rails5: drop unsecure and unsupported protected_attributes

Braulio Bhavamitra
1 parent b3ca57de
Showing 173 changed files with 99 additions and 530 deletions Show diff stats
Gemfile
app/controllers/my_profile/cms_controller.rb
app/controllers/my_profile/manage_products_controller.rb
app/controllers/my_profile/profile_roles_controller.rb
app/mailers/mailing.rb
app/models/abuse_report.rb
app/models/action_tracker_notification.rb
app/models/approve_comment.rb
app/models/article.rb
app/models/article_block.rb
app/models/block.rb
app/models/blog.rb
app/models/box.rb
app/models/categories_block.rb
app/models/category.rb
app/models/certifier.rb
app/models/chat_message.rb
app/models/city.rb
app/models/comment.rb
app/models/communities_block.rb
@@ -49,7 +49,6 @@ gem &#39;sass-rails&#39;
 gem 'sprockets-rails', '~> 2.1'
  
 # gems to enable rails3 behaviour
-gem 'protected_attributes'
 gem 'rails-observers', github: 'rails/rails-observers'
 gem 'actionpack-page_caching'
 gem 'actionpack-action_caching'
@@ -207,14 +207,11 @@ class CmsController &lt; MyProfileController
       params[:uploaded_files].each do |file|
         unless file == ''
           @uploaded_files << UploadedFile.create(
-            {
-              :uploaded_data => file,
-              :profile => profile,
-              :parent => @parent,
-              :last_changed_by => user,
-              :author => user,
-            },
-            :without_protection => true
+            uploaded_data:   file,
+            profile:         profile,
+            parent:          @parent,
+            last_changed_by: user,
+            author:          user,
           )
         end
       end
@@ -86,7 +86,7 @@ class ManageProductsController &lt; ApplicationController
     @edit = true
     @level = @category.level
     if request.post?
-      if @product.update({:product_category_id => params[:selected_category_id]}, :without_protection => true)
+      if @product.update product_category_id: params[:selected_category_id]
         render :partial => 'shared/redirect_via_javascript',
           :locals => { :url => url_for(:controller => 'manage_products', :action => 'show', :id => @product) }
       else
@@ -12,7 +12,7 @@ class ProfileRolesController &lt; MyProfileController
   end
  
   def create
-    @role = Role.new({:name => params[:role][:name], :permissions => params[:role][:permissions], :environment => environment }, :without_protection => true)
+    @role = Role.new name: params[:role][:name], permissions: params[:role][:permissions], environment: environment
     if @role.save
       profile.custom_roles << @role
       redirect_to :action => 'show', :id => @role
@@ -4,8 +4,6 @@ class Mailing &lt; ActiveRecord::Base
  
   acts_as_having_settings :field => :data
  
-  attr_accessible :subject, :body, :data
-
   validates_presence_of :source_id, :subject, :body
   belongs_to :source, :foreign_key => :source_id, :polymorphic => true
   belongs_to :person
 class AbuseReport < ActiveRecord::Base
  
-  attr_accessible :content, :reason
-
   belongs_to :reporter, :class_name => 'Person'
   belongs_to :abuse_complaint
   has_many :reported_images, :dependent => :destroy
@@ -8,8 +8,6 @@ class ActionTrackerNotification &lt; ActiveRecord::Base
   validates_presence_of :profile_id, :action_tracker_id
   validates_uniqueness_of :action_tracker_id, :scope => :profile_id
  
-  attr_accessible :profile_id, :action_tracker_id
-
 end
  
 ActionTracker::Record.has_many :action_tracker_notifications, :class_name => 'ActionTrackerNotification', :foreign_key => 'action_tracker_id', :dependent => :destroy
@@ -8,7 +8,7 @@ class ApproveComment &lt; Task
   def comment
     unless @comment || self.comment_attributes.nil?
       @comment = Comment.new
-      @comment.assign_attributes(ActiveSupport::JSON.decode(self.comment_attributes.to_s), :without_protection => true)
+      @comment.assign_attributes ActiveSupport::JSON.decode(self.comment_attributes.to_s)
     end
     @comment
   end
  
 class Article < ActiveRecord::Base
  
-  attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent,
-                  :allow_members_to_edit, :translation_of_id, :language,
-                  :license_id, :parent_id, :display_posts_in_current_language,
-                  :category_ids, :posts_per_page, :moderate_comments,
-                  :accept_comments, :feed, :published, :source, :source_name,
-                  :highlighted, :notify_comments, :display_hits, :slug,
-                  :external_feed_builder, :display_versions, :external_link,
-                  :image_builder, :show_to_followers,
-                  :author, :display_preview, :published_at, :person_followers
-
   acts_as_having_image
   include Noosfero::Plugin::HotSpot
  
 class ArticleBlock < Block
  
-  attr_accessible :article_id
-
   def self.description
     _('Display one of your contents.')
   end
 class Block < ActiveRecord::Base
  
-  attr_accessible :title, :subtitle, :display, :limit, :box_id, :posts_per_page,
-                  :visualization_format, :language, :display_user,
-                  :box, :edit_modes, :move_modes, :mirror
-
   include ActionView::Helpers::TagHelper
  
   # Block-specific stuff
 class Blog < Folder
  
-  attr_accessible :visualization_format
-
   acts_as_having_posts
   include PostsLimit
  
@@ -55,7 +53,7 @@ class Blog &lt; Folder
       if self.external_feed(true) && self.external_feed.id == self.external_feed_data[:id].to_i
         self.external_feed.attributes = self.external_feed_data.except(:id)
       else
-        self.build_external_feed(self.external_feed_data, :without_protection => true)
+        self.build_external_feed self.external_feed_data
       end
       self.external_feed.valid?
       self.external_feed.errors.delete(:blog_id) # dont validate here relation: external_feed <-> blog
@@ -5,8 +5,6 @@ class Box &lt; ActiveRecord::Base
   belongs_to :owner, :polymorphic => true
   has_many :blocks, -> { order 'position' }, dependent: :destroy
  
-  attr_accessible :owner
-
   include Noosfero::Plugin::HotSpot
  
   scope :with_position, -> { where 'boxes.position > 0' }
@@ -8,8 +8,6 @@ class CategoriesBlock &lt; Block
  
   settings_items :category_types, :type => Array, :default => []
  
-  attr_accessible :category_types
-
   def self.description
     _("Categories Menu")
   end
 class Category < ActiveRecord::Base
  
-  attr_accessible :name, :parent_id, :display_color, :display_in_menu, :image_builder, :environment, :parent
-
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 10},
     :acronym => {:label => _('Acronym'), :weight => 5},
 class Certifier < ActiveRecord::Base
  
-  attr_accessible :name, :environment
-
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 10},
     :description => {:label => _('Description'), :weight => 3},
 class ChatMessage < ActiveRecord::Base
-  attr_accessible :body, :from, :to
  
   belongs_to :to, :class_name => 'Profile'
   belongs_to :from, :class_name => 'Profile'
  
   validates_presence_of :from, :to
+
 end
 class City < Region
-  attr_accessible :name, :parent_id
+
 end
@@ -6,8 +6,6 @@ class Comment &lt; ActiveRecord::Base
     :body => {:label => _('Content'), :weight => 2},
   }
  
-  attr_accessible :body, :author, :name, :email, :title, :reply_of_id, :source, :follow_article
-
   validates_presence_of :body
  
   belongs_to :source, :counter_cache => true, :polymorphic => true
 class CommunitiesBlock < ProfileListBlock
  
-  attr_accessible :accessor_id, :accessor_type, :role_id, :resource_id, :resource_type
-
   def self.description
     _("<p>Display all of your communities.</p><p>You could choose the amount of communities will be displayed and you could priorize that profiles with images.</p> <p>The view all button is always present in the block.</p>")
   end
 class Community < Organization
  
-  attr_accessible :accessor_id, :accessor_type, :role_id, :resource_id, :resource_type
-  attr_accessible :address_reference, :district, :tag_list, :language, :description
   after_destroy :check_invite_member_for_destroy
  
   def self.type_name
@@ -9,15 +9,11 @@ class CreateCommunity &lt; Task
   alias :environment :target
   alias :environment= :target=
  
-  attr_accessible :environment, :requestor, :target
-  attr_accessible :reject_explanation, :template_id
-
   acts_as_having_image
  
   DATA_FIELDS = Community.fields + ['name', 'closed', 'description']
   DATA_FIELDS.each do |field|
     settings_items field.to_sym
-    attr_accessible field.to_sym
   end
  
   settings_items :custom_values
 class CustomField < ActiveRecord::Base
-  attr_accessible :name, :default_value, :format, :extras, :customized_type, :active, :required, :signup, :environment, :moderation_task
+
   serialize :customized_type
   serialize :extras
   has_many :custom_field_values, :dependent => :delete_all
 class CustomFieldValue < ActiveRecord::Base
+
   belongs_to :custom_field
   belongs_to :customized, :polymorphic => true
-  attr_accessible :value, :public, :customized, :custom_field, :customized_type
+
   validate :can_save?
  
   def can_save?
@@ -2,8 +2,6 @@ require &#39;noosfero/multi_tenancy&#39;
  
 class Domain < ActiveRecord::Base
  
-  attr_accessible :name, :owner, :is_default
-
   # relationships
   ###############
  
@@ -2,8 +2,6 @@
 # only enterprises can offer products and services.
 class Enterprise < Organization
  
-  attr_accessible :business_name, :address_reference, :district, :tag_list, :organization_website, :historic_and_current_context, :activities_short_description, :products_per_catalog_page
-
   SEARCH_FILTERS = {
     :order => %w[more_recent more_popular more_active],
     :display => %w[compact full map]
@@ -3,18 +3,6 @@
 # domains.
 class Environment < ActiveRecord::Base
  
