Merge branch 'master' of abf.rosalinux.ru:abf/rosa-build

Gemfile

@@ -6,8 +6,6 @@ gem 'activeadmin',                      github: 'activeadmin'
 gem 'pg'
 gem 'schema_plus', '~> 1.5'
 ########
-gem 'protected_attributes'
-########
 gem 'devise'
 gem 'omniauth'
 gem 'omniauth-facebook'

Gemfile.lock

@@ -10,9 +10,9 @@ GIT
 
 GIT
   remote: git://github.com/activeadmin/activeadmin.git
-  revision: e27ccba8a7ea1f7f3085748decec1f6911f6d5d2
+  revision: 9c46b14ea0d9b3aaaa3d7520555c9959d06ce7f3
   specs:
-    activeadmin (1.0.0.pre)
+    activeadmin (1.0.0.pre1)
       arbre (~> 1.0, >= 1.0.2)
       bourbon
       coffee-rails
@@ -104,7 +104,7 @@ GEM
     bootstrap-sass (3.3.3)
       autoprefixer-rails (>= 5.0.0.1)
       sass (>= 3.2.19)
-    bourbon (4.2.1)
+    bourbon (4.2.3)
       sass (~> 3.4)
       thor
     builder (3.2.2)
@@ -130,10 +130,10 @@ GEM
     coffee-rails (4.1.0)
       coffee-script (>= 2.2.0)
       railties (>= 4.0.0, < 5.0)
-    coffee-script (2.3.0)
+    coffee-script (2.4.1)
       coffee-script-source
       execjs
-    coffee-script-source (1.9.1)
+    coffee-script-source (1.9.1.1)
     compass (1.0.3)
       chunky_png (~> 1.2)
       compass-core (~> 1.0.2)
@@ -170,7 +170,7 @@ GEM
     erubis (2.7.0)
     escape_utils (1.0.1)
     eventmachine (1.0.5)
-    execjs (2.3.0)
+    execjs (2.5.2)
     expression_parser (0.9.0)
     factory_girl (4.5.0)
       activesupport (>= 3.0.0)
@@ -184,7 +184,7 @@ GEM
       railties (>= 3.2, < 5.0)
     formtastic (3.1.3)
       actionpack (>= 3.2.13)
-    formtastic_i18n (0.1.1)
+    formtastic_i18n (0.4.1)
     friendly_id (5.1.0)
       activerecord (>= 4.0.0)
     gemoji (2.1.0)
@@ -244,7 +244,7 @@ GEM
     jquery-rails (3.1.2)
       railties (>= 3.0, < 5.0)
       thor (>= 0.14, < 2.0)
-    jquery-ui-rails (5.0.3)
+    jquery-ui-rails (5.0.5)
       railties (>= 3.2.16)
     js-routes (1.0.0)
       railties (>= 3.2)
@@ -280,7 +280,7 @@ GEM
       railties (>= 3.0.0, < 5.0.0)
     mime-types (1.25.1)
     mini_portile (0.6.2)
-    minitest (5.6.0)
+    minitest (5.6.1)
     mock_redis (0.14.0)
     momentjs-rails (2.9.0)
       railties (>= 3.1)
@@ -339,11 +339,9 @@ GEM
       cocaine (~> 0.5.3)
       mime-types
     pg (0.18.1)
-    polyamorous (1.1.0)
+    polyamorous (1.2.0)
       activerecord (>= 3.0)
     posix-spawn (0.3.10)
-    protected_attributes (1.0.9)
-      activemodel (>= 4.0.1, < 5.0)
     puma (2.11.1)
       rack (>= 1.1, < 2.0)
     pundit (0.3.0)
@@ -351,7 +349,7 @@ GEM
     pygments.rb (0.6.2)
       posix-spawn (~> 0.3.6)
       yajl-ruby (~> 1.2.0)
-    rack (1.5.2)
+    rack (1.5.3)
     rack-contrib (1.2.0)
       rack (>= 0.9.1)
     rack-mini-profiler (0.9.3)
@@ -385,12 +383,12 @@ GEM
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
-    ransack (1.6.3)
+    ransack (1.6.6)
       actionpack (>= 3.0)
       activerecord (>= 3.0)
       activesupport (>= 3.0)
       i18n
-      polyamorous (~> 1.1)
+      polyamorous (~> 1.2)
     rb-fsevent (0.9.4)
     rb-inotify (0.9.5)
       ffi (>= 0.5.0)
@@ -471,7 +469,7 @@ GEM
     safe_yaml (1.0.4)
     sanitize (2.1.0)
       nokogiri (>= 1.4.4)
-    sass (3.4.13)
+    sass (3.4.14)
     sass-rails (5.0.1)
       railties (>= 4.0.0, < 5.0)
       sass (~> 3.1)
@@ -514,7 +512,7 @@ GEM
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.2.4)
+    sprockets-rails (2.3.1)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
@@ -636,7 +634,6 @@ DEPENDENCIES
   paperclip
   perform_later!
   pg
-  protected_attributes
   puma
   pundit
   rack-mini-profiler

app/admin/build_scripts.rb

@@ -1,4 +1,5 @@
 ActiveAdmin.register BuildScript do
+  permit_params :project_name, :treeish, :commit, :sha1, :status
 
   menu priority: 4
 

app/admin/flash_notifies.rb

@@ -1,4 +1,5 @@
 ActiveAdmin.register FlashNotify do
+  permit_params :body_ru, :body_en, :status, :published
 
   menu parent: 'Misc'
 

app/admin/node_instructions.rb

@@ -1,4 +1,5 @@
 ActiveAdmin.register NodeInstruction do
+  permit_params :instruction, :user_id, :output, :status
 
