
@@ -9,15 +9,11 @@ class CreateCommunity &lt; Task
   alias :environment :target
   alias :environment= :target=
  
-  attr_accessible :environment, :requestor, :target
-  attr_accessible :reject_explanation, :template_id
-
   acts_as_having_image
  
   DATA_FIELDS = Community.fields + ['name', 'closed', 'description']
   DATA_FIELDS.each do |field|
     settings_items field.to_sym
-    attr_accessible field.to_sym
   end
  
   settings_items :custom_values
 class CustomField < ActiveRecord::Base
-  attr_accessible :name, :default_value, :format, :extras, :customized_type, :active, :required, :signup, :environment, :moderation_task
+
   serialize :customized_type
   serialize :extras
   has_many :custom_field_values, :dependent => :delete_all
 class CustomFieldValue < ActiveRecord::Base
+
   belongs_to :custom_field
   belongs_to :customized, :polymorphic => true
-  attr_accessible :value, :public, :customized, :custom_field, :customized_type
+
   validate :can_save?
  
   def can_save?
@@ -2,8 +2,6 @@ require &#39;noosfero/multi_tenancy&#39;
  
 class Domain < ActiveRecord::Base
  
-  attr_accessible :name, :owner, :is_default
-
   # relationships
   ###############
  
@@ -2,8 +2,6 @@
 # only enterprises can offer products and services.
 class Enterprise < Organization
  
-  attr_accessible :business_name, :address_reference, :district, :tag_list, :organization_website, :historic_and_current_context, :activities_short_description, :products_per_catalog_page
-
   SEARCH_FILTERS = {
     :order => %w[more_recent more_popular more_active],
     :display => %w[compact full map]
@@ -3,18 +3,6 @@
 # domains.
 class Environment < ActiveRecord::Base
  
-  attr_accessible :name, :is_default, :signup_welcome_text_subject,
-                  :signup_welcome_text_body, :terms_of_use,
-                  :message_for_disabled_enterprise, :news_amount_by_folder,
-                  :default_language, :languages, :description,
-                  :organization_approval_method, :enabled_plugins,
-                  :enabled_features, :redirection_after_login,
-                  :redirection_after_signup, :contact_email, :theme,
-                  :reports_lower_bound, :noreply_email,
-                  :signup_welcome_screen_body, :members_whitelist_enabled,
-                  :members_whitelist, :highlighted_news_amount,
-                  :portal_news_amount, :date_format, :signup_intro
-
   has_many :users
  
   # allow roles use
@@ -3,8 +3,6 @@ require &#39;builder&#39;
  
 class Event < Article
  
-  attr_accessible :start_date, :end_date, :link, :address
-
   def self.type_name
     _('Event')
   end
@@ -10,8 +10,6 @@ class ExternalFeed &lt; ActiveRecord::Base
     where '(fetched_at is NULL) OR (fetched_at < ?)', Time.now - FeedUpdater.update_interval
   }
  
-  attr_accessible :address, :enabled, :only_once
-
   def add_item(title, link, date, content)
     return if content.blank?
     doc = Nokogiri::HTML.fragment content
 class FavoriteEnterprisePerson < ActiveRecord::Base
  
-  attr_accessible :person, :enterprise
-
   track_actions :favorite_enterprise, :after_create, keep_params: [:enterprise_name, :enterprise_url], if: proc{ |f| f.is_trackable? }
  
   belongs_to :enterprise
 class FeaturedProductsBlock < Block
  
-  attr_accessible :product_ids, :groups_of, :speed, :reflect
-
   settings_items :product_ids, :type => Array, :default => []
   settings_items :groups_of, :type => :integer, :default => 3
   settings_items :speed, :type => :integer, :default => 1000
 class FeedReaderBlock < Block
  
-  attr_accessible :address, :update_errors
-
   def initialize(attributes = nil, options = {})
     data = attributes || {}
     super(data)
@@ -3,8 +3,6 @@ class Forum &lt; Folder
   acts_as_having_posts -> { reorder 'updated_at DESC' }
   include PostsLimit
  