-  attr_accessible :name, :is_default, :signup_welcome_text_subject,
-                  :signup_welcome_text_body, :terms_of_use,
-                  :message_for_disabled_enterprise, :news_amount_by_folder,
-                  :default_language, :languages, :description,
-                  :organization_approval_method, :enabled_plugins,
-                  :enabled_features, :redirection_after_login,
-                  :redirection_after_signup, :contact_email, :theme,
-                  :reports_lower_bound, :noreply_email,
-                  :signup_welcome_screen_body, :members_whitelist_enabled,
-                  :members_whitelist, :highlighted_news_amount,
-                  :portal_news_amount, :date_format, :signup_intro
-
   has_many :users
  
   # allow roles use
@@ -3,8 +3,6 @@ require &#39;builder&#39;
  
 class Event < Article
  
-  attr_accessible :start_date, :end_date, :link, :address
-
   def self.type_name
     _('Event')
   end
@@ -10,8 +10,6 @@ class ExternalFeed &lt; ActiveRecord::Base
     where '(fetched_at is NULL) OR (fetched_at < ?)', Time.now - FeedUpdater.update_interval
   }
  
-  attr_accessible :address, :enabled, :only_once
-
   def add_item(title, link, date, content)
     return if content.blank?
     doc = Nokogiri::HTML.fragment content
 class FavoriteEnterprisePerson < ActiveRecord::Base
  
-  attr_accessible :person, :enterprise
-
   track_actions :favorite_enterprise, :after_create, keep_params: [:enterprise_name, :enterprise_url], if: proc{ |f| f.is_trackable? }
  
   belongs_to :enterprise
 class FeaturedProductsBlock < Block
  
-  attr_accessible :product_ids, :groups_of, :speed, :reflect
-
   settings_items :product_ids, :type => Array, :default => []
   settings_items :groups_of, :type => :integer, :default => 3
   settings_items :speed, :type => :integer, :default => 1000
 class FeedReaderBlock < Block
  
-  attr_accessible :address, :update_errors
-
   def initialize(attributes = nil, options = {})
     data = attributes || {}
     super(data)
@@ -3,8 +3,6 @@ class Forum &lt; Folder
   acts_as_having_posts -> { reorder 'updated_at DESC' }
   include PostsLimit
  
-  attr_accessible :has_terms_of_use, :terms_of_use, :topic_creation
-
   settings_items :terms_of_use, :type => :string, :default => ""
   settings_items :has_terms_of_use, :type => :boolean, :default => false
   settings_items :topic_creation, :type => :string, :default => 'self'
 class HighlightsBlock < Block
  
-  attr_accessible :images, :interval, :shuffle, :navigation
-
   settings_items :images, :type => Array, :default => []
   settings_items :interval, :type => 'integer', :default => 4
   settings_items :shuffle, :type => 'boolean', :default => false
 class Image < ActiveRecord::Base
  
-  attr_accessible :uploaded_data, :label, :remove_image
   attr_accessor :remove_image
  
   def self.max_size
 class Input < ActiveRecord::Base
  
-  attr_accessible :product, :product_id, :product_category, :product_category_id,
-    :amount_used, :unit_id, :price_per_unit, :relevant_to_price, :is_from_solidarity_economy
-
   belongs_to :product
   belongs_to :product_category
  
 class License < ActiveRecord::Base
  
-  attr_accessible :name, :url
-
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 10},
     :url => {:label => _('URL'), :weight => 5},
@@ -14,8 +12,6 @@ class License &lt; ActiveRecord::Base
   validates_presence_of :slug, :if => lambda {|license| license.name.present?}
   validates_uniqueness_of :slug, :scope => :environment_id
  
-  attr_accessible :environment, :slug
-
   before_validation do |license|
     license.slug ||= license.name.to_slug if license.name.present?
   end
 class LinkArticle < Article
  
-  attr_accessible :reference_article
-
   def self.short_description
     "Article link"
   end
 class LinkListBlock < Block
  
-  attr_accessible :links
-
   ICONS = [
     ['no-icon', _('(No icon)')],
     ['edit', N_('Edit')],
 class LocationBlock < Block
  
-  attr_accessible :zoom, :map_type
-
   settings_items :zoom, :type => :integer, :default => 4
   settings_items :map_type, :type => :string, :default => 'roadmap'
  
 class MailingSent < ActiveRecord::Base
-  attr_accessible :person
+
   belongs_to :mailing
   belongs_to :person
+
 end
 class MyNetworkBlock < Block
  
-  attr_accessible :display, :box
-
   def self.description
     _('My network')
   end
 # Represents any organization of the system
 class Organization < Profile
  
-  attr_accessible :moderated_articles, :foundation_year, :contact_person, :acronym, :legal_form, :economic_activity, :management_information, :cnpj, :display_name, :enable_contact_us
-
   SEARCH_FILTERS = {
     :order => %w[more_recent more_popular more_active],
     :display => %w[compact]
 # A person is the profile of an user holding all relationships with the rest of the system
 class Person < Profile
  
-  attr_accessible :organization, :contact_information, :sex, :birth_date, :cell_phone, :comercial_phone, :jabber_id, :personal_website, :nationality, :address_reference, :district, :schooling, :schooling_status, :formation, :custom_formation, :area_of_study, :custom_area_of_study, :professional_activity, :organization_website, :following_articles
-
   SEARCH_FILTERS = {
     :order => %w[more_recent more_popular more_active],
     :display => %w[compact]
   }
  
-
   def self.type_name
     _('Person')
   end
 class PriceDetail < ActiveRecord::Base
  
-  attr_accessible :price, :production_cost_id
-
   belongs_to :product
   validates_presence_of :product_id
  
@@ -10,9 +10,6 @@ class Product &lt; ActiveRecord::Base
     :display => %w[full map]
   }
  
-  attr_accessible :name, :product_category, :profile, :profile_id, :enterprise,
-    :highlighted, :price, :image_builder, :description, :available, :qualifiers, :unit_id, :discount, :inputs, :qualifiers_list
-
   def self.default_search_display
     'full'
   end
@@ -3,8 +3,6 @@ class ProductCategory &lt; Category
   has_many :products
   has_many :inputs
  
-  attr_accessible :name, :parent, :environment
-
   scope :unique, -> { select 'DISTINCT ON (path) categories.*' }
   scope :by_enterprise, -> enterprise {
     distinct.joins(:products).
 class ProductQualifier < ActiveRecord::Base
  
-  attr_accessible :qualifier, :product, :certifier
-
   belongs_to :qualifier
   belongs_to :product
   belongs_to :certifier
+
 end
 class ProductionCost < ActiveRecord::Base
  
-  attr_accessible :name, :owner
-
   belongs_to :owner, :polymorphic => true
+
   validates_presence_of :owner
   validates_presence_of :name
   validates_length_of :name, :maximum => 30, :allow_blank => true
 class ProductsBlock < Block
  
-  attr_accessible :product_ids
-
   include ActionView::Helpers::TagHelper
   include ActionView::Helpers::UrlHelper
   include ActionView::Helpers
@@ -3,10 +3,6 @@
 # which by default is the one returned by Environment:default.
 class Profile < ActiveRecord::Base
  
-  attr_accessible :name, :identifier, :public_profile, :nickname, :custom_footer, :custom_header, :address, :zip_code, :contact_phone, :image_builder, :description, :closed, :template_id, :environment, :lat, :lng, :is_template, :fields_privacy, :preferred_domain_id, :category_ids, :country, :city, :state, :national_region_code, :email, :contact_email, :redirect_l10n, :notification_time,
-    :redirection_after_login, :custom_url_redirection,
-    :email_suggestions, :allow_members_to_invite, :invite_friends_only, :secret, :profile_admin_mail_notification
-
   # use for internationalizable human type names in search facets
   # reimplement on subclasses
   def self.type_name
@@ -2,9 +2,6 @@ class ProfileActivity &lt; ActiveRecord::Base
  
   self.record_timestamps = false
  
-  attr_accessible :profile_id,
-    :profile, :activity
-
   belongs_to :profile
   belongs_to :activity, polymorphic: true
  
 class ProfileImageBlock < Block
  
-  attr_accessible :show_name
-
   settings_items :show_name, :type => :boolean, :default => false
  
   def self.description
 class ProfileListBlock < Block
  
-  attr_accessible :prioritize_profiles_with_image
-
   settings_items :limit, :type => :integer, :default => 6
   settings_items :prioritize_profiles_with_image, :type => :boolean, :default => true
  
 class ProfileSuggestion < ActiveRecord::Base
+
   belongs_to :person
   belongs_to :suggestion, :class_name => 'Profile', :foreign_key => :suggestion_id
  
-  attr_accessible :person, :suggestion, :suggestion_type, :categories, :enabled
-
   has_many :suggestion_connections, :foreign_key => 'suggestion_id'
   has_many :profile_connections, :through => :suggestion_connections, :source => :connection, :source_type => 'Profile'
   has_many :tag_connections, :through => :suggestion_connections, :source => :connection, :source_type => 'ActsAsTaggableOn::Tag'
@@ -67,7 +66,6 @@ class ProfileSuggestion &lt; ActiveRecord::Base
  
   RULES.keys.each do |rule|
     settings_items rule
-    attr_accessible rule
   end
  
   # Number of suggestions by rule
 class Qualifier < ActiveRecord::Base
  
-  attr_accessible :name, :environment
-
   SEARCHABLE_FIELDS = {
     :name => {:label => _('Name'), :weight => 1},
   }
@@ -10,8 +10,6 @@ class RawHTMLBlock &lt; Block
  
   settings_items :html, :type => :text
  
-  attr_accessible :html
-
   def has_macro?
     true
   end
 # Region is a special type of category that is related to geographical issues.
 class Region < Category
  
-  attr_accessible :name
-
   has_and_belongs_to_many :validators, :class_name => 'Organization', :join_table => :region_validators
  
   require_dependency 'enterprise' # enterprises can also be validators
 class RssFeed < Article
  
-  attr_accessible :limit, :enabled, :language, :include, :feed_item_description
-
   def self.type_name
     _('RssFeed')
   end
 class Scrap < ActiveRecord::Base
  