   menu priority: 3
 

app/assets/stylesheets/BootstrapXL.css

@@ -0,0 +1,680 @@
+/*
+*   https://github.com/lu4/BootstrapXL/blob/7c64e2ea5ee1f72ed3db9892c091d5a0380c4518/BootstrapXL.css
+*
+*   CSS file with Bootstrap grid classes for screens bigger than 1600px. Just add this file after the Bootstrap CSS file and you will be able to use col-xl, col-xl-push, hidden-xl, etc.
+*
+*   Author: Marc van Nieuwenhuijzen
+*   Company: WebVakman
+*   Site: WebVakman.nl
+*
+*/
+.visible-xs,
+.visible-xs-block,
+.visible-xs-inline,
+.visible-xs-inline-block,
+.visible-sm,
+.visible-sm-block,
+.visible-sm-inline,
+.visible-sm-inline-block,
+.visible-md,
+.visible-md-block,
+.visible-md-inline,
+.visible-md-inline-block,
+.visible-lg,
+.visible-lg-block,
+.visible-lg-inline,
+.visible-lg-inline-block,
+.visible-xl,
+.visible-xl-block,
+.visible-xl-inline,
+.visible-xl-inline-block,
+.visible-xx,
+.visible-xx-block,
+.visible-xx-inline,
+.visible-xx-inline-block {
+    display: none !important;
+}
+
+@media (max-width: 768px) {
+    .visible-xs {
+        display: block !important;
+    }
+
+    table.visible-xs {
+        display: table;
+    }
+
+    tr.visible-xs {
+        display: table-row !important;
+    }
+
+    th.visible-xs, td.visible-xs {
+        display: table-cell !important;
+    }
+
+    .visible-xs-block {
+        display: block !important;
+    }
+
+    .visible-xs-inline {
+        display: inline !important;
+    }
+
+    .visible-xs-inline-block {
+        display: inline-block !important;
+    }
+
+    .hidden-xs {
+        display: none !important;
+    }
+}
+
+@media (min-width: 768px) and (max-width: 991px) {
+    .visible-sm {
+        display: block !important;
+    }
+
+    table.visible-sm {
+        display: table;
+    }
+
+    tr.visible-sm {
+        display: table-row !important;
+    }
+
+    th.visible-sm, td.visible-sm {
+        display: table-cell !important;
+    }
+
+    .visible-sm-block {
+        display: block !important;
+    }
+
+    .visible-sm-inline {
+        display: inline !important;
+    }
+
+    .visible-sm-inline-block {
+        display: inline-block !important;
+    }
+
+    .hidden-sm {
+        display: none !important;
+    }
+}
+
+@media (min-width: 992px) and (max-width: 1199px) {
+    .visible-md {
+        display: block !important;
+    }
+
+    table.visible-md {
+        display: table;
+    }
+
+    tr.visible-md {
+        display: table-row !important;
+    }
+
+    th.visible-md, td.visible-md {
+        display: table-cell !important;
+    }
+
+    .visible-md-block {
+        display: block !important;
+    }
+
+    .visible-md-inline {
+        display: inline !important;
+    }
+
+    .visible-md-inline-block {
+        display: inline-block !important;
+    }
+
+    .hidden-md {
+        display: none !important;
+    }
+}
+
+@media (min-width: 1200px) {
+    .col-lg-3 {
+        width: 25%;
+    }
+
+    .visible-lg {
+        display: block !important;
+    }
+
+    table.visible-lg {
+        display: table;
+    }
+
+    tr.visible-lg {
+        display: table-row !important;
+    }
+
+    th.visible-lg, td.visible-lg {
+        display: table-cell !important;
+    }
+
+    .visible-lg-block {
+        display: block !important;
+    }
+
+    .visible-lg-inline {
+        display: inline !important;
+    }
+
+    .visible-lg-inline-block {
+        display: inline-block !important;
+    }
+
+    .hidden-lg {
+        display: none !important;
+    }
+}
+
+@media (min-width: 1600px) {
+    .visible-lg {
+        display: none !important;
+    }
+}
+
+@media (min-width: 1600px) {
+    .container {
+        width: 1570px;
+    }
+
+    .col-xl-1, .col-xl-2, .col-xl-3, .col-xl-4, .col-xl-5, .col-xl-6, .col-xl-7, .col-xl-8, .col-xl-9, .col-xl-10, .col-xl-11, .col-xl-12 {
+        float: left;
+    }
+
+    .col-xl-12 {
+        width: 100%;
+    }
+
+    .col-xl-11 {
+        width: 91.66666667%;
+    }
+
+    .col-xl-10 {
+        width: 83.33333333%;
+    }
+
+    .col-xl-9 {
+        width: 75%;
+    }
+
+    .col-xl-8 {
+        width: 66.66666667%;
+    }
+
+    .col-xl-7 {
+        width: 58.33333333%;
+    }
+
+    .col-xl-6 {
+        width: 50%;
+    }
+
+    .col-xl-5 {
+        width: 41.66666667%;
+    }
+
+    .col-xl-4 {
+        width: 33.33333333%;
+    }
+
+    .col-xl-3 {
+        width: 25%;
+    }
+
+    .col-xl-2 {
+        width: 16.66666667%;
+    }
+
+    .col-xl-1 {
+        width: 8.33333333%;
+    }
+
+    .col-xl-pull-12 {
+        right: 100%;
+    }
+
+    .col-xl-pull-11 {
+        right: 91.66666667%;
+    }
+
+    .col-xl-pull-10 {
+        right: 83.33333333%;
+    }
+
+    .col-xl-pull-9 {
+        right: 75%;
+    }
+
+    .col-xl-pull-8 {
+        right: 66.66666667%;
+    }
+
+    .col-xl-pull-7 {
+        right: 58.33333333%;
+    }
+
+    .col-xl-pull-6 {
+        right: 50%;
+    }
+
+    .col-xl-pull-5 {
+        right: 41.66666667%;
+    }
+
+    .col-xl-pull-4 {
+        right: 33.33333333%;
+    }
+
+    .col-xl-pull-3 {
+        right: 25%;
+    }
+
+    .col-xl-pull-2 {
+        right: 16.66666667%;
+    }
+
+    .col-xl-pull-1 {
+        right: 8.33333333%;
+    }
+
+    .col-xl-pull-0 {
+        right: auto;
+    }
+
+    .col-xl-push-12 {
+        left: 100%;
+    }
+
+    .col-xl-push-11 {
+        left: 91.66666667%;
+    }
+
+    .col-xl-push-10 {
+        left: 83.33333333%;
+    }
+
+    .col-xl-push-9 {
+        left: 75%;
+    }
+
+    .col-xl-push-8 {
+        left: 66.66666667%;
+    }
+
+    .col-xl-push-7 {
+        left: 58.33333333%;
+    }
+
+    .col-xl-push-6 {
+        left: 50%;
+    }
+
+    .col-xl-push-5 {