-  attr_accessible :has_terms_of_use, :terms_of_use, :topic_creation
-
   settings_items :terms_of_use, :type => :string, :default => ""
   settings_items :has_terms_of_use, :type => :boolean, :default => false
   settings_items :topic_creation, :type => :string, :default => 'self'
 class HighlightsBlock < Block
  
-  attr_accessible :images, :interval, :shuffle, :navigation
-
   settings_items :images, :type => Array, :default => []
   settings_items :interval, :type => 'integer', :default => 4
   settings_items :shuffle, :type => 'boolean', :default => false
 class Image < ActiveRecord::Base
  
-  attr_accessible :uploaded_data, :label, :remove_image
   attr_accessor :remove_image
  
   def self.max_size
 class Input < ActiveRecord::Base
  
-  attr_accessible :product, :product_id, :product_category, :product_category_id,
-    :amount_used, :unit_id, :price_per_unit, :relevant_to_price, :is_from_solidarity_economy
-
   belongs_to :product
   belongs_to :product_category
  
 class License < ActiveRecord::Base
  
-  attr_accessible :name, :url
-
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 10},
     :url => {:label => _('URL'), :weight => 5},
@@ -14,8 +12,6 @@ class License &lt; ActiveRecord::Base
   validates_presence_of :slug, :if => lambda {|license| license.name.present?}
   validates_uniqueness_of :slug, :scope => :environment_id
  
-  attr_accessible :environment, :slug
-
   before_validation do |license|
     license.slug ||= license.name.to_slug if license.name.present?
   end
 class LinkArticle < Article
  
-  attr_accessible :reference_article
-
   def self.short_description
     "Article link"
   end
 class LinkListBlock < Block
  
-  attr_accessible :links
-
   ICONS = [
     ['no-icon', _('(No icon)')],
     ['edit', N_('Edit')],
 class LocationBlock < Block
  
-  attr_accessible :zoom, :map_type
-
   settings_items :zoom, :type => :integer, :default => 4
   settings_items :map_type, :type => :string, :default => 'roadmap'
  
 class MailingSent < ActiveRecord::Base
-  attr_accessible :person
+
   belongs_to :mailing
   belongs_to :person
+
 end
 class MyNetworkBlock < Block
  
-  attr_accessible :display, :box
-
   def self.description
     _('My network')
   end
 # Represents any organization of the system
 class Organization < Profile
  
-  attr_accessible :moderated_articles, :foundation_year, :contact_person, :acronym, :legal_form, :economic_activity, :management_information, :cnpj, :display_name, :enable_contact_us
-
   SEARCH_FILTERS = {
     :order => %w[more_recent more_popular more_active],
     :display => %w[compact]
 # A person is the profile of an user holding all relationships with the rest of the system
 class Person < Profile
  
-  attr_accessible :organization, :contact_information, :sex, :birth_date, :cell_phone, :comercial_phone, :jabber_id, :personal_website, :nationality, :address_reference, :district, :schooling, :schooling_status, :formation, :custom_formation, :area_of_study, :custom_area_of_study, :professional_activity, :organization_website, :following_articles
-
   SEARCH_FILTERS = {
     :order => %w[more_recent more_popular more_active],
     :display => %w[compact]
   }
  
-
   def self.type_name
     _('Person')
   end
 class PriceDetail < ActiveRecord::Base
  
-  attr_accessible :price, :production_cost_id
-
   belongs_to :product
   validates_presence_of :product_id
  
@@ -10,9 +10,6 @@ class Product &lt; ActiveRecord::Base
     :display => %w[full map]
   }
  
-  attr_accessible :name, :product_category, :profile, :profile_id, :enterprise,
-    :highlighted, :price, :image_builder, :description, :available, :qualifiers, :unit_id, :discount, :inputs, :qualifiers_list
-
   def self.default_search_display
     'full'
   end
@@ -3,8 +3,6 @@ class ProductCategory &lt; Category
   has_many :products
   has_many :inputs
  