-  attr_accessible :content, :sender_id, :receiver_id, :scrap_id
-
   SEARCHABLE_FIELDS = {
     :content => {:label => _('Content'), :weight => 1},
   }
@@ -5,8 +5,6 @@ class SearchTerm &lt; ActiveRecord::Base
   belongs_to :context, :polymorphic => true
   has_many :occurrences, :class_name => 'SearchTermOccurrence'
  
-  attr_accessible :term, :context, :asset
-
   def self.calculate_scores
     os = occurrences_scores
     find_each { |search_term| search_term.calculate_score(os) }
@@ -2,7 +2,6 @@ class SearchTermOccurrence &lt; ActiveRecord::Base
  
   belongs_to :search_term
   validates_presence_of :search_term
-  attr_accessible :search_term, :created_at, :total, :indexed
  
   EXPIRATION_TIME = 1.year
  
 class SellersSearchBlock < Block
  
-  attr_accessible :title
-
   def self.description
     _('Search for enterprises and products')
   end
@@ -6,8 +6,6 @@ class SlideshowBlock &lt; Block
   settings_items :navigation, :type => 'boolean', :default => false
   settings_items :image_size, :type => 'string', :default => 'thumb'
  
-  attr_accessible :gallery_id, :image_size, :interval, :shuffle, :navigation
-
   def self.description
     _('Slideshow')
   end
 class State < Region
-  attr_accessible :name, :acronym, :environment
+
 end
 class SuggestionConnection < ActiveRecord::Base
-  attr_accessible :suggestion, :suggestion_id, :connection_type, :connection_id
  
   belongs_to :suggestion, :class_name => 'ProfileSuggestion', :foreign_key => 'suggestion_id'
   belongs_to :connection, :polymorphic => true
+
 end
 Tag = ActsAsTaggableOn::Tag
 class Tag
  
-  attr_accessible :name, :parent_id, :pending
-
   has_many :children, class_name: 'Tag', foreign_key: 'parent_id', dependent: :destroy
  
   @@original_find = self.method(:find)
@@ -41,8 +41,6 @@ class Task &lt; ActiveRecord::Base
   validates_uniqueness_of :code, :on => :create
   validates_presence_of :code
  
-  attr_protected :status
-
   settings_items :email_template_id, :type => :integer
  
   def initialize(*args)
 class Thumbnail < ActiveRecord::Base
  
-  attr_accessible :uploaded_data
-  # mass assigned by attachment_fu
-  attr_accessible :content_type, :filename, :thumbnail_resize_options, :thumbnail, :parent_id
-
   has_attachment :storage => :file_system,
     :content_type => :image, :max_size => UploadedFile.max_size, processor: 'Rmagick'
   validates_as_attachment
@@ -2,8 +2,6 @@ class Unit &lt; ActiveRecord::Base
  
   acts_as_list scope: -> unit { where environment_id: unit.environment_id }
  
-  attr_accessible :name, :singular, :plural, :environment
-
   validates_presence_of :singular
   validates_presence_of :plural
  
@@ -7,8 +7,6 @@ require &#39;sdbm&#39;
  
 class UploadedFile < Article
  
-  attr_accessible :uploaded_data, :title
-
   def self.type_name
     _('File')
   end
@@ -6,8 +6,6 @@ require &#39;securerandom&#39;
 # Rails generator.
 class User < ActiveRecord::Base
  
-  attr_accessible :login, :email, :password, :password_confirmation, :activated_at
-
   N_('Password')
   N_('Password confirmation')
   N_('Terms accepted')
@@ -110,8 +108,6 @@ class User &lt; ActiveRecord::Base
   # holds the current session, see lib/authenticated_system.rb
   attr_accessor :session
  
-  attr_protected :activated_at
-
   # Virtual attribute for the unencrypted password
   attr_accessor :password, :name
  
 class ValidationInfo < ActiveRecord::Base
  
-  attr_accessible :validation_methodology, :restrictions, :organization
-
   belongs_to :organization
  
   validates_presence_of :organization
@@ -72,12 +72,6 @@ module Noosfero
     # like if you have constraints or database-specific column types
     # config.active_record.schema_format = :sql
  
-    # Enforce whitelist mode for mass assignment.
-    # This will create an empty whitelist of attributes available for mass-assignment for all models
-    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
-    # parameters by using an attr_accessible or attr_protected declaration.
-    config.active_record.whitelist_attributes = true
-
     # Asset pipeline
     config.assets.paths =
       Dir.glob("app/assets/plugins/*/{,stylesheets,javascripts}") +
@@ -20,9 +20,6 @@ Noosfero::Application.configure do
   # Only use best-standards-support built into browsers
   config.action_dispatch.best_standards_support = :builtin
  
-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
   # Do not compress assets
   config.assets.compress = false
   config.assets.digest = false
@@ -25,9 +25,6 @@ Noosfero::Application.configure do
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
  
-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
   # Print deprecation notices to the stderr
   config.active_support.deprecation = :stderr
 end
@@ -1,6 +0,0 @@
-class Delayed::Backend::ActiveRecord::Job
-  # rake db:schema:load run?
-  if self.table_exists?
-    attr_accessible *self.column_names, :payload_object
-  end
-end
@@ -31,7 +31,7 @@ Given /^the following (community|communities|enterprises?|organizations?)$/ do |
     category = row.delete("category")
     img_name = row.delete("img")
     city = row.delete("region")
-    organization = klass.create!(row, :without_protection => true)
+    organization = klass.create! row
     if owner
       organization.add_admin(Profile[owner])
     end
@@ -204,7 +204,7 @@ Given /^the following products?$/ do |table|
       qualifier = Qualifier.find_by name: data.delete("qualifier")
       data.merge!(:qualifiers => [qualifier])
     end
-    product = Product.create!(data, :without_protection => true)
+    product = Product.create! data
   end
 end
  
@@ -215,8 +215,8 @@ Given /^the following inputs?$/ do |table|
     category = Category.find_by slug: data.delete("category").to_slug
     unit = Unit.find_by singular: data.delete("unit")
     solidary = data.delete("solidary")
-    input = Input.create!(data.merge(:product => product, :product_category => category, :unit => unit,
-                                     :is_from_solidarity_economy => solidary), :without_protection => true)
+    input = Input.create! data.merge(product: product, product_category: category, unit: unit,
+                                     is_from_solidarity_economy: solidary)
     input.update_attribute(:position,  data['position'])
   end
 end
@@ -254,7 +254,7 @@ end
  
 Given /^the following qualifiers$/ do |table|
   table.hashes.each do |row|
-    Qualifier.create!(row.merge(:environment_id => 1), :without_protection => true)
+    Qualifier.create! row.merge(environment_id: 1)
   end
 end
  
@@ -265,7 +265,7 @@ Given /^the following certifiers$/ do |table|
     if qualifiers_list
       row["qualifiers"] = qualifiers_list.split(', ').map{|i| Qualifier.find_by name: i }
     end
-    Certifier.create!(row.merge(:environment_id => 1), :without_protection => true)
+    Certifier.create! row.merge(environment_id: 1)
   end
 end
  
@@ -505,7 +505,7 @@ end
  
 Given /^the following units?$/ do |table|
   table.hashes.each do |row|
-    Unit.create!(row.merge(:environment_id => 1), :without_protection => true)
+    Unit.create! row.merge(environment_id: 1)
   end
 end
  
 module Customizable
  
   def self.included(base)
-    base.attr_accessible :custom_values
     base.extend ClassMethods
   end
  
@@ -5,7 +5,6 @@ module ActsAsHavingImage
       belongs_to :image, dependent: :destroy
       scope :with_image, -> { where "#{table_name}.image_id IS NOT NULL" }
       scope :without_image, -> { where "#{table_name}.image_id IS NULL" }
-      attr_accessible :image_builder
       include ActsAsHavingImage
     end
   end
@@ -2,11 +2,7 @@ class AnalyticsPlugin::PageView &lt; ActiveRecord::Base
  
   serialize :data
  
-  attr_accessible *self.column_names
-  attr_accessible :user, :profile
-
   attr_accessor :request
-  attr_accessible :request
  
   acts_as_having_settings field: :options
  
 class AnalyticsPlugin::Visit < ActiveRecord::Base
  
-  attr_accessible *self.column_names
-  attr_accessible :profile
-
   belongs_to :profile
   has_many :page_views, class_name: 'AnalyticsPlugin::PageView', dependent: :destroy
  
@@ -4,8 +4,6 @@ class BreadcrumbsPlugin::ContentBreadcrumbsBlock &lt; Block
   settings_items :show_profile, :type => :boolean, :default => true
   settings_items :show_section_name, :type => :boolean, :default => true
  
-  attr_accessible :show_cms_action, :show_profile, :show_section_name
-
   def self.description
     _("<p>Display a breadcrumb of the current content navigation.</p><p>You could choose if the breadcrumb is going to appear in the cms editing or not.</p> <p>There is either the option of display the profile location in the breadcrumb path.</p>")
   end
@@ -5,8 +5,6 @@ class CommentClassificationPlugin::CommentLabelUser &lt; ActiveRecord::Base
   belongs_to :comment
   belongs_to :label, :class_name => 'CommentClassificationPlugin::Label'
  
-  attr_accessible :profile, :comment, :label
-
   validates_presence_of :profile
   validates_presence_of :comment
   validates_presence_of :label
@@ -5,8 +5,6 @@ class CommentClassificationPlugin::CommentStatusUser &lt; ActiveRecord::Base
   belongs_to :comment
   belongs_to :status, :class_name => 'CommentClassificationPlugin::Status'
  
-  attr_accessible :name, :enabled, :profile, :comment, :status_id, :reason
-
   validates_presence_of :profile
   validates_presence_of :comment
   validates_presence_of :status
@@ -6,8 +6,6 @@ class CommentClassificationPlugin::Label &lt; ActiveRecord::Base
  
   scope :enabled, -> { where enabled: true }
  
-  attr_accessible :name, :enabled, :color
-
   COLORS = ['red', 'green', 'yellow', 'gray', 'blue']
  
 end
@@ -2,8 +2,6 @@ class CommentClassificationPlugin::Status &lt; ActiveRecord::Base
  
   belongs_to :owner, :polymorphic => true
  
-  attr_accessible :name, :enabled
-
   validates_presence_of :name
  
   scope :enabled, -> { where enabled: true }
@@ -6,6 +6,4 @@ class Comment
  
   scope :in_group, -> group_id { where 'group_id = ?', group_id }
  
-  attr_accessible :group_id
-
 end
@@ -11,8 +11,6 @@ class Comment
     where 'paragraph_uuid = ?', paragraph_uuid
   }
  