+        left: 41.66666667%;
+    }
+
+    .col-xl-push-4 {
+        left: 33.33333333%;
+    }
+
+    .col-xl-push-3 {
+        left: 25%;
+    }
+
+    .col-xl-push-2 {
+        left: 16.66666667%;
+    }
+
+    .col-xl-push-1 {
+        left: 8.33333333%;
+    }
+
+    .col-xl-push-0 {
+        left: auto;
+    }
+
+    .col-xl-offset-12 {
+        margin-left: 100%;
+    }
+
+    .col-xl-offset-11 {
+        margin-left: 91.66666667%;
+    }
+
+    .col-xl-offset-10 {
+        margin-left: 83.33333333%;
+    }
+
+    .col-xl-offset-9 {
+        margin-left: 75%;
+    }
+
+    .col-xl-offset-8 {
+        margin-left: 66.66666667%;
+    }
+
+    .col-xl-offset-7 {
+        margin-left: 58.33333333%;
+    }
+
+    .col-xl-offset-6 {
+        margin-left: 50%;
+    }
+
+    .col-xl-offset-5 {
+        margin-left: 41.66666667%;
+    }
+
+    .col-xl-offset-4 {
+        margin-left: 33.33333333%;
+    }
+
+    .col-xl-offset-3 {
+        margin-left: 25%;
+    }
+
+    .col-xl-offset-2 {
+        margin-left: 16.66666667%;
+    }
+
+    .col-xl-offset-1 {
+        margin-left: 8.33333333%;
+    }
+
+    .col-xl-offset-0 {
+        margin-left: 0;
+    }
+
+    .visible-xl {
+        display: block !important;
+    }
+
+    table.visible-xl {
+        display: table;
+    }
+
+    tr.visible-xl {
+        display: table-row !important;
+    }
+
+    th.visible-xl, td.visible-xl {
+        display: table-cell !important;
+    }
+
+    .visible-xl-block {
+        display: block !important;
+    }
+
+    .visible-xl-inline {
+        display: inline !important;
+    }
+
+    .visible-xl-inline-block {
+        display: inline-block !important;
+    }
+
+    .hidden-xl {
+        display: none !important;
+    }
+}
+
+@media (min-width: 2048px) {
+    .visible-xl {
+        display: none !important;
+    }
+}
+
+@media (min-width: 2048px) {
+    .container {
+        width: 1570px;
+    }
+
+    .col-xx-1, .col-xx-2, .col-xx-3, .col-xx-4, .col-xx-5, .col-xx-6, .col-xx-7, .col-xx-8, .col-xx-9, .col-xx-10, .col-xx-11, .col-xx-12 {
+        float: left;
+    }
+
+    .col-xx-12 {
+        width: 100%;
+    }
+
+    .col-xx-11 {
+        width: 91.66666667%;
+    }
+
+    .col-xx-10 {
+        width: 83.33333333%;
+    }
+
+    .col-xx-9 {
+        width: 75%;
+    }
+
+    .col-xx-8 {
+        width: 66.66666667%;
+    }
+
+    .col-xx-7 {
+        width: 58.33333333%;
+    }
+
+    .col-xx-6 {
+        width: 50%;
+    }
+
+    .col-xx-5 {
+        width: 41.66666667%;
+    }
+
+    .col-xx-4 {
+        width: 33.33333333%;
+    }
+
+    .col-xx-3 {
+        width: 25%;
+    }
+
+    .col-xx-2 {
+        width: 16.66666667%;
+    }
+
+    .col-xx-1 {
+        width: 8.33333333%;
+    }
+
+    .col-xx-pull-12 {
+        right: 100%;
+    }
+
+    .col-xx-pull-11 {
+        right: 91.66666667%;
+    }
+
+    .col-xx-pull-10 {
+        right: 83.33333333%;
+    }
+
+    .col-xx-pull-9 {
+        right: 75%;
+    }
+
+    .col-xx-pull-8 {
+        right: 66.66666667%;
+    }
+
+    .col-xx-pull-7 {
+        right: 58.33333333%;
+    }
+
+    .col-xx-pull-6 {
+        right: 50%;
+    }
+
+    .col-xx-pull-5 {
+        right: 41.66666667%;
+    }
+
+    .col-xx-pull-4 {
+        right: 33.33333333%;
+    }
+
+    .col-xx-pull-3 {
+        right: 25%;
+    }
+
+    .col-xx-pull-2 {
+        right: 16.66666667%;
+    }
+
+    .col-xx-pull-1 {
+        right: 8.33333333%;
+    }
+
+    .col-xx-pull-0 {
+        right: auto;
+    }
+
+    .col-xx-push-12 {
+        left: 100%;
+    }
+
+    .col-xx-push-11 {
+        left: 91.66666667%;
+    }
+
+    .col-xx-push-10 {
+        left: 83.33333333%;
+    }
+
+    .col-xx-push-9 {
+        left: 75%;
+    }
+
+    .col-xx-push-8 {
+        left: 66.66666667%;
+    }
+
+    .col-xx-push-7 {
+        left: 58.33333333%;
+    }
+
+    .col-xx-push-6 {
+        left: 50%;
+    }
+
+    .col-xx-push-5 {
+        left: 41.66666667%;
+    }
+
+    .col-xx-push-4 {
+        left: 33.33333333%;
+    }
+
+    .col-xx-push-3 {
+        left: 25%;
+    }
+
+    .col-xx-push-2 {
+        left: 16.66666667%;
+    }
+
+    .col-xx-push-1 {
+        left: 8.33333333%;
+    }
+
+    .col-xx-push-0 {
+        left: auto;
+    }
+
+    .col-xx-offset-12 {
+        margin-left: 100%;
+    }
+
+    .col-xx-offset-11 {
+        margin-left: 91.66666667%;
+    }
+
+    .col-xx-offset-10 {
+        margin-left: 83.33333333%;
+    }
+
+    .col-xx-offset-9 {
+        margin-left: 75%;
+    }
+
+    .col-xx-offset-8 {
+        margin-left: 66.66666667%;
+    }
+
+    .col-xx-offset-7 {
+        margin-left: 58.33333333%;
+    }
+
+    .col-xx-offset-6 {
+        margin-left: 50%;
+    }
+
+    .col-xx-offset-5 {
+        margin-left: 41.66666667%;
+    }
+
+    .col-xx-offset-4 {
+        margin-left: 33.33333333%;
+    }
+
+    .col-xx-offset-3 {
+        margin-left: 25%;
+    }
+
+    .col-xx-offset-2 {
+        margin-left: 16.66666667%;
+    }
+
+    .col-xx-offset-1 {
+        margin-left: 8.33333333%;
+    }
+
+    .col-xx-offset-0 {
+        margin-left: 0;
+    }
+
+    .visible-xx {
+        display: block !important;
+    }
+
+    table.visible-xx {
+        display: table;
+    }
+
+    tr.visible-xx {
+        display: table-row !important;
+    }
+
+    th.visible-xx, td.visible-xx {
+        display: table-cell !important;
+    }
+
+    .visible-xx-block {
+        display: block !important;
+    }
+
+    .visible-xx-inline {
+        display: inline !important;
+    }
+
+    .visible-xx-inline-block {
+        display: inline-block !important;
+    }
+
+    .hidden-xx {
+        display: none !important;
+    }
+}