-  attr_accessible :name, :parent, :environment
-
   scope :unique, -> { select 'DISTINCT ON (path) categories.*' }
   scope :by_enterprise, -> enterprise {
     distinct.joins(:products).
 class ProductQualifier < ActiveRecord::Base
  
-  attr_accessible :qualifier, :product, :certifier
-
   belongs_to :qualifier
   belongs_to :product
   belongs_to :certifier
+
 end
 class ProductionCost < ActiveRecord::Base
  
-  attr_accessible :name, :owner
-
   belongs_to :owner, :polymorphic => true
+
   validates_presence_of :owner
   validates_presence_of :name
   validates_length_of :name, :maximum => 30, :allow_blank => true
 class ProductsBlock < Block
  
-  attr_accessible :product_ids
-
   include ActionView::Helpers::TagHelper
   include ActionView::Helpers::UrlHelper
   include ActionView::Helpers
@@ -3,10 +3,6 @@
 # which by default is the one returned by Environment:default.
 class Profile < ActiveRecord::Base
  
-  attr_accessible :name, :identifier, :public_profile, :nickname, :custom_footer, :custom_header, :address, :zip_code, :contact_phone, :image_builder, :description, :closed, :template_id, :environment, :lat, :lng, :is_template, :fields_privacy, :preferred_domain_id, :category_ids, :country, :city, :state, :national_region_code, :email, :contact_email, :redirect_l10n, :notification_time,
-    :redirection_after_login, :custom_url_redirection,
-    :email_suggestions, :allow_members_to_invite, :invite_friends_only, :secret, :profile_admin_mail_notification
-
   # use for internationalizable human type names in search facets
   # reimplement on subclasses
   def self.type_name
@@ -2,9 +2,6 @@ class ProfileActivity &lt; ActiveRecord::Base
  
   self.record_timestamps = false
  
-  attr_accessible :profile_id,
-    :profile, :activity
-
   belongs_to :profile
   belongs_to :activity, polymorphic: true
  
 class ProfileImageBlock < Block
  
-  attr_accessible :show_name
-
   settings_items :show_name, :type => :boolean, :default => false
  
   def self.description
 class ProfileListBlock < Block
  
-  attr_accessible :prioritize_profiles_with_image
-
   settings_items :limit, :type => :integer, :default => 6
   settings_items :prioritize_profiles_with_image, :type => :boolean, :default => true
  
 class ProfileSuggestion < ActiveRecord::Base
+
   belongs_to :person
   belongs_to :suggestion, :class_name => 'Profile', :foreign_key => :suggestion_id
  
-  attr_accessible :person, :suggestion, :suggestion_type, :categories, :enabled
-
   has_many :suggestion_connections, :foreign_key => 'suggestion_id'
   has_many :profile_connections, :through => :suggestion_connections, :source => :connection, :source_type => 'Profile'
   has_many :tag_connections, :through => :suggestion_connections, :source => :connection, :source_type => 'ActsAsTaggableOn::Tag'
@@ -67,7 +66,6 @@ class ProfileSuggestion &lt; ActiveRecord::Base
  
   RULES.keys.each do |rule|
     settings_items rule
-    attr_accessible rule
   end
  
   # Number of suggestions by rule
 class Qualifier < ActiveRecord::Base
  
-  attr_accessible :name, :environment
-
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 1},
   }
@@ -10,8 +10,6 @@ class RawHTMLBlock &lt; Block
  
   settings_items :html, :type => :text
  
-  attr_accessible :html
-
   def has_macro?
     true
   end
 # Region is a special type of category that is related to geographical issues.
 class Region < Category
  
-  attr_accessible :name
-
   has_and_belongs_to_many :validators, :class_name => 'Organization', :join_table => :region_validators
  
   require_dependency 'enterprise' # enterprises can also be validators
 class RssFeed < Article
  
-  attr_accessible :limit, :enabled, :language, :include, :feed_item_description
-
   def self.type_name
     _('RssFeed')
   end
 class Scrap < ActiveRecord::Base
  