-  attr_accessible :paragraph_uuid, :comment_paragraph_selected_area, :id, :comment_paragraph_selected_content
-
   before_validation do |comment|
     comment.comment_paragraph_selected_area = nil if comment.comment_paragraph_selected_area.blank?
     comment.comment_paragraph_selected_content = nil if comment_paragraph_selected_content.blank?
@@ -3,8 +3,6 @@ class CommunityTrackPlugin::Step &lt; Folder
   settings_items :hidden, :type => :boolean, :default => false
   settings_items :tool_type, :type => String
  
-  attr_accessible :start_date, :end_date, :tool_type, :hidden
-
   alias :tools :children
  
   acts_as_list scope: -> step { where parent_id: step.parent_id }
@@ -5,8 +5,6 @@ class CommunityTrackPlugin::Track &lt; Folder
  
   validate :validate_categories
  
-  attr_accessible :goals, :expected_results
-
   def comments_count
     @comments_count = sum_children_comments self unless @comments_count
     @comments_count
@@ -7,8 +7,6 @@ class ContextContentPlugin::ContextContentBlock &lt; Block
   settings_items :types, :type => Array, :default => ['UploadedFile']
   settings_items :limit, :type => :integer, :default => 6
  
-  attr_accessible :show_image, :show_name, :use_parent_title, :show_parent_content, :types
-
   alias :profile :owner
  
   include Noosfero::Plugin::HotSpot
@@ -5,6 +5,5 @@ class CustomFormsPlugin::Alternative &lt; ActiveRecord::Base
  
   belongs_to :field, :class_name => 'CustomFormsPlugin::Field'
  
-  attr_accessible :label, :field, :position, :selected_by_default
 end
  
@@ -6,8 +6,6 @@ class CustomFormsPlugin::Answer &lt; ActiveRecord::Base
   validates_presence_of :field
   validate :value_mandatory, :if => 'field.present?'
  
-  attr_accessible :field, :value, :submission
-
   def value_mandatory
     if field.mandatory && value.blank?
       errors.add(:value, _("is mandatory.").fix_i18n)
@@ -4,8 +4,6 @@ class CustomFormsPlugin::Field &lt; ActiveRecord::Base
   validates_presence_of :name
   validates_length_of :default_value, :maximum => 255
  
-  attr_accessible :name, :form, :mandatory, :type, :position, :default_value, :show_as, :alternatives_attributes
-
   belongs_to :form, :class_name => 'CustomFormsPlugin::Form'
   has_many :answers, :class_name => 'CustomFormsPlugin::Answer', :dependent => :destroy
  
@@ -14,8 +14,6 @@ class CustomFormsPlugin::Form &lt; ActiveRecord::Base
   validate :period_range, :if => Proc.new { |f| f.begining.present? && f.ending.present? }
   validate :access_format
  
-  attr_accessible :name, :profile, :for_admission, :access, :begining, :ending, :description, :fields_attributes, :profile_id, :on_membership
-
   before_validation do |form|
     form.slug = form.name.to_slug if form.name.present?
     form.access = nil if form.access.blank?
@@ -6,8 +6,6 @@ class CustomFormsPlugin::Submission &lt; ActiveRecord::Base
   # validation is done manually, see below
   has_many :answers, :class_name => 'CustomFormsPlugin::Answer', :dependent => :destroy, :validate => false
  
-  attr_accessible :form, :profile, :author_name, :author_email
-
   validates_presence_of :form
   validates_presence_of :author_name, :author_email, :if => lambda {|submission| submission.profile.nil?}
   validates_uniqueness_of :author_email, :scope => :form_id, :allow_nil => true
@@ -7,9 +7,6 @@ class DeliveryPlugin::Method &lt; ActiveRecord::Base
     address address_line2 address_reference district city state country_name zip_code
   ].map(&:to_sym)
  
-  attr_accessible :profile, :delivery_type, :name, :description,
-    :fixed_cost, :free_over_price, :distribution_margin_percentage, :distribution_margin_fixed
-
   belongs_to :profile
  
   has_many :delivery_options, class_name: 'DeliveryPlugin::Option', foreign_key: :delivery_method_id, dependent: :destroy
@@ -6,6 +6,4 @@ class DeliveryPlugin::Option &lt; ActiveRecord::Base
   validates_presence_of :delivery_method
   validates_presence_of :owner
  
-  attr_accessible :owner_id, :owner_type, :delivery_methods, :delivery_method
-
 end
@@ -29,8 +29,6 @@ class DisplayContentBlock &lt; Block
   settings_items :content_with_translations, :type => :boolean, :default => :true
   settings_items :limit_to_show, :type => :integer, :default => 6
  
-  attr_accessible :sections, :checked_nodes, :display_folder_children, :types, :order_by_recent, :limit_to_show, :content_with_translations
-
   def self.description
     _('Display your contents')
   end
 class DrivenSignupPlugin::Auth < ActiveRecord::Base
  
-  attr_accessible :name, :token
-
   belongs_to :environment
  
   validates_presence_of :environment
@@ -4,7 +4,5 @@ class EnvironmentNotificationsUser &lt; ActiveRecord::Base
   belongs_to :user
   belongs_to :environment_notification, class_name: 'EnvironmentNotificationPlugin::EnvironmentNotification'
  
-  attr_accessible :user_id, :environment_notification_id
-
   validates_uniqueness_of :user_id, :scope => :environment_notification_id
 end
@@ -9,8 +9,6 @@ class EnvironmentNotificationPlugin::EnvironmentNotification &lt; ActiveRecord::Bas
     "EnvironmentNotificationPlugin::DangerNotification"
   ]
  
-  attr_accessible :message, :environment_id, :active, :type, :display_only_in_homepage, :display_to_all_users, :display_popup, :title
-
   has_many :environment_notifications_users
   has_many :users, :through => :environment_notifications_users
  
 class EventPlugin::EventBlock < Block
   include DatesHelper
  
-  attr_accessible :all_env_events, :limit, :future_only, :date_distance_limit
-
   settings_items :all_env_events, :type => :boolean, :default => false
   settings_items :limit, :type => :integer, :default => 4
   settings_items :future_only, :type => :boolean, :default => true
@@ -2,13 +2,6 @@ require_dependency &#39;profile&#39;
 # hate to wrte this, but without Noosfero::Plugin::Settings is loaded instead
 require 'fb_app_plugin/settings'
  
-# attr_accessible must be defined on subclasses
-Profile.descendants.each do |subclass|
-  subclass.class_eval do
-    attr_accessible :fb_app_settings
-  end
-end
-
 class Profile
  
   def fb_app_settings attrs = {}
@@ -9,8 +9,6 @@ class FbAppPlugin::Auth &lt; OauthClientPlugin::Auth
   settings_items :signed_request
   settings_items :fb_user
  
-  attr_accessible :provider_user_id, :signed_request
-
   before_create :update_user
   before_create :exchange_token
   after_create :schedule_exchange_token
@@ -3,10 +3,6 @@ class FbAppPlugin::PageTab &lt; ActiveRecord::Base
   # FIXME: rename table to match model
   self.table_name = :fb_app_plugin_page_tab_configs
  
-  attr_accessible :owner_profile, :profile_id, :page_id,
-    :config_type, :profile_ids, :query,
-    :title, :subtitle
-
   belongs_to :owner_profile, foreign_key: :profile_id, class_name: 'Profile'
  
   acts_as_having_settings field: :config
 class GalleryBlock < Block
  
-  attr_accessible :gallery_id, :groups_of, :speed, :interval
-
   settings_items :gallery_id, :type => :integer
   settings_items :groups_of, :type => :integer, :default => 3
   settings_items :speed, :type => :integer, :default => 1000
 require_dependency 'profile'
  
 class Profile
+
   settings_items :google_analytics_profile_id
-  attr_accessible :google_analytics_profile_id
  
-  descendants.each do |descendant|
-    descendant.attr_accessible :google_analytics_profile_id
-  end
 end
@@ -2,7 +2,6 @@ class AcademicInfo &lt; ActiveRecord::Base
  
   belongs_to :person
  
-  attr_accessible :lattes_url
   validate :lattes_url_validate?
  
   def lattes_url_validate?
@@ -2,8 +2,6 @@ require_dependency &#39;person&#39;
  
 class Person
  
-  attr_accessible :lattes_url, :academic_info_attributes
-
   has_one :academic_info
  
   after_destroy do |person|
@@ -6,8 +6,6 @@ class Environment
  
   validates_presence_of :ldap_plugin_host, :if => lambda {|env| !env.ldap_plugin.blank? }
  
-  attr_accessible :ldap_plugin_host, :ldap_plugin_port, :ldap_plugin_tls, :ldap_plugin_onthefly_register, :ldap_plugin_account, :ldap_plugin_account_password, :ldap_plugin_filter, :ldap_plugin_base_dn, :ldap_plugin_attr_mail, :ldap_plugin_attr_login, :ldap_plugin_attr_fullname, :ldap_plugin_allow_password_recovery
-
   def ldap_plugin_attributes
     self.ldap_plugin || {}
   end
@@ -9,8 +9,6 @@ class NewsletterPlugin::Newsletter &lt; ActiveRecord::Base
   validates_numericality_of :periodicity, only_integer: true, greater_than: -1, message: _('must be a positive number')
   validates_numericality_of :posts_per_blog, only_integer: true, greater_than: -1, message: _('must be a positive number')
  
-  attr_accessible :environment, :enabled, :periodicity, :subject, :posts_per_blog, :footer, :blog_ids, :additional_recipients, :person, :person_id, :moderated
-
   scope :enabled, -> { where enabled: true }
  