app/assets/stylesheets/new_application.scss

@@ -37,6 +37,7 @@ $navbar-inverse-toggle-border-color:       #ddd;
 
 @import "bootstrap-sprockets";
 @import "bootstrap";
+@import "BootstrapXL";
 @import "custom_bootstrap";
 @import "timeline";
 @import "font-awesome";

app/controllers/api/v1/advisories_controller.rb

@@ -16,7 +16,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController
   def create
     authorize :advisory
     if @build_list.can_attach_to_advisory? &&
-        @build_list.associate_and_create_advisory(params[:advisory]) &&
+        @build_list.associate_and_create_advisory(advisory_params) &&
         @build_list.save
       render_json_response @build_list.advisory, 'Advisory has been created successfully'
     else
@@ -35,6 +35,10 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController
 
   protected
 
+  def advisory_params
+    subject_params(Advisory)
+  end
+
   def load_build_list
     @build_list = BuildList.find params[:build_list_id]
     authorize @build_list.save_to_platform, :local_admin_manage?

app/controllers/api/v1/base_controller.rb

@@ -85,7 +85,7 @@ class Api::V1::BaseController < ApplicationController
   def update_subject(subject)
     authorize subject, :update?
     class_name = subject.class.name
-    if subject.update_attributes(params[class_name.underscore.to_sym] || {})
+    if subject.update_attributes(subject_params(subject.class, subject))
       render_json_response subject, "#{class_name} has been updated successfully"
     else
       render_validation_error subject, "#{class_name} has not been updated"

app/controllers/api/v1/build_lists_controller.rb

@@ -33,13 +33,11 @@ class Api::V1::BuildListsController < Api::V1::BaseController
   end
 
   def create
-    bl_params = params[:build_list] || {}
+    save_to_repository = Repository.find_by(id: build_list_params[:save_to_repository_id])
-    save_to_repository = Repository.where(id: bl_params[:save_to_repository_id]).first
 
-    bl_params[:save_to_platform_id] = save_to_repository.platform_id if save_to_repository
+    @build_list                  = current_user.build_lists.new(build_list_params)
-
+    @build_list.save_to_platform = save_to_repository.platform if save_to_repository
-    @build_list = current_user.build_lists.new(bl_params)
+    @build_list.priority         = current_user.build_priority # User builds more priority than mass rebuild with zero priority
-    @build_list.priority = current_user.build_priority # User builds more priority than mass rebuild with zero priority
 
     create_subject @build_list
   end
@@ -79,6 +77,10 @@ class Api::V1::BuildListsController < Api::V1::BaseController
 
   private
 
+  def build_list_params
+    subject_params(BuildList)
+  end
+
   # Private: before_action hook which loads BuidList.
   def load_build_list
     @build_list = BuildList.find params[:id]

app/controllers/api/v1/groups_controller.rb

@@ -28,7 +28,8 @@ class Api::V1::GroupsController < Api::V1::BaseController
   end
 
   def create
-    @group = current_user.own_groups.new params[:group]
+    @group = current_user.own_groups.new
+    @group.assign_attributes(group_params)
     create_subject @group
   end
 
@@ -49,6 +50,10 @@ class Api::V1::GroupsController < Api::V1::BaseController
 
   private
 
+  def group_params
+    subject_params(Group, @group)
+  end
+
   # Private: before_action hook which loads Group.
   def load_group
     @group = Group.find params[:id]

app/controllers/api/v1/issues_controller.rb

@@ -44,20 +44,14 @@ class Api::V1::IssuesController < Api::V1::BaseController
   end
 
   def create
-    @issue      = @project.issues.new(params[:issue])
+    @issue      = @project.issues.new
+    @issue.assign_attributes subject_params(Issue, @issue)
     @issue.user = current_user
-    @issue.assignee = nil unless policy(@project).write?
     create_subject @issue
   end
 
   def update
-    unless policy(@project).write?
+    @issue.labelings.destroy_all if params[:update_labels] && policy(@project).write?
-      params.delete :update_labels
-      [:assignee_id, :labelings, :labelings_attributes].each do |k|
-        params[:issue].delete k
-      end if params[:issue]
-    end
-    @issue.labelings.destroy_all if params[:update_labels]
     if params[:issue] && status = params[:issue].delete(:status)
       @issue.set_close(current_user) if status == 'closed'
       @issue.set_open if status == 'open'

app/controllers/api/v1/platforms_controller.rb

@@ -32,17 +32,17 @@ class Api::V1::PlatformsController < Api::V1::BaseController
   end
 
   def create
-    platform_params = params[:platform] || {}
+    pp = params[:platform] || {}
-    owner = User.where(id: platform_params[:owner_id]).first
+    owner = User.find_by(id: pp[:owner_id])
-    @platform       = Platform.new platform_params
+    @platform       = Platform.new(platform_params)
     @platform.owner = owner || get_owner
     create_subject @platform
   end
 
   def update
-    platform_params = params[:platform] || {}
+    pp = params[:platform] || {}
-    owner = User.where(id: platform_params[:owner_id]).first
+    owner = User.find_by(id: pp[:owner_id])
-    platform_params[:owner] = owner if owner
+    pp[:owner] = owner if owner
     update_subject @platform
   end
 