-  attr_accessible :content, :sender_id, :receiver_id, :scrap_id
-
   SEARCHABLE_FIELDS = {
     :content => {:label => _('Content'), :weight => 1},
   }
@@ -5,8 +5,6 @@ class SearchTerm &lt; ActiveRecord::Base
   belongs_to :context, :polymorphic => true
   has_many :occurrences, :class_name => 'SearchTermOccurrence'
  
-  attr_accessible :term, :context, :asset
-
   def self.calculate_scores
     os = occurrences_scores
     find_each { |search_term| search_term.calculate_score(os) }
@@ -2,7 +2,6 @@ class SearchTermOccurrence &lt; ActiveRecord::Base
  
   belongs_to :search_term
   validates_presence_of :search_term
-  attr_accessible :search_term, :created_at, :total, :indexed
  
   EXPIRATION_TIME = 1.year
  
 class SellersSearchBlock < Block
  
-  attr_accessible :title
-
   def self.description
     _('Search for enterprises and products')
   end
@@ -6,8 +6,6 @@ class SlideshowBlock &lt; Block
   settings_items :navigation, :type => 'boolean', :default => false
   settings_items :image_size, :type => 'string', :default => 'thumb'
  
-  attr_accessible :gallery_id, :image_size, :interval, :shuffle, :navigation
-
   def self.description
     _('Slideshow')
   end
 class State < Region
-  attr_accessible :name, :acronym, :environment
+
 end
 class SuggestionConnection < ActiveRecord::Base
-  attr_accessible :suggestion, :suggestion_id, :connection_type, :connection_id
  
   belongs_to :suggestion, :class_name => 'ProfileSuggestion', :foreign_key => 'suggestion_id'
   belongs_to :connection, :polymorphic => true
+
 end
 Tag = ActsAsTaggableOn::Tag
 class Tag
  
-  attr_accessible :name, :parent_id, :pending
-
   has_many :children, class_name: 'Tag', foreign_key: 'parent_id', dependent: :destroy
  
   @@original_find = self.method(:find)
@@ -41,8 +41,6 @@ class Task &lt; ActiveRecord::Base
   validates_uniqueness_of :code, :on => :create
   validates_presence_of :code
  
-  attr_protected :status
-
   settings_items :email_template_id, :type => :integer
  
   def initialize(*args)
 class Thumbnail < ActiveRecord::Base
  
-  attr_accessible :uploaded_data
-  # mass assigned by attachment_fu
-  attr_accessible :content_type, :filename, :thumbnail_resize_options, :thumbnail, :parent_id
-
   has_attachment :storage => :file_system,
     :content_type => :image, :max_size => UploadedFile.max_size, processor: 'Rmagick'
   validates_as_attachment
@@ -2,8 +2,6 @@ class Unit &lt; ActiveRecord::Base
  
   acts_as_list scope: -> unit { where environment_id: unit.environment_id }
  
-  attr_accessible :name, :singular, :plural, :environment
-
   validates_presence_of :singular
   validates_presence_of :plural
  
@@ -7,8 +7,6 @@ require &#39;sdbm&#39;
  
 class UploadedFile < Article
  
-  attr_accessible :uploaded_data, :title
-
   def self.type_name
     _('File')
   end
@@ -6,8 +6,6 @@ require &#39;securerandom&#39;
 # Rails generator.
 class User < ActiveRecord::Base
  
-  attr_accessible :login, :email, :password, :password_confirmation, :activated_at
-
   N_('Password')
   N_('Password confirmation')
   N_('Terms accepted')
@@ -110,8 +108,6 @@ class User &lt; ActiveRecord::Base
   # holds the current session, see lib/authenticated_system.rb
   attr_accessor :session
  
-  attr_protected :activated_at
-
   # Virtual attribute for the unencrypted password
   attr_accessor :password, :name
  
 class ValidationInfo < ActiveRecord::Base
  
-  attr_accessible :validation_methodology, :restrictions, :organization
-
   belongs_to :organization
  
   validates_presence_of :organization
@@ -72,12 +72,6 @@ module Noosfero
     # like if you have constraints or database-specific column types
     # config.active_record.schema_format = :sql
  