   # These methods are used by NewsletterMailing
 class NewsletterPlugin::NewsletterMailing < EnvironmentMailing
  
-  attr_accessible :source, :person, :locale
-
   validates_presence_of :person
  
   def url
 class OauthClientPlugin::Auth < ActiveRecord::Base
  
-  attr_accessible :profile, :provider, :enabled,
-    :access_token, :expires_in
-
   belongs_to :profile, class_name: 'Profile'
   belongs_to :provider, class_name: 'OauthClientPlugin::Provider'
  
@@ -10,10 +10,6 @@ class OauthClientPlugin::Provider &lt; ActiveRecord::Base
   settings_items :site, type: String
   settings_items :client_options, type: Hash
  
-  attr_accessible :name, :strategy, :enabled, :site, :image_builder,
-    :environment, :environment_id, :options,
-    :client_id, :client_secret, :client_options
-
   scope :enabled, -> { where enabled: true }
  
   acts_as_having_image
@@ -2,11 +2,8 @@ require_dependency &#39;profile&#39;
 # hate to wrte this, but without Noosfero::Plugin::Settings is loaded instead
 require 'open_graph_plugin/settings'
  
-# attr_accessible must be defined on subclasses
 Profile.descendants.each do |subclass|
   subclass.class_eval do
-    attr_accessible :open_graph_settings
-
     has_many :open_graph_tracks, class_name: 'OpenGraphPlugin::Track', source: :tracker_id, foreign_key: :tracker_id
  
     has_many :open_graph_activities, class_name: 'OpenGraphPlugin::Activity', source: :tracker_id, foreign_key: :tracker_id
@@ -21,9 +18,6 @@ Profile.descendants.each do |subclass|
       association = klass.association
       has_many association, class_name: klass.name, foreign_key: :tracker_id
       accepts_nested_attributes_for association, allow_destroy: true, reject_if: :open_graph_reject_empty_object_type
-
-      attr_accessible attributes
-      attr_accessible profile_ids
     end
   end
 end
@@ -3,10 +3,6 @@ class OpenGraphPlugin::Track &lt; ActiveRecord::Base
   class_attribute :context
   self.context = :open_graph
  
-  attr_accessible :type, :context, :tracker_id, :tracker, :actor_id, :action,
-    :object_type, :object_data_id, :object_data_type, :object_data_url,
-    :story, :object_data, :actor
-
   belongs_to :tracker, class_name: 'Profile'
   belongs_to :actor, class_name: 'Profile'
   belongs_to :object_data, polymorphic: true
@@ -15,7 +15,6 @@ module OrdersPlugin
         options[:dummy] = true if options[:dummy].nil?
  
         range_attr = self.date_range_attr_for start_field, end_field
-        attr_accessible range_attr
  
         define_method range_attr do
           return if options[:dummy]
 class OrdersPlugin::Item < ActiveRecord::Base
  
-  attr_accessible :order, :sale, :purchase,
-    :product, :product_id,
-    :price, :name
-
   # flag used by items to compare them with products
   attr_accessor :product_diff
  
@@ -28,9 +24,6 @@ class OrdersPlugin::Item &lt; ActiveRecord::Base
   StatusDataMap.each do |status, data|
     quantity = "quantity_#{data}".to_sym
     price = "price_#{data}".to_sym
-
-    attr_accessible quantity
-    attr_accessible price
   end
  
   serialize :data
@@ -40,9 +40,6 @@ class OrdersPlugin::Order &lt; ActiveRecord::Base
     supplier: StatusAccessMap.map{ |s, a| s if a == :supplier }.compact,
   }
  
-  attr_accessible :status, :consumer, :profile,
-    :supplier_delivery_id, :consumer_delivery_id, :supplier_delivery_data, :consumer_delivery_data
-
   belongs_to :profile
   # may be override by subclasses
   belongs_to :supplier, foreign_key: :profile_id, class_name: 'Profile'
 class OrdersCyclePlugin::Cycle < ActiveRecord::Base
  
-  attr_accessible :profile, :status, :name, :description, :opening_message
-
-  attr_accessible :start, :finish, :delivery_start, :delivery_finish
-  attr_accessible :start_date, :start_time, :finish_date, :finish_time, :delivery_start_date, :delivery_start_time, :delivery_finish_date, :delivery_finish_time,
-
   Statuses = %w[edition orders purchases receipts separation delivery closing]
   DbStatuses = %w[new] + Statuses
   UserStatuses = Statuses
@@ -72,7 +67,6 @@ class OrdersCyclePlugin::Cycle &lt; ActiveRecord::Base
  
   has_many :volunteers_periods, class_name: 'VolunteersPlugin::Period', as: :owner
   has_many :volunteers, through: :volunteers_periods, source: :profile
-  attr_accessible :volunteers_periods_attributes
   accepts_nested_attributes_for :volunteers_periods, allow_destroy: true
  
   scope :has_volunteers_periods, -> { distinct.joins :volunteers_periods }
@@ -4,8 +4,6 @@ module OrdersCyclePlugin::OrderBase
   extend ActiveSupport::Concern
   included do
  
-    attr_accessible :cycle
-
     has_many :cycle_sales, class_name: 'OrdersCyclePlugin::CycleOrder', foreign_key: :sale_id, dependent: :destroy
     has_one  :cycle_sale,  class_name: 'OrdersCyclePlugin::CycleOrder', foreign_key: :sale_id
     has_many :cycle_purchases, class_name: 'OrdersCyclePlugin::CycleOrder', foreign_key: :purchase_id, dependent: :destroy
@@ -6,9 +6,6 @@ class CreateOrganizationRatingComment &lt; Task
   settings_items :organization_rating_id, :type => Integer, :default => nil
   settings_items :organization_rating_comment_id, :type => Integer, :default => nil
  
-  attr_accessible :organization_rating_id, :body, :requestor
-  attr_accessible :reject_explanation, :target
-
   DATA_FIELDS = ['body']
   DATA_FIELDS.each do |field|
     settings_items field.to_sym
@@ -3,8 +3,6 @@ class OrganizationRating &lt; ActiveRecord::Base
   belongs_to :organization
   belongs_to :comment
  
-  attr_accessible :value, :person, :organization, :comment
-
   validates :value,
             :presence => true, :inclusion => {
               in: 1..5, message: _("must be between 1 and 5")
@@ -2,9 +2,6 @@ class OrganizationRatingsConfig &lt; ActiveRecord::Base
  
   belongs_to :environment
  
-  attr_accessible :cooldown, :default_rating, :order, :per_page
-  attr_accessible :vote_once, :are_moderated, :environment_id
-
   ORDER_OPTIONS = {recent: _('More Recent'), best: _('Best Ratings')}
  
   MINIMUM_RATING = 1
 class MembersBlock < PeopleBlockBase
+
   settings_items :show_join_leave_button, :type => :boolean, :default => false
   settings_items :visible_role, :type => :string, :default => nil
-  attr_accessible :show_join_leave_button, :visible_role
  
   def self.description
     c_('Members')
@@ -3,7 +3,6 @@ class PeopleBlockBase &lt; Block
   settings_items :limit, :type => :integer, :default => 6
   settings_items :name, :type => String, :default => ""
   settings_items :address, :type => String, :default => ""
-  attr_accessible :name, :address, :prioritize_profiles_with_image
  
   def self.description
     _('Random people')
@@ -4,5 +4,4 @@ class Environment
   settings_items :piwik_domain
   settings_items :piwik_path, :default => 'piwik'
   settings_items :piwik_site_id
-  attr_accessible :piwik_domain, :piwik_site_id, :piwik_path
 end
@@ -5,8 +5,6 @@ class ProfileMembersHeadlinesBlock &lt; Block
   settings_items :navigation, :type => 'boolean', :default => true
   settings_items :filtered_roles, :type => Array, :default => []
  
-  attr_accessible :interval, :limit, :navigation, :filtered_roles
-
   def self.description
     _('Display headlines from members of a community')
   end
@@ -5,8 +5,6 @@ class RecentContentBlock &lt; Block
   settings_items :show_blog_picture, :type => :boolean, :default => false
   settings_items :selected_folder, :type => Integer
  
-  attr_accessible :presentation_mode, :total_items, :show_blog_picture, :selected_folder
-
   VALID_CONTENT = ['RawHTMLArticle', 'TextArticle', 'TextileArticle', 'TinyMceArticle']
  
   def self.description
@@ -18,8 +18,6 @@ class RelevantContentPlugin::RelevantContentBlock &lt; Block
   settings_items :show_most_disliked,   :type => :boolean, :default => 0
   settings_items :show_most_voted,      :type => :boolean, :default => 1
  
-  attr_accessible :limit, :show_most_voted, :show_most_disliked, :show_most_liked, :show_most_commented, :show_most_read
-
   include ActionView::Helpers
   include Rails.application.routes.url_helpers
  
 require_dependency 'profile'
  
 class Profile
+
   settings_items :allow_unauthenticated_comments, :type => :boolean
-  attr_accessible :allow_unauthenticated_comments
  
-  descendants.each do |descendant|
-    descendant.attr_accessible :allow_unauthenticated_comments
-  end
 end
@@ -1,4 +0,0 @@
-Environment.class_eval do
-  attr_accessible :send_email_plugin_allow_to
-end
-
@@ -4,8 +4,6 @@ class SiteTourPlugin::TourBlock &lt; Block
   settings_items :group_triggers, :type => Array, :default => []
   settings_items :display_button, :type => :boolean, :default => true
  