@@ -80,6 +80,10 @@ class Api::V1::PlatformsController < Api::V1::BaseController
 
   private
 
+  def platform_params
+    subject_params(Platform)
+  end
+
   # Private: before_action hook which loads Platform.
   def load_platform
     authorize @platform = Platform.find(params[:id])

app/controllers/api/v1/product_build_lists_controller.rb

@@ -17,10 +17,10 @@ class Api::V1::ProductBuildListsController < Api::V1::BaseController
   end
 
   def create
-    @product_build_list = ProductBuildList.new(params[:product_build_list])
+    @product_build_list = ProductBuildList.new subject_params(ProductBuildList)
-    @product_build_list.project ||= @product_build_list.try(:product).try(:project)
+    @product_build_list.project     ||= @product_build_list.try(:product).try(:project)
     @product_build_list.main_script ||= @product_build_list.try(:product).try(:main_script)
-    @product_build_list.params ||= @product_build_list.try(:product).try(:params)
+    @product_build_list.params      ||= @product_build_list.try(:product).try(:params)
     @product_build_list.time_living ||= @product_build_list.try(:product).try(:time_living)
     create_subject @product_build_list
   end

app/controllers/api/v1/products_controller.rb

@@ -5,7 +5,7 @@ class Api::V1::ProductsController < Api::V1::BaseController
   before_action :load_product, except: :create
 
   def create
-    create_subject @product = Product.new(params[:product])
+    create_subject @product = Product.new(subject_params(Product))
   end
 
   def update

app/controllers/api/v1/projects_controller.rb

@@ -31,7 +31,7 @@ class Api::V1::ProjectsController < Api::V1::BaseController
   end
 
   def create
-    @project   = Project.new(params[:project])
+    @project   = Project.new subject_params(Project)
     p_params   = params[:project] || {}
     owner_type = %w(User Group).find{ |t| t == p_params[:owner_type] }
     if owner_type.present?

app/controllers/api/v1/pull_requests_controller.rb

@@ -76,7 +76,7 @@ class Api::V1::PullRequestsController < Api::V1::BaseController
     authorize @pull
 
     if pull_params.present?
-      attrs = pull_params.slice(:title, :body)
+      attrs = subject_params(PullRequest)
       attrs.merge!(assignee_id: pull_params[:assignee_id]) if policy(@project).write?
 
       if action = %w(close reopen).find{ |s| s == pull_params[:status] }

app/controllers/api/v1/repositories_controller.rb

@@ -97,8 +97,9 @@ class Api::V1::RepositoriesController < Api::V1::BaseController
   def signatures
     key_pair = @repository.key_pair
     key_pair.destroy if key_pair
-    key_pair = @repository.build_key_pair(params[:repository])
+    key_pair = @repository.build_key_pair subject_params(Repository, KeyPair)
     key_pair.user_id = current_user.id
+    authorize key_pair, :create?
     if key_pair.save
       render_json_response @repository, 'Signatures have been updated for repository successfully'
     else

app/controllers/api/v1/users_controller.rb

@@ -16,7 +16,7 @@ class Api::V1::UsersController < Api::V1::BaseController
   def update
     user_params = params[:user] || {}
     send_confirmation = user_params[:email] != @user.email
-    if @user.update_without_password(user_params)
+    if @user.update_without_password(subject_params(User))
       if send_confirmation
         @user.confirmed_at, @user.confirmation_sent_at = nil
         @user.send_confirmation_instructions
@@ -29,7 +29,7 @@ class Api::V1::UsersController < Api::V1::BaseController
 
   def notifiers
     if request.put?
-      if @user.notifier.update_attributes(params[:notifiers])
+      if @user.notifier.update_attributes(notifier_params)
         render_json_response @user, 'User notification settings have been updated successfully'
       else
         render_json_response @user, error_message(@user.notifier, 'User notification settings have not been updated'), 422
@@ -39,6 +39,10 @@ class Api::V1::UsersController < Api::V1::BaseController
 
   protected
 
+  def notifier_params
+    permit_params(:notifiers, *policy(SettingsNotifier).permitted_attributes)
+  end
+
   def set_current_user
     authorize @user = current_user
   end

app/controllers/concerns/strong_params.rb

@@ -4,6 +4,13 @@ module StrongParams
   protected
 
   def permit_params(param_name, *accessible)
-    (params[param_name] || ActionController::Parameters.new).permit(*accessible.flatten)
+    [param_name].flatten.inject(params.dup) do |pp, name|
+      pp = pp[name] || ActionController::Parameters.new
+    end.permit(*accessible.flatten)
+  end
+
+
+  def subject_params(subject_class, subject = nil)
+    permit_params(subject_class.name.underscore.to_sym, *policy(subject || subject_class).permitted_attributes)
   end
 end

app/controllers/contacts_controller.rb

@@ -6,7 +6,7 @@ class ContactsController < ApplicationController
   end
 
   def create
-    @form = Feedback.new(params[:feedback])
+    @form = Feedback.new(feedback_params)
     if @form.perform_send
       flash[:notice] = I18n.t("flash.contact.success")
       redirect_to sended_contact_path
@@ -19,4 +19,10 @@ class ContactsController < ApplicationController
   def sended
   end
 
+  private
+
+  def feedback_params
+    params[:feedback].permit(:name, :email, :subject, :message)
+  end
+
 end

app/controllers/groups/profile_controller.rb

@@ -43,7 +43,9 @@ class Groups::ProfileController < Groups::BaseController
   end
 
   def create
-    authorize @group = current_user.own_groups.build(params[:group])
+    @group = current_user.own_groups.new
+    @group.assign_attributes(group_params)
+    authorize @group
     if @group.save
       flash[:notice] = t('flash.group.saved')
       redirect_to group_path(@group)
@@ -56,7 +58,7 @@ class Groups::ProfileController < Groups::BaseController
 
   def update
     authorize @group
-    if @group.update_attributes(params[:group])
+    if @group.update_attributes(group_params)
       update_avatar(@group, params)
       flash[:notice] = t('flash.group.saved')
       redirect_to group_path(@group)
@@ -81,6 +83,10 @@ class Groups::ProfileController < Groups::BaseController
 
   protected
 
+  def group_params
+    subject_params(Group, @group)
+  end
+
   def paginate_projects(page)
     @projects.paginate(page: (page>0 ? page : nil), per_page: 24)
   end