-    # Enforce whitelist mode for mass assignment.
-    # This will create an empty whitelist of attributes available for mass-assignment for all models
-    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
-    # parameters by using an attr_accessible or attr_protected declaration.
-    config.active_record.whitelist_attributes = true
-
     # Asset pipeline
     config.assets.paths =
       Dir.glob("app/assets/plugins/*/{,stylesheets,javascripts}") +
@@ -20,9 +20,6 @@ Noosfero::Application.configure do
   # Only use best-standards-support built into browsers
   config.action_dispatch.best_standards_support = :builtin
  
-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
   # Do not compress assets
   config.assets.compress = false
   config.assets.digest = false
@@ -25,9 +25,6 @@ Noosfero::Application.configure do
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
  
-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
   # Print deprecation notices to the stderr
   config.active_support.deprecation = :stderr
 end
@@ -1,6 +0,0 @@
-class Delayed::Backend::ActiveRecord::Job
-  # rake db:schema:load run?
-  if self.table_exists?
-    attr_accessible *self.column_names, :payload_object
-  end
-end
@@ -31,7 +31,7 @@ Given /^the following (community|communities|enterprises?|organizations?)$/ do |
     category = row.delete("category")
     img_name = row.delete("img")
     city = row.delete("region")
-    organization = klass.create!(row, :without_protection => true)
+    organization = klass.create! row
     if owner
       organization.add_admin(Profile[owner])
     end
@@ -204,7 +204,7 @@ Given /^the following products?$/ do |table|
       qualifier = Qualifier.find_by name: data.delete("qualifier")
       data.merge!(:qualifiers => [qualifier])
     end
-    product = Product.create!(data, :without_protection => true)
+    product = Product.create! data
   end
 end
  
@@ -215,8 +215,8 @@ Given /^the following inputs?$/ do |table|
     category = Category.find_by slug: data.delete("category").to_slug
     unit = Unit.find_by singular: data.delete("unit")
     solidary = data.delete("solidary")
-    input = Input.create!(data.merge(:product => product, :product_category => category, :unit => unit,
-                                     :is_from_solidarity_economy => solidary), :without_protection => true)
+    input = Input.create! data.merge(product: product, product_category: category, unit: unit,
+                                     is_from_solidarity_economy: solidary)
     input.update_attribute(:position,  data['position'])
   end
 end
@@ -254,7 +254,7 @@ end
  
 Given /^the following qualifiers$/ do |table|
   table.hashes.each do |row|
-    Qualifier.create!(row.merge(:environment_id => 1), :without_protection => true)
+    Qualifier.create! row.merge(environment_id: 1)
   end
 end
  
@@ -265,7 +265,7 @@ Given /^the following certifiers$/ do |table|
     if qualifiers_list
       row["qualifiers"] = qualifiers_list.split(', ').map{|i| Qualifier.find_by name: i }
     end
-    Certifier.create!(row.merge(:environment_id => 1), :without_protection => true)
+    Certifier.create! row.merge(environment_id: 1)
   end
 end
  
@@ -505,7 +505,7 @@ end
  
 Given /^the following units?$/ do |table|
   table.hashes.each do |row|
-    Unit.create!(row.merge(:environment_id => 1), :without_protection => true)
+    Unit.create! row.merge(environment_id: 1)
   end
 end
  
 module Customizable
  
   def self.included(base)
-    base.attr_accessible :custom_values
     base.extend ClassMethods
   end
  
@@ -5,7 +5,6 @@ module ActsAsHavingImage
       belongs_to :image, dependent: :destroy
       scope :with_image, -> { where "#{table_name}.image_id IS NOT NULL" }
       scope :without_image, -> { where "#{table_name}.image_id IS NULL" }
-      attr_accessible :image_builder
       include ActsAsHavingImage
     end
   end
@@ -2,11 +2,7 @@ class AnalyticsPlugin::PageView &lt; ActiveRecord::Base
  
   serialize :data
  
-  attr_accessible *self.column_names
-  attr_accessible :user, :profile
-
   attr_accessor :request
-  attr_accessible :request
  
   acts_as_having_settings field: :options
  
 class AnalyticsPlugin::Visit < ActiveRecord::Base
  
-  attr_accessible *self.column_names
-  attr_accessible :profile
-
   belongs_to :profile
   has_many :page_views, class_name: 'AnalyticsPlugin::PageView', dependent: :destroy
  