-  attr_accessible :actions, :display_button, :group_triggers
-
   before_save do |block|
     block.actions.reject! {|i| i[:group_name].blank? && i[:selector].blank? && i[:description].blank?}
     block.group_triggers.reject! {|i| i[:group_name].blank? && i[:selector].blank?}
@@ -6,8 +6,6 @@ class SpaminatorPlugin::Report &lt; ActiveRecord::Base
  
   validates_presence_of :environment
  
-  attr_accessible :environment
-
   scope :from_environment, -> environment { where :environment_id => environment }
  
   after_initialize do |report|
@@ -29,10 +29,9 @@ class SpaminatorPlugin::Spaminator
   def initialize(environment)
     @environment = environment
     @settings = Noosfero::Plugin::Settings.new(@environment, SpaminatorPlugin)
-    @report = SpaminatorPlugin::Report.new({:environment => environment,
-                                           :total_people => Person.count,
-                                           :total_comments => Comment.count},
-                                           :without_protection => true)
+    @report = SpaminatorPlugin::Report.new environment: environment,
+      total_people: Person.count, total_comments: Comment.count
+
     self.class.initialize_logger(environment)
   end
  
@@ -10,8 +10,6 @@ class StatisticsBlock &lt; Block
   settings_items :hit_counter, :default => false
   settings_items :templates_ids_counter, type: Hash, default: {}
  
-  attr_accessible :comment_counter, :community_counter, :user_counter, :enterprise_counter, :product_counter, :category_counter, :tag_counter, :hit_counter, :templates_ids_counter
-
   USER_COUNTERS = [:community_counter, :user_counter, :enterprise_counter, :tag_counter, :comment_counter, :hit_counter]
   COMMUNITY_COUNTERS = [:user_counter, :tag_counter, :comment_counter, :hit_counter]
   ENTERPRISE_COUNTERS = [:user_counter, :tag_counter, :comment_counter, :hit_counter]
 require_dependency 'person'
  
 class Person
-  attr_accessible :usp_id, :invitation_code
  
   SEARCHABLE_FIELDS[:usp_id] = {:label => _('USP Number'), :weight => 5}
  
@@ -23,4 +22,5 @@ class Person
     Task.pending.where(code: invitation_code.to_s).first or
       Task.finished.where(code: invitation_code.to_s, target_id: id).first
   end
+
 end
@@ -21,7 +21,7 @@ class AccountControllerTest &lt; ActionController::TestCase
     @controller = AccountController.new
     @request    = ActionController::TestRequest.new
     @response   = ActionController::TestResponse.new
-    StoaPlugin::UspUser.create!({:codpes => 12345678, :cpf => Digest::MD5.hexdigest(SALT+'12345678'), :birth_date => '1970-01-30'}, :without_protection => true)
+    StoaPlugin::UspUser.create! codpes: 12345678, cpf: Digest::MD5.hexdigest(SALT+'12345678'), birth_date: '1970-01-30'
     Environment.default.enable_plugin(StoaPlugin.name)
     @user = create_user('joao-stoa', {:password => 'pass', :password_confirmation => 'pass'},:usp_id=>'87654321')
     @user.activate
@@ -16,7 +16,7 @@ class StoaPlugin::UspUserTest &lt; ActiveSupport::TestCase
   ActiveRecord::Base.establish_connection(:test)
  
   def setup
-    StoaPlugin::UspUser.create({:codpes => 123456, :cpf => Digest::MD5.hexdigest(SALT+'12345678'), :birth_date => '1970-01-30'}, :without_protection => true)
+    StoaPlugin::UspUser.create codpes: 123456, cpf: Digest::MD5.hexdigest(SALT+'12345678'), birth_date: '1970-01-30'
   end
  
   should 'check existence of usp_id' do
@@ -2,8 +2,6 @@ require_dependency &#39;organization&#39;
 class Organization
   settings_items :sub_organizations_plugin_parent_to_be
  
-  attr_accessible :sub_organizations_plugin_parent_to_be
-
   after_create do |organization|
     if organization.sub_organizations_plugin_parent_to_be.present?
       parent = Organization.find(organization.sub_organizations_plugin_parent_to_be)
@@ -2,8 +2,6 @@ class RelatedOrganizationsBlock &lt; ProfileListBlock
  
   settings_items :organization_type, :type => :string, :default => 'both'
  
-  attr_accessible :organization_type
-
   def self.description
     _("Related Organizations")
   end
@@ -6,8 +6,6 @@ class SubOrganizationsPlugin::ApprovePaternityRelation &lt; ActiveRecord::Base
  
   validates_presence_of :task, :parent, :child
  
-  attr_accessible :task, :parent, :child
-
   class << self
     def parent_approval(task)
       find_by_task_id(task.id).parent
@@ -8,8 +8,6 @@ class SubOrganizationsPlugin::Relation &lt; ActiveRecord::Base
   validate :no_cyclical_reference, :if => 'parent.present? && child.present?'
   validate :no_multi_level, :if => 'parent.present? && child.present?'
  
-  attr_accessible :parent, :child
-
   def no_self_reference
     errors.add(:child, c_('self-reference is not allowed.')) if parent == child
   end
@@ -1,8 +0,0 @@
-require_dependency 'price_detail'
-
-class PriceDetail
-
-  # should be on core, used by SuppliersPlugin::Import
-  attr_accessible :production_cost
-
-end
@@ -28,18 +28,12 @@ class Product
     ProductCategory.find products.collect(&:product_category_id).compact.select{ |id| not id.zero? }
   end
  
-  attr_accessible :external_id
   settings_items :external_id, type: String, default: nil
  
-  # should be on core, used by SuppliersPlugin::Import
-  attr_accessible :price_details
-
 end
  
 class Product
  
-  attr_accessible :from_products, :from_product, :supplier_id, :supplier
-
   has_many :sources_from_products, foreign_key: :to_product_id, class_name: 'SuppliersPlugin::SourceProduct', dependent: :destroy
   has_one  :sources_from_product,  foreign_key: :to_product_id, class_name: 'SuppliersPlugin::SourceProduct'
   has_many :sources_to_products, foreign_key: :from_product_id, class_name: 'SuppliersPlugin::SourceProduct', dependent: :destroy
@@ -2,9 +2,6 @@
 # cycle.products will go to an infinite loop
 class SuppliersPlugin::BaseProduct < Product
  
-  attr_accessible :default_margin_percentage, :margin_percentage, :default_unit, :unit_detail,
-    :supplier_product_attributes
-
   accepts_nested_attributes_for :supplier_product
  
   default_scope -> {
 class SuppliersPlugin::DistributedProduct < SuppliersPlugin::BaseProduct
  
-  attr_accessible :from_products
-
-  # missed from lib/ext/product.rb because of STI
-  attr_accessible :external_id, :price_details
-
   validates_presence_of :supplier
  
   def supplier_price
 class SuppliersPlugin::SourceProduct < ActiveRecord::Base
  
-  attr_accessible :from_product, :to_product, :quantity
-
   default_scope -> { includes :from_product, :to_product }
  
   belongs_to :from_product, class_name: 'Product'
@@ -2,8 +2,6 @@ class SuppliersPlugin::Supplier &lt; ActiveRecord::Base
  
   attr_accessor :distribute_products_on_create, :dont_destroy_dummy, :identifier_from_name
  
-  attr_accessible :profile_id, :profile, :consumer, :consumer_id, :name, :name_abbreviation, :description
-
   belongs_to :profile
   belongs_to :consumer, class_name: 'Profile'
   alias_method :supplier, :profile
 class ToleranceTimePlugin::Publication < ActiveRecord::Base
  
   belongs_to :target, :polymorphic => true
+
   validates_presence_of :target_id, :target_type
   validates_uniqueness_of :target_id, :scope => :target_type
-  attr_accessible :target
  
   class << self
     def find_by_target(target)
 class ToleranceTimePlugin::Tolerance < ActiveRecord::Base
  
   belongs_to :profile
+
   validates_presence_of :profile_id
   validates_uniqueness_of :profile_id
   validates_numericality_of :content_tolerance, :only_integer => true, :allow_nil => true
   validates_numericality_of :comment_tolerance, :only_integer => true, :allow_nil => true
-  attr_accessible :profile, :content_tolerance, :comment_tolerance
  
 end
 class VideoPlugin::VideoBlock < Block
  
-  attr_accessible :url, :width, :height
-
   settings_items :url, :type => :string, :default => ""
   settings_items :width, :type => :integer, :default => 400
   settings_items :height, :type => :integer, :default => 315
 require_dependency 'profile'
  
-# attr_accessible must be defined on subclasses
-Profile.descendants.each do |subclass|
-  subclass.class_eval do
-    attr_accessible :volunteers_settings
-  end
-end
-
 class Profile
  
   def volunteers_settings attrs = {}
 class VolunteersPlugin::Assignment < ActiveRecord::Base
  
-  attr_accessible :profile_id
-
   belongs_to :profile
   belongs_to :period, class_name: 'VolunteersPlugin::Period'
  
 class VolunteersPlugin::Period < ActiveRecord::Base
  
-  attr_accessible :name
-  attr_accessible :start, :end
-  attr_accessible :owner_type
-  attr_accessible :minimum_assigments
-  attr_accessible :maximum_assigments
-
   belongs_to :owner, polymorphic: true
  
   has_many :assignments, class_name: 'VolunteersPlugin::Assignment', foreign_key: :period_id, include: [:profile], dependent: :destroy
@@ -4,10 +4,6 @@ class WorkAssignmentPlugin::WorkAssignment &lt; Folder
   settings_items :default_email, :type => :string, :default => ""
   settings_items :allow_visibility_edition, :type => :boolean, :default => false
  