app/controllers/platforms/key_pairs_controller.rb

@@ -6,7 +6,7 @@ class Platforms::KeyPairsController < Platforms::BaseController
   end
 
   def create
-    @key_pair         = KeyPair.new params[:key_pair]
+    @key_pair         = KeyPair.new subject_params(KeyPair)
     @key_pair.user_id = current_user.id
     authorize @key_pair
     if @key_pair.save

app/controllers/platforms/mass_builds_controller.rb

@@ -22,7 +22,7 @@ class Platforms::MassBuildsController < Platforms::BaseController
   end
 
   def create
-    @mass_build                 = @platform.mass_builds.build(params[:mass_build])
+    @mass_build                 = @platform.mass_builds.build(subject_params(MassBuild))
     @mass_build.user            = current_user
     @mass_build.arches          = params[:arches] || []
     @mass_build.repositories  ||= params[:repositories] || []

app/controllers/platforms/platforms_controller.rb

@@ -33,7 +33,7 @@ class Platforms::PlatformsController < Platforms::BaseController
   end
 
   def create
-    authorize @platform = Platform.new(params[:platform])
+    authorize @platform = Platform.new(platform_params)
     @admin_id    = params[:admin_id]
     @admin_uname = params[:admin_uname]
     # FIXME: do not allow manipulate owner model, only platforms onwer_id and onwer_type
@@ -53,13 +53,12 @@ class Platforms::PlatformsController < Platforms::BaseController
     @admin_id = params[:admin_id]
     @admin_uname = params[:admin_uname]
 
-    platform_params = params[:platform] || {}
+    pp = platform_params
-    platform_params = platform_params.slice(:description, :platform_arch_settings_attributes, :released, :automatic_metadata_regeneration, :default_branch)
+    pp[:owner] = User.find(@admin_id) if @admin_id.present?
-    platform_params[:owner] = User.find(@admin_id) if @admin_id.present?
 
     respond_to do |format|
       format.html do
-        if @platform.update_attributes(platform_params)
+        if @platform.update_attributes(pp)
           flash[:notice] = I18n.t("flash.platform.saved")
           redirect_to @platform
         else
@@ -68,7 +67,7 @@ class Platforms::PlatformsController < Platforms::BaseController
         end
       end
       format.json do
-        if @platform.update_attributes(platform_params)
+        if @platform.update_attributes(pp)
           render json: { notice: I18n.t("flash.platform.saved") }.to_json
         else
           render json: { error: I18n.t("flash.platform.save_error") }.to_json, status: 422
@@ -108,7 +107,7 @@ class Platforms::PlatformsController < Platforms::BaseController
 
   def make_clone
     authorize @platform
-    @cloned = @platform.full_clone params[:platform].merge(owner: current_user)
+    @cloned = @platform.full_clone platform_params.merge(owner: current_user)
     if @cloned.persisted?
       flash[:notice] = I18n.t("flash.platform.clone_success")
       redirect_to @cloned
@@ -165,6 +164,10 @@ class Platforms::PlatformsController < Platforms::BaseController
 
   private
 
+  def platform_params
+    subject_params(Platform)
+  end
+
   # Private: before_action hook which loads Platform.
   def load_platform
     authorize @platform = Platform.find_cached(params[:id]), :show? if params[:id]

app/controllers/platforms/product_build_lists_controller.rb

@@ -47,7 +47,7 @@ class Platforms::ProductBuildListsController < Platforms::BaseController
   end
 
   def create
-    pbl = @product.product_build_lists.new params[:product_build_list]
+    pbl = @product.product_build_lists.new product_build_list_params
     pbl.project = @product.project
     pbl.user = current_user
     pbl.base_url = "http://#{request.host_with_port}"
@@ -93,6 +93,10 @@ class Platforms::ProductBuildListsController < Platforms::BaseController
 
   protected
 
+  def product_build_list_params
+    subject_params(ProductBuildList)
+  end
+
   def redirect_to_full_path_if_short_url
     if params[:platform_id].blank? || params[:product_id].blank?
       pbl               = ProductBuildList.find params[:id]

app/controllers/platforms/products_controller.rb

@@ -19,7 +19,7 @@ class Platforms::ProductsController < Platforms::BaseController
   end
 
   def create
-    authorize @product = @platform.products.build(params[:product])
+    authorize @product = @platform.products.build(product_params)
     if @product.save
       flash[:notice] = t('flash.product.saved')
       redirect_to platform_product_path(@platform, @product)
@@ -31,7 +31,7 @@ class Platforms::ProductsController < Platforms::BaseController
   end
 
   def update
-    if @product.update_attributes(params[:product])
+    if @product.update_attributes(product_params)
       flash[:notice] = t('flash.product.saved')
       redirect_to platform_product_path(@platform, @product)
     else
@@ -61,6 +61,10 @@ class Platforms::ProductsController < Platforms::BaseController
 
   private
 
+  def product_params
+    subject_params(Product)
+  end
+
   # Private: before_action hook which loads Product.
   def load_product
     authorize @product = Product.find(params[:id])

app/controllers/platforms/repositories_controller.rb

@@ -25,7 +25,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
 
   def update
     authorize @repository
-    if @repository.update_attributes params[:repository].slice(:description, :synchronizing_publications, :publish_builds_only_from_branch).merge(publish_without_qa: (params[:repository][:publish_without_qa] || @repository.publish_without_qa))
+    if @repository.update_attributes(repository_params)
       flash[:notice] = I18n.t("flash.repository.updated")
       redirect_to platform_repository_path(@platform, @repository)
     else
@@ -67,7 +67,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
   end
 
   def create
-    authorize @repository = @platform.repositories.build(params[:repository])
+    authorize @repository = @platform.repositories.build(repository_params)
     if @repository.save
       flash[:notice] = t('flash.repository.saved')
       redirect_to platform_repository_path(@platform, @repository)
@@ -175,6 +175,10 @@ class Platforms::RepositoriesController < Platforms::BaseController
 
   protected
 
+  def repository_params
+    subject_params(Repository)
+  end
+
   # Private: before_action hook which loads Repository.
   def load_repository
     authorize @repository = @platform.repositories.find(params[:id])

app/controllers/platforms/tokens_controller.rb

@@ -27,7 +27,7 @@ class Platforms::TokensController < Platforms::BaseController
   end
 
   def create
-    @token = @platform.tokens.build params[:token]
+    @token = @platform.tokens.build token_params
     @token.creator = current_user
     authorize @token
     if @token.save
@@ -42,6 +42,10 @@ class Platforms::TokensController < Platforms::BaseController
 
   protected
 
+  def token_params
+    subject_params(Token)
+  end
+
   # Private: before_action hook which loads Repository.
   def load_token
     authorize @token = @platform.tokens.find(params[:id])

app/controllers/projects/build_lists_controller.rb

@@ -52,21 +52,20 @@ class Projects::BuildListsController < Projects::BaseController
   def create
     notices, errors = [], []
 