@@ -4,8 +4,6 @@ class BreadcrumbsPlugin::ContentBreadcrumbsBlock &lt; Block
   settings_items :show_profile, :type => :boolean, :default => true
   settings_items :show_section_name, :type => :boolean, :default => true
  
-  attr_accessible :show_cms_action, :show_profile, :show_section_name
-
   def self.description
     _("<p>Display a breadcrumb of the current content navigation.</p><p>You could choose if the breadcrumb is going to appear in the cms editing or not.</p> <p>There is either the option of display the profile location in the breadcrumb path.</p>")
   end
@@ -5,8 +5,6 @@ class CommentClassificationPlugin::CommentLabelUser &lt; ActiveRecord::Base
   belongs_to :comment
   belongs_to :label, :class_name => 'CommentClassificationPlugin::Label'
  
-  attr_accessible :profile, :comment, :label
-
   validates_presence_of :profile
   validates_presence_of :comment
   validates_presence_of :label
@@ -5,8 +5,6 @@ class CommentClassificationPlugin::CommentStatusUser &lt; ActiveRecord::Base
   belongs_to :comment
   belongs_to :status, :class_name => 'CommentClassificationPlugin::Status'
  
-  attr_accessible :name, :enabled, :profile, :comment, :status_id, :reason
-
   validates_presence_of :profile
   validates_presence_of :comment
   validates_presence_of :status
@@ -6,8 +6,6 @@ class CommentClassificationPlugin::Label &lt; ActiveRecord::Base
  
   scope :enabled, -> { where enabled: true }
  
-  attr_accessible :name, :enabled, :color
-
   COLORS = ['red', 'green', 'yellow', 'gray', 'blue']
  
 end
@@ -2,8 +2,6 @@ class CommentClassificationPlugin::Status &lt; ActiveRecord::Base
  
   belongs_to :owner, :polymorphic => true
  
-  attr_accessible :name, :enabled
-
   validates_presence_of :name
  
   scope :enabled, -> { where enabled: true }
@@ -6,6 +6,4 @@ class Comment
  
   scope :in_group, -> group_id { where 'group_id = ?', group_id }
  
-  attr_accessible :group_id
-
 end
@@ -11,8 +11,6 @@ class Comment
     where 'paragraph_uuid = ?', paragraph_uuid
   }
  
-  attr_accessible :paragraph_uuid, :comment_paragraph_selected_area, :id, :comment_paragraph_selected_content
-
   before_validation do |comment|
     comment.comment_paragraph_selected_area = nil if comment.comment_paragraph_selected_area.blank?
     comment.comment_paragraph_selected_content = nil if comment_paragraph_selected_content.blank?
@@ -3,8 +3,6 @@ class CommunityTrackPlugin::Step &lt; Folder
   settings_items :hidden, :type => :boolean, :default => false
   settings_items :tool_type, :type => String
  
-  attr_accessible :start_date, :end_date, :tool_type, :hidden
-
   alias :tools :children
  
   acts_as_list scope: -> step { where parent_id: step.parent_id }
@@ -5,8 +5,6 @@ class CommunityTrackPlugin::Track &lt; Folder
  
   validate :validate_categories
  
-  attr_accessible :goals, :expected_results
-
   def comments_count
     @comments_count = sum_children_comments self unless @comments_count
     @comments_count
@@ -7,8 +7,6 @@ class ContextContentPlugin::ContextContentBlock &lt; Block
   settings_items :types, :type => Array, :default => ['UploadedFile']
   settings_items :limit, :type => :integer, :default => 6
  
-  attr_accessible :show_image, :show_name, :use_parent_title, :show_parent_content, :types
-
   alias :profile :owner
  
   include Noosfero::Plugin::HotSpot
@@ -5,6 +5,5 @@ class CustomFormsPlugin::Alternative &lt; ActiveRecord::Base
  
   belongs_to :field, :class_name => 'CustomFormsPlugin::Field'
  
-  attr_accessible :label, :field, :position, :selected_by_default
 end
  
@@ -6,8 +6,6 @@ class CustomFormsPlugin::Answer &lt; ActiveRecord::Base
   validates_presence_of :field
   validate :value_mandatory, :if => 'field.present?'
  