-  attr_accessible :publish_submissions
-  attr_accessible :default_email
-  attr_accessible :allow_visibility_edition
-
   def self.icon_name(article = nil)
     'work-assignment'
   end
@@ -39,16 +35,13 @@ class WorkAssignmentPlugin::WorkAssignment &lt; Folder
   end
  
   def find_or_create_author_folder(author)
-    children.find_by(slug: author.name.to_slug) || Folder.create!(
-                                                                {
-                                                                  :name => author.name,
-                                                                  :parent => self,
-                                                                  :profile => profile,
-                                                                  :author => author,
-                                                                  :published => publish_submissions,
-                                                                },
-                                                                :without_protection => true
-                                                  )
+    children.find_by_slug(author.name.to_slug) || Folder.create!(
+      name:      author.name,
+      parent:    self,
+      profile:   profile,
+      author:    author,
+      published: publish_submissions,
+    )
   end
  
   def submissions
@@ -22,16 +22,7 @@ class WorkAssignmentPluginMyprofileControllerTest &lt; ActionController::TestCase
     work_assignment.save!
     assert_equal false, work_assignment.allow_visibility_edition
     parent = work_assignment.find_or_create_author_folder(@person)
-    UploadedFile.create(
-            {
-              :uploaded_data => fixture_file_upload('/files/test.txt', 'text/plain'),
-              :profile => @organization,
-              :parent => parent,
-              :last_changed_by => @person,
-              :author => @person,
-            },
-            :without_protection => true
-          )
+    create_uploaded_file
     submission = UploadedFile.find_by filename: 'test.txt'
     assert_equal false, submission.published
     assert_equal false, submission.parent.published
@@ -67,16 +58,7 @@ class WorkAssignmentPluginMyprofileControllerTest &lt; ActionController::TestCase
     assert_equal true, work_assignment.allow_visibility_edition
     work_assignment.save!
     parent = work_assignment.find_or_create_author_folder(@person)
-    UploadedFile.create(
-            {
-              :uploaded_data => fixture_file_upload('/files/test.txt', 'text/plain'),
-              :profile => @organization,
-              :parent => parent,
-              :last_changed_by => @person,
-              :author => @person,
-            },
-            :without_protection => true
-          )
+    create_uploaded_file
     logout
     submission = UploadedFile.find_by filename: 'test.txt'
     assert_equal false, submission.parent.published
@@ -95,19 +77,9 @@ class WorkAssignmentPluginMyprofileControllerTest &lt; ActionController::TestCase
     @organization.add_member(@person) # current_user is a member
     work_assignment = create_work_assignment('Another Work Assignment', @organization, nil, true)
     parent = work_assignment.find_or_create_author_folder(@person)
-    UploadedFile.create(
-            {
-              :uploaded_data => fixture_file_upload('/files/test.txt', 'text/plain'),
-              :profile => @organization,
-              :parent => parent,
-              :last_changed_by => @person,
-              :author => @person,
-            },
-            :without_protection => true
-          )
+    create_uploaded_file
     logout
  
-
     other_person = create_user('other_user').person
     @organization.add_member(other_person)
     login_as :other_user
@@ -133,16 +105,7 @@ class WorkAssignmentPluginMyprofileControllerTest &lt; ActionController::TestCase
     @organization.add_member(other_person)
     work_assignment = create_work_assignment('Another Work Assignment', @organization, false,  true)
     parent = work_assignment.find_or_create_author_folder(@person)
-    UploadedFile.create(
-            {
-              :uploaded_data => fixture_file_upload('/files/test.txt', 'text/plain'),
-              :profile => @organization,
-              :parent => parent,
-              :last_changed_by => @person,
-              :author => @person,
-            },
-            :without_protection => true
-          )
+    create_uploaded_file
     submission = UploadedFile.find_by filename: 'test.txt'
     assert_equal false, submission.article_privacy_exceptions.include?(other_person)
     post :edit_visibility, :profile => @organization.identifier, :article_id  => parent.id, :article => { :published => false }, :q => other_person.id
@@ -155,16 +118,7 @@ class WorkAssignmentPluginMyprofileControllerTest &lt; ActionController::TestCase
     @organization.add_member(@person) # current_user is a member
     work_assignment = create_work_assignment('Work Assignment', @organization, nil, true)
     parent = work_assignment.find_or_create_author_folder(@person)
-    UploadedFile.create(
-            {
-              :uploaded_data => fixture_file_upload('/files/test.txt', 'text/plain'),
-              :profile => @organization,
-              :parent => parent,
-              :last_changed_by => @person,
-              :author => @person,
-            },
-            :without_protection => true
-          )
+    create_uploaded_file
     @organization.remove_member(@person)
     submission = UploadedFile.find_by filename: 'test.txt'
  
@@ -182,7 +136,18 @@ class WorkAssignmentPluginMyprofileControllerTest &lt; ActionController::TestCase
   end
  
   private
-    def create_work_assignment(name = nil, profile = nil, publish_submissions = nil, allow_visibility_edition = nil)
-      @work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => name, :profile => profile, :publish_submissions => publish_submissions, :allow_visibility_edition => allow_visibility_edition)
-    end
+
+  def create_work_assignment(name = nil, profile = nil, publish_submissions = nil, allow_visibility_edition = nil)
+    @work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => name, :profile => profile, :publish_submissions => publish_submissions, :allow_visibility_edition => allow_visibility_edition)
+  end
+
+  def create_uploaded_file
+    UploadedFile.create(
+      uploaded_data:   fixture_file_upload('/files/test.txt', 'text/plain'),
+      profile:         @organization,
+      parent:          parent,
+      last_changed_by: @person,
+      author:          @person,
+    )
+  end
 end
 require 'test_helper'
  
 class WorkAssignmentPluginTest < ActiveSupport::TestCase
+
   should 'verify if a content is a work_assignment submission' do
     organization = fast_create(Organization)
     folder = fast_create(Folder)
     person = fast_create(Person)
-    content = UploadedFile.create(
-            {
-              :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'),
-              :profile => organization,
-              :parent => folder,
-              :last_changed_by => person,
-              :author => person,
-            },
-            :without_protection => true
-          )
+
+    create_uploaded_file organization, folder, person
     refute WorkAssignmentPlugin.is_submission?(content)
  
     work_assignment = WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => organization)
@@ -64,15 +57,16 @@ class WorkAssignmentPluginTest &lt; ActiveSupport::TestCase
     organization.add_member(author)
     work_assignment ||= WorkAssignmentPlugin::WorkAssignment.create!(:name => 'Work Assignment', :profile => organization)
     author_folder = work_assignment.find_or_create_author_folder(author)
-    content = UploadedFile.create(
-            {
-              :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'),
-              :profile => organization,
-              :parent => author_folder,
-              :last_changed_by => author,
-              :author => author,
-            },
-            :without_protection => true
-          )
+    create_uploaded_file organization, author_folder, author
+  end
+
+  def create_uploaded_file organization, parent, author
+    UploadedFile.create(
+      uploaded_data:   fixture_file_upload('/files/rails.png', 'image/png'),
+      profile:         organization,
+      parent:          parent,
+      last_changed_by: author,
+      author:          author,
+    )
   end
 end
@@ -143,7 +143,7 @@ class ContentViewerControllerTest &lt; ActionController::TestCase
  
   should 'not display forbidden articles' do
     profile.articles.create!(:name => 'test')
-    profile.update!({:public_content => false}, :without_protection => true)
+    profile.update! public_content: false
  
     Article.any_instance.expects(:display_to?).with(anything).returns(false)
     get :view_page, :profile => profile.identifier, :page => [ 'test' ]
@@ -152,7 +152,7 @@ class ContentViewerControllerTest &lt; ActionController::TestCase
  
   should 'display allowed articles' do
     profile.articles.create!(:name => 'test')
-    profile.update!({:public_content => false}, :without_protection => true)
+    profile.update! public_content: false
  
     Article.any_instance.expects(:display_to?).with(anything).returns(true)
     get :view_page, :profile => profile.identifier, :page => [ 'test' ]
@@ -40,7 +40,8 @@ class ProfileRolesControllerTest &lt; ActionController::TestCase
     community = fast_create(Community)
     admin = create_user_with_permission('admin_user', 'manage_custom_roles', community)
     login_as :admin_user
-    role = Role.create!({:name => 'delete_article', :key => 'profile_delete_article', :profile_id => community.id, :environment => Environment.default}, :without_protection => true)
+    role = Role.create! name: 'delete_article', key: 'profile_delete_article',
+      profile_id: community.id, environment: Environment.default
     post :remove , :profile => community.identifier, :id => role.id
  
     assert_response :redirect
@@ -53,7 +54,8 @@ class ProfileRolesControllerTest &lt; ActionController::TestCase
     community = fast_create(Community)
     admin = create_user_with_permission('admin_user', 'manage_custom_roles', community)
     login_as :admin_user
-    role = Role.create!({:name => 'delete_article', :key => 'profile_delete_article', :profile_id => community.id, :environment => Environment.default}, :without_protection => true)
+    role = Role.create! name: 'delete_article', key: 'profile_delete_article',
+      profile_id: community.id, environment: Environment.default
     admin.add_role(role, community)
     moderator_role = Role.find_by(name: "moderator")
  
@@ -72,7 +74,8 @@ class ProfileRolesControllerTest &lt; ActionController::TestCase
     community = fast_create(Community)
     admin = create_user_with_permission('admin_user', 'manage_custom_roles', community)
     login_as :admin_user
-    role = Role.create!({:name => 'delete_article', :key => 'profile_delete_article', :profile_id => community.id, :environment => Environment.default}, :without_protection => true)
+    role = Role.create! name: 'delete_article', key: 'profile_delete_article',
+      profile_id: community.id, environment: Environment.default
  
     assert_not_includes community.members_by_role(role), admin
  
@@ -86,7 +89,8 @@ class ProfileRolesControllerTest &lt; ActionController::TestCase
     admin = create_user_with_permission('admin_user', 'manage_custom_roles', community)
     moderator = create_user_with_permission('profile_admin', 'edit_profile', community)
     login_as :admin_user
-    role = Role.create!({:name => 'delete_article', :key => 'profile_delete_article', :profile_id => community.id, :environment => Environment.default}, :without_protection => true)
+    role = Role.create! name: 'delete_article', key: 'profile_delete_article',
+      profile_id: community.id, environment: Environment.default
     moderator_role = Role.find_by(name: "moderator")
     admin.add_role(moderator_role, community)
  