-    @repository = Repository.find params[:build_list][:save_to_repository_id]
+    @repository = Repository.find build_list_params[:save_to_repository_id]
-    @platform = @repository.platform
+    @platform   = @repository.platform
 
-    params[:build_list][:save_to_platform_id] = @platform.id
+    build_lists         = []
-
+    build_for_platforms = Platform.joins(:repositories).where(repositories: { id: build_list_params[:include_repos] }).uniq
-    build_for_platforms = Repository.select(:platform_id).
-      where(id: params[:build_list][:include_repos]).group(:platform_id).map(&:platform_id)
-
-    build_lists = []
     Arch.where(id: params[:arches]).each do |arch|
-      Platform.main.where(id: build_for_platforms).each do |build_for_platform|
+      build_for_platforms.find_each do |build_for_platform|
-        @build_list = @project.build_lists.build(params[:build_list])
+        @build_list                    = @project.build_lists.build(build_list_params)
-        @build_list.build_for_platform = build_for_platform; @build_list.arch = arch; @build_list.user = current_user
+        @build_list.save_to_platform   = @platform
-        @build_list.include_repos = @build_list.include_repos.select {|ir| @build_list.build_for_platform.repository_ids.include? ir.to_i}
+        @build_list.build_for_platform = build_for_platform
-        @build_list.priority = current_user.build_priority # User builds more priority than mass rebuild with zero priority
+        @build_list.arch               = arch
+        @build_list.user               = current_user
+        @build_list.include_repos      = @build_list.include_repos.select {|ir| @build_list.build_for_platform.repository_ids.include? ir.to_i}
+        @build_list.priority           = current_user.build_priority # User builds more priority than mass rebuild with zero priority
 
         flash_options = { project_version: @build_list.project_version, arch: arch.name, build_for_platform: build_for_platform.name }
         authorize @build_list
@@ -105,12 +104,12 @@ class Projects::BuildListsController < Projects::BaseController
 
       if params[:attach_advisory] == 'new'
         # create new advisory
-        unless @build_list.associate_and_create_advisory(params[:build_list][:advisory])
+        unless @build_list.associate_and_create_advisory(advisory_params)
           redirect_to :back, notice: t('layout.build_lists.publish_fail') and return
         end
       else
         # attach existing advisory
-        a = Advisory.where(advisory_id: params[:attach_advisory]).first
+        a = Advisory.find_by(advisory_id: params[:attach_advisory])
         unless (a && a.attach_build_list(@build_list))
           redirect_to :back, notice: t('layout.build_lists.publish_fail') and return
         end
@@ -206,6 +205,14 @@ class Projects::BuildListsController < Projects::BaseController
 
   protected
 
+  def build_list_params
+    subject_params(BuildList)
+  end
+
+  def advisory_params
+    permit_params(%i(build_list advisory), *policy(Advisory).permitted_attributes)
+  end
+
   # Private: before_action hook which loads BuidList.
   def load_build_list
     authorize @build_list =
@@ -228,14 +235,14 @@ class Projects::BuildListsController < Projects::BaseController
     build_list = @project.build_lists.find(params[:build_list_id])
 
     params[:build_list] ||= {}
-    keys = [
+    policy(BuildList).permitted_attributes.each do |key|
-      :save_to_repository_id, :auto_publish_status, :include_repos,
+      params[:build_list][key] =
-      :extra_params, :project_version, :update_type, :auto_create_container,
+        if build_list.respond_to?(key)
-      :extra_repositories, :extra_build_lists, :build_for_platform_id,
+          build_list.send(key)
-      :use_cached_chroot, :use_extra_tests, :save_buildroot,
+        elsif build_list.respond_to?("#{key}?")
-      :include_testing_subrepository, :external_nodes
+          build_list.send("#{key}?")
-    ]
+        end
-    keys.each { |key| params[:build_list][key] = build_list.send(key) }
+    end
     params[:arches] = [build_list.arch_id]
     [:owner_filter, :status_filter].each { |t| params[t] = 'true' if %w(true undefined).exclude? params[t] }
   end

app/controllers/projects/collaborators_controller.rb

@@ -24,7 +24,7 @@ class Projects::CollaboratorsController < Projects::BaseController
   end
 
   def create
-    @collaborator = Collaborator.new(params[:collaborator])
+    @collaborator = Collaborator.new(collaborator_params)
     @collaborator.project = @project
     respond_to do |format|
       if @collaborator.save
@@ -62,6 +62,10 @@ class Projects::CollaboratorsController < Projects::BaseController
 
   protected
 
+  def collaborator_params
+    subject_params(Collaborator)
+  end
+
   def find_users
     @users = @project.collaborators.order('uname')#User.all
     @users = @users.without(@project.owner_id) if @project.owner_type == 'User'

app/controllers/projects/comments_controller.rb

@@ -27,7 +27,7 @@ class Projects::CommentsController < Projects::BaseController
 
   def update
     respond_to do |format|
-      if @comment.update_attributes(params[:comment])
+      if @comment.update_attributes(comment_params)
         format.json { render json: {message:t('flash.comment.updated'), body: view_context.markdown(@comment.body)} }
       else
         format.json { render json: {message:t('flash.comment.error_in_updating')}, status: 422 }
@@ -48,6 +48,10 @@ class Projects::CommentsController < Projects::BaseController
 
   protected
 
+  def comment_params
+    subject_params(Comment)
+  end
+
   def find_commentable
     @commentable = params[:issue_id].present? && @project.issues.find_by(serial_id: params[:issue_id]) ||
                    params[:commit_id].present? && @project.repo.commit(params[:commit_id])
@@ -55,7 +59,7 @@ class Projects::CommentsController < Projects::BaseController
 