-  attr_accessible :field, :value, :submission
-
   def value_mandatory
     if field.mandatory && value.blank?
       errors.add(:value, _("is mandatory.").fix_i18n)
@@ -4,8 +4,6 @@ class CustomFormsPlugin::Field &lt; ActiveRecord::Base
   validates_presence_of :name
   validates_length_of :default_value, :maximum => 255
  
-  attr_accessible :name, :form, :mandatory, :type, :position, :default_value, :show_as, :alternatives_attributes
-
   belongs_to :form, :class_name => 'CustomFormsPlugin::Form'
   has_many :answers, :class_name => 'CustomFormsPlugin::Answer', :dependent => :destroy
  
@@ -14,8 +14,6 @@ class CustomFormsPlugin::Form &lt; ActiveRecord::Base
   validate :period_range, :if => Proc.new { |f| f.begining.present? && f.ending.present? }
   validate :access_format
  
-  attr_accessible :name, :profile, :for_admission, :access, :begining, :ending, :description, :fields_attributes, :profile_id, :on_membership
-
   before_validation do |form|
     form.slug = form.name.to_slug if form.name.present?
     form.access = nil if form.access.blank?
@@ -6,8 +6,6 @@ class CustomFormsPlugin::Submission &lt; ActiveRecord::Base
   # validation is done manually, see below
   has_many :answers, :class_name => 'CustomFormsPlugin::Answer', :dependent => :destroy, :validate => false
  
-  attr_accessible :form, :profile, :author_name, :author_email
-
   validates_presence_of :form
   validates_presence_of :author_name, :author_email, :if => lambda {|submission| submission.profile.nil?}
   validates_uniqueness_of :author_email, :scope => :form_id, :allow_nil => true
@@ -7,9 +7,6 @@ class DeliveryPlugin::Method &lt; ActiveRecord::Base
     address address_line2 address_reference district city state country_name zip_code
   ].map(&:to_sym)
  
-  attr_accessible :profile, :delivery_type, :name, :description,
-    :fixed_cost, :free_over_price, :distribution_margin_percentage, :distribution_margin_fixed
-
   belongs_to :profile
  
   has_many :delivery_options, class_name: 'DeliveryPlugin::Option', foreign_key: :delivery_method_id, dependent: :destroy
@@ -6,6 +6,4 @@ class DeliveryPlugin::Option &lt; ActiveRecord::Base
   validates_presence_of :delivery_method
   validates_presence_of :owner
  
-  attr_accessible :owner_id, :owner_type, :delivery_methods, :delivery_method
-
 end
@@ -29,8 +29,6 @@ class DisplayContentBlock &lt; Block
   settings_items :content_with_translations, :type => :boolean, :default => :true
   settings_items :limit_to_show, :type => :integer, :default => 6
  