@@ -44,7 +44,7 @@ module Noosfero::Factory
     data = defaults_for(name).merge(attrs)
     object = name.to_s.camelize.constantize.new
     if object.respond_to?(:assign_attributes)
-      object.assign_attributes(data, :without_protection => true)
+      object.assign_attributes data
     else
       data.each { |attribute, value| object.send(attribute.to_s+'=', value) }
     end
@@ -8,7 +8,6 @@ class ActsAsHavingSettingsTest &lt; ActiveSupport::TestCase
     settings_items :flag_disabled_by_default, type: :boolean, default: false
     # to test that 'name' will be symbolized (see below)
     settings_items 'name', type: :string, default: N_('ENGLISH TEXT')
-    attr_accessible :flag, :name, :flag_disabled_by_default
   end
  
   should 'store settings in a hash' do
@@ -10,7 +10,6 @@ class ProfileActivityTest &lt; ActiveSupport::TestCase
     profile = fast_create Person
     target = fast_create Person
  
-    ActionTracker::Record.attr_accessible :created_at, :updated_at
     tracker = ActionTracker::Record.create! verb: :leave_scrap, user: profile, target: target, created_at: Time.now-2.days, updated_at: Time.now-1.day
  
     pa = ProfileActivity.create! profile: profile, activity: tracker
 class Role < ActiveRecord::Base
  
-  attr_accessible :key, :name, :environment, :permissions
-
   has_many :role_assignments, :dependent => :destroy
+
   belongs_to :environment
   belongs_to :organization
+
   serialize :permissions, Array
+
   validates_presence_of :name
   validates_uniqueness_of :name, :scope => :environment_id
   validates_uniqueness_of :key, :if => lambda { |role| !role.key.blank? }, :scope => :environment_id
+
   before_validation :create_key, :on => :create
  
   def initialize(*args)
 class RoleAssignment < ActiveRecord::Base
  
-  attr_accessible :accessor_id, :accessor_type, :role_id, :resource_id, :resource_type, :created_at
-
   belongs_to :role
   belongs_to :accessor, :polymorphic => true
   belongs_to :resource, :polymorphic => true
@@ -3,10 +3,6 @@ require File.dirname(__FILE__) + &#39;/test_helper&#39;
  
 class ActAsAccessorTest < Test::Unit::TestCase
  
-  def setup
-    RoleAssignment.attr_accessible :accessor
-  end
-
   def test_can_have_role_in_respect_to_an_resource
     res = AccessControlTestResource.create!(:name => 'bla')
     a = AccessControlTestAccessor.create!(:name => 'ze')
@@ -57,7 +53,7 @@ class ActAsAccessorTest &lt; Test::Unit::TestCase
     a = AccessControlTestAccessor.create!(:name => 'ze')
     role = Role.create!(:name => 'an_author', :permissions => ['bli'])
  
-    assert !a.role_assignments.map{|ra|[ra.role, ra.accessor, ra.resource]}.include?([role, a, res]) 
+    assert !a.role_assignments.map{|ra|[ra.role, ra.accessor, ra.resource]}.include?([role, a, res])
     assert !a.remove_role(role, res)
   end
  
@@ -2,17 +2,13 @@ require File.dirname(__FILE__) + &#39;/test_helper&#39;
  
 class RoleAssignmentTest < Test::Unit::TestCase
  
-  def setup
-    RoleAssignment.attr_accessible :is_global, :role, :accessor, :resource
-  end
-
   def test_has_global_permission
     role = Role.create(:name => 'new_role', :permissions => ['permission'])
     ra = RoleAssignment.create(:role_id => role.id, :is_global => true)
     assert ra.has_permission?('permission', 'global')
     assert !ra.has_permission?('not_permitted', 'global')
-  end  
-  
+  end
+
   def test_has_global_permission_with_global_resource
     role = Role.create(:name => 'new_role', :permissions => ['permission'])
     accessor = AccessControlTestAccessor.create(:name => 'accessor')
@@ -4,8 +4,6 @@ require File.join(File.dirname(__FILE__), &#39;test_helper&#39;)
 class RoleTest < Test::Unit::TestCase
  
   def setup
-    RoleAssignment.attr_accessible :role, :accessor
-    Role.attr_accessible :system
     Role.delete_all
   end
  
@@ -15,11 +13,11 @@ class RoleTest &lt; Test::Unit::TestCase
     assert role.save
     assert_equal count + 1, Role.count
   end
-  
+
   def test_uniqueness_of_name
     Role.create(:name => 'role_name')
     role = Role.new(:name => 'role_name')
-    assert ! role.save    
+    assert ! role.save
   end
  
   def test_uniqueness_of_key
@@ -18,7 +18,6 @@ RoleAssignment.table_name = &#39;access_control_test_role_assignments&#39;
 class AccessControlTestAccessor < ActiveRecord::Base
   self.table_name = 'access_control_test_accessors'
   acts_as_accessor
-  attr_accessible :name
   def cache_keys(arg)
     []
   end
@@ -32,8 +31,6 @@ class AccessControlTestResource &lt; ActiveRecord::Base
   self.table_name = 'access_control_test_resources'
   acts_as_accessible
   PERMISSIONS[self.class.name] = {'bla' => N_('Bla')}
-
-  attr_accessible :name
 end
  
 # controller to test protection
 module ActionTracker
   class Record < ActiveRecord::Base
-    attr_accessible :verb, :params, :user, :target
  
     self.table_name = 'action_tracker'
  
@@ -15,8 +15,6 @@ class Vote &lt; ActiveRecord::Base
   belongs_to :voteable, :polymorphic => true
   belongs_to :voter,    :polymorphic => true
  
-  attr_accessible :vote, :voter, :voteable
-
   # Uncomment this to limit users to a single vote on each item.
   #validates_uniqueness_of :voteable_id, :scope => [:voteable_type, :voter_type, :voter_id]
...	...	@@ -49,7 +49,6 @@ gem 'sass-rails'
49	49	gem 'sprockets-rails', '~> 2.1'
50	50
51	51	# gems to enable rails3 behaviour
52		-gem 'protected_attributes'
53	52	gem 'rails-observers', github: 'rails/rails-observers'
54	53	gem 'actionpack-page_caching'
55	54	gem 'actionpack-action_caching'
...	...
...	...	@@ -207,14 +207,11 @@ class CmsController < MyProfileController
207	207	params[:uploaded_files].each do \|file\|
208	208	unless file == ''
209	209	@uploaded_files << UploadedFile.create(
210		- {
211		- :uploaded_data => file,
212		- :profile => profile,
213		- :parent => @parent,
214		- :last_changed_by => user,
215		- :author => user,
216		- },
217		- :without_protection => true
	210	+ uploaded_data: file,
	211	+ profile: profile,
	212	+ parent: @parent,
	213	+ last_changed_by: user,
	214	+ author: user,
218	215	)
219	216	end
220	217	end
...	...
...	...	@@ -86,7 +86,7 @@ class ManageProductsController < ApplicationController
86	86	@edit = true
87	87	@level = @category.level
88	88	if request.post?
89		- if @product.update({:product_category_id => params[:selected_category_id]}, :without_protection => true)
	89	+ if @product.update product_category_id: params[:selected_category_id]
90	90	render :partial => 'shared/redirect_via_javascript',
91	91	:locals => { :url => url_for(:controller => 'manage_products', :action => 'show', :id => @product) }
92	92	else
...	...
...	...	@@ -12,7 +12,7 @@ class ProfileRolesController < MyProfileController
12	12	end
13	13
14	14	def create
15		- @role = Role.new({:name => params[:role][:name], :permissions => params[:role][:permissions], :environment => environment }, :without_protection => true)
	15	+ @role = Role.new name: params[:role][:name], permissions: params[:role][:permissions], environment: environment
16	16	if @role.save
17	17	profile.custom_roles << @role
18	18	redirect_to :action => 'show', :id => @role
...	...
...	...	@@ -4,8 +4,6 @@ class Mailing < ActiveRecord::Base
4	4
5	5	acts_as_having_settings :field => :data
6	6
7		- attr_accessible :subject, :body, :data
8		-
9	7	validates_presence_of :source_id, :subject, :body
10	8	belongs_to :source, :foreign_key => :source_id, :polymorphic => true
11	9	belongs_to :person
...	...
1	1	class AbuseReport < ActiveRecord::Base
2	2
3		- attr_accessible :content, :reason
4		-
5	3	belongs_to :reporter, :class_name => 'Person'
6	4	belongs_to :abuse_complaint
7	5	has_many :reported_images, :dependent => :destroy
...	...
...	...	@@ -8,8 +8,6 @@ class ActionTrackerNotification < ActiveRecord::Base
8	8	validates_presence_of :profile_id, :action_tracker_id
9	9	validates_uniqueness_of :action_tracker_id, :scope => :profile_id
10	10
11		- attr_accessible :profile_id, :action_tracker_id
12		-
13	11	end
14	12
15	13	ActionTracker::Record.has_many :action_tracker_notifications, :class_name => 'ActionTrackerNotification', :foreign_key => 'action_tracker_id', :dependent => :destroy
...	...
...	...	@@ -8,7 +8,7 @@ class ApproveComment < Task
8	8	def comment
9	9	unless @comment \|\| self.comment_attributes.nil?
10	10	@comment = Comment.new
11		- @comment.assign_attributes(ActiveSupport::JSON.decode(self.comment_attributes.to_s), :without_protection => true)
	11	+ @comment.assign_attributes ActiveSupport::JSON.decode(self.comment_attributes.to_s)
12	12	end
13	13	@comment
14	14	end
...	...
1	1
2	2	class Article < ActiveRecord::Base
3	3
4		- attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent,
5		- :allow_members_to_edit, :translation_of_id, :language,
6		- :license_id, :parent_id, :display_posts_in_current_language,
7		- :category_ids, :posts_per_page, :moderate_comments,
8		- :accept_comments, :feed, :published, :source, :source_name,
9		- :highlighted, :notify_comments, :display_hits, :slug,
10		- :external_feed_builder, :display_versions, :external_link,
11		- :image_builder, :show_to_followers,
12		- :author, :display_preview, :published_at, :person_followers
13		-
14	4	acts_as_having_image
15	5	include Noosfero::Plugin::HotSpot
16	6
...	...
1	1	class ArticleBlock < Block
2	2
3		- attr_accessible :article_id
4		-
5	3	def self.description
6	4	_('Display one of your contents.')
7	5	end
...	...