-  attr_accessible :sections, :checked_nodes, :display_folder_children, :types, :order_by_recent, :limit_to_show, :content_with_translations
-
   def self.description
     _('Display your contents')
   end
...	...	@@ -49,7 +49,6 @@ gem 'sass-rails'
49	49	gem 'sprockets-rails', '~> 2.1'
50	50
51	51	# gems to enable rails3 behaviour
52		-gem 'protected_attributes'
53	52	gem 'rails-observers', github: 'rails/rails-observers'
54	53	gem 'actionpack-page_caching'
55	54	gem 'actionpack-action_caching'
...	...
...	...	@@ -207,14 +207,11 @@ class CmsController < MyProfileController
207	207	params[:uploaded_files].each do \|file\|
208	208	unless file == ''
209	209	@uploaded_files << UploadedFile.create(
210		- {
211		- :uploaded_data => file,
212		- :profile => profile,
213		- :parent => @parent,
214		- :last_changed_by => user,
215		- :author => user,
216		- },
217		- :without_protection => true
	210	+ uploaded_data: file,
	211	+ profile: profile,
	212	+ parent: @parent,
	213	+ last_changed_by: user,
	214	+ author: user,
218	215	)
219	216	end
220	217	end
...	...
...	...	@@ -86,7 +86,7 @@ class ManageProductsController < ApplicationController
86	86	@edit = true
87	87	@level = @category.level
88	88	if request.post?
89		- if @product.update({:product_category_id => params[:selected_category_id]}, :without_protection => true)
	89	+ if @product.update product_category_id: params[:selected_category_id]
90	90	render :partial => 'shared/redirect_via_javascript',
91	91	:locals => { :url => url_for(:controller => 'manage_products', :action => 'show', :id => @product) }
92	92	else
...	...
...	...	@@ -12,7 +12,7 @@ class ProfileRolesController < MyProfileController
12	12	end
13	13
14	14	def create
15		- @role = Role.new({:name => params[:role][:name], :permissions => params[:role][:permissions], :environment => environment }, :without_protection => true)
	15	+ @role = Role.new name: params[:role][:name], permissions: params[:role][:permissions], environment: environment
16	16	if @role.save
17	17	profile.custom_roles << @role
18	18	redirect_to :action => 'show', :id => @role
...	...
...	...	@@ -4,8 +4,6 @@ class Mailing < ActiveRecord::Base
4	4
5	5	acts_as_having_settings :field => :data
6	6
7		- attr_accessible :subject, :body, :data
8		-
9	7	validates_presence_of :source_id, :subject, :body
10	8	belongs_to :source, :foreign_key => :source_id, :polymorphic => true
11	9	belongs_to :person
...	...
1	1	class AbuseReport < ActiveRecord::Base
2	2
3		- attr_accessible :content, :reason
4		-
5	3	belongs_to :reporter, :class_name => 'Person'
6	4	belongs_to :abuse_complaint
7	5	has_many :reported_images, :dependent => :destroy
...	...
...	...	@@ -8,8 +8,6 @@ class ActionTrackerNotification < ActiveRecord::Base
8	8	validates_presence_of :profile_id, :action_tracker_id
9	9	validates_uniqueness_of :action_tracker_id, :scope => :profile_id
10	10
11		- attr_accessible :profile_id, :action_tracker_id
12		-
13	11	end
14	12
15	13	ActionTracker::Record.has_many :action_tracker_notifications, :class_name => 'ActionTrackerNotification', :foreign_key => 'action_tracker_id', :dependent => :destroy
...	...
...	...	@@ -8,7 +8,7 @@ class ApproveComment < Task
8	8	def comment
9	9	unless @comment \|\| self.comment_attributes.nil?
10	10	@comment = Comment.new
11		- @comment.assign_attributes(ActiveSupport::JSON.decode(self.comment_attributes.to_s), :without_protection => true)
	11	+ @comment.assign_attributes ActiveSupport::JSON.decode(self.comment_attributes.to_s)
12	12	end
13	13	@comment
14	14	end
...	...
1	1
2	2	class Article < ActiveRecord::Base
3	3
4		- attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent,
5		- :allow_members_to_edit, :translation_of_id, :language,
6		- :license_id, :parent_id, :display_posts_in_current_language,
7		- :category_ids, :posts_per_page, :moderate_comments,
8		- :accept_comments, :feed, :published, :source, :source_name,
9		- :highlighted, :notify_comments, :display_hits, :slug,
10		- :external_feed_builder, :display_versions, :external_link,
11		- :image_builder, :show_to_followers,
12		- :author, :display_preview, :published_at, :person_followers
13		-
14	4	acts_as_having_image
15	5	include Noosfero::Plugin::HotSpot
16	6
...	...
1	1	class ArticleBlock < Block
2	2
3		- attr_accessible :article_id
4		-
5	3	def self.description
6	4	_('Display one of your contents.')
7	5	end
...	...