   def find_or_build_comment
     @comment = params[:id].present? && Comment.where(automatic: false).find(params[:id]) ||
-               current_user.comments.build(params[:comment]) {|c| c.commentable = @commentable; c.project = @project}
+               current_user.comments.build(comment_params) {|c| c.commentable = @commentable; c.project = @project}
     authorize @comment
   end
 end

app/controllers/projects/hooks_controller.rb

@@ -17,7 +17,7 @@ class Projects::HooksController < Projects::BaseController
   end
 
   def create
-    authorize @hook = @project.hooks.build(params[:hook])
+    authorize @hook = @project.hooks.build(hook_params)
     if @hook.save
       redirect_to project_hooks_path(@project, name: @hook.name), notice: t('flash.hook.created')
     else
@@ -28,7 +28,7 @@ class Projects::HooksController < Projects::BaseController
   end
 
   def update
-    if @hook.update_attributes(params[:hook])
+    if @hook.update_attributes(hook_params)
       redirect_to project_hooks_path(@project, name: @hook.name), notice: t('flash.hook.updated')
     else
       flash[:error] = t('flash.hook.save_error')
@@ -44,6 +44,10 @@ class Projects::HooksController < Projects::BaseController
 
   private
 
+  def hook_params
+    subject_params(Hook)
+  end
+
   # Private: before_action hook which loads Hook.
   def load_hook
     authorize @hook = @project.hooks.find(params[:id])

app/controllers/projects/issues_controller.rb

@@ -79,13 +79,10 @@ class Projects::IssuesController < Projects::BaseController
   end
 
   def create
-    @issue         = @project.issues.build(params[:issue])
+    @issue      = @project.issues.new
-    @issue.user_id = current_user.id
+    @issue.assign_attributes(issue_params)
+    @issue.user = current_user
 
-    unless policy(@project).write?
-      @issue.assignee_id  = nil
-      @issue.labelings    = []
-    end
     authorize @issue
     if @issue.save
       @issue.subscribe_creator(current_user.id)
@@ -108,19 +105,12 @@ class Projects::IssuesController < Projects::BaseController
 
       format.json {
         status = 200
-        unless policy(@project).write?
-          params.delete :update_labels
-          [:assignee_id, :labelings, :labelings_attributes].each do |k|
-            params[:issue].delete k
-          end if params[:issue]
-        end
-
         if params[:issue] && status = params[:issue][:status]
           @issue.set_close(current_user) if status == 'closed'
           @issue.set_open if status == 'open'
           status = @issue.save ? 200 : 500
         else
-          status = 422 unless @issue.update_attributes(params[:issue])
+          status = 422 unless @issue.update_attributes(issue_params)
         end
         render status: status
       }
@@ -169,6 +159,10 @@ class Projects::IssuesController < Projects::BaseController
 
   private
 
+  def issue_params
+    subject_params(Issue, @issue)
+  end
+
   # Private: before_action hook which loads Issue.
   def load_issue
     authorize @issue = @project.issues.find_by!(serial_id: params[:id])

app/controllers/projects/projects_controller.rb

@@ -34,7 +34,7 @@ class Projects::ProjectsController < Projects::BaseController
   end
 
   def run_mass_import
-    @project = Project.new params[:project]
+    @project = Project.new project_params
     @project.owner = choose_owner
     authorize @project
     @project.valid?
@@ -54,7 +54,7 @@ class Projects::ProjectsController < Projects::BaseController
   end
 
   def create
-    @project = Project.new params[:project]
+    @project = Project.new project_params
     @project.owner = choose_owner
     authorize @project
 
@@ -73,18 +73,17 @@ class Projects::ProjectsController < Projects::BaseController
     params[:project].delete(:maintainer_id) if params[:project][:maintainer_id].blank?
     respond_to do |format|
       format.html do
-        if @project.update_attributes(params[:project])
+        if @project.update_attributes(project_params)
           flash[:notice] = t('flash.project.saved')
           redirect_to @project
         else
-          @project.save
           flash[:error] = t('flash.project.save_error')
           flash[:warning] = @project.errors.full_messages.join('. ')
           render action: :edit
         end
       end
       format.json do
-        if @project.update_attributes(params[:project])
+        if @project.update_attributes(project_params)
           render json: { notice: I18n.t('flash.project.saved') }
         else
           render json: { error: I18n.t('flash.project.save_error') }, status: 422
@@ -95,7 +94,7 @@ class Projects::ProjectsController < Projects::BaseController
 
   def schedule
     authorize @project
-    p_to_r = @project.project_to_repositories.where(repository_id: params[:repository_id]).first
+    p_to_r = @project.project_to_repositories.find_by(repository_id: params[:repository_id])
     unless p_to_r.repository.publish_without_qa
       authorize p_to_r.repository.platform, :local_admin_manage?
     end
@@ -143,7 +142,7 @@ class Projects::ProjectsController < Projects::BaseController
   def sections
     authorize @project, :update?
     if request.patch?
-      if @project.update_attributes(params[:project])
+      if @project.update_attributes(project_params)
         flash[:notice] = t('flash.project.saved')
         redirect_to sections_project_path(@project)
       else
@@ -192,6 +191,10 @@ class Projects::ProjectsController < Projects::BaseController
 
   protected
 
+  def project_params
+    subject_params(Project)
+  end
+
   def who_owns
     @who_owns = (@project.try(:owner_type) == 'User' ? :me : :group)
   end

app/controllers/projects/pull_requests_controller.rb

@@ -34,7 +34,7 @@ class Projects::PullRequestsController < Projects::BaseController
     to_project = find_destination_project
     authorize to_project, :show?
 
-    @pull  = to_project.pull_requests.new pull_params
+    @pull  = to_project.pull_requests.build pull_params
     @issue = @pull.issue
     @pull.issue.assignee_id = (params[:issue] || {})[:assignee_id] if policy(to_project).write?
     @pull.issue.user, @pull.issue.project, @pull.from_project = current_user, to_project, @project
@@ -131,7 +131,7 @@ class Projects::PullRequestsController < Projects::BaseController
   end
 
   def pull_params
-    @pull_params ||= params[:pull_request].presence
+    @pull_params ||= subject_params(PullRequest).presence
   end
 
   def json_for_autocomplete_base items

app/controllers/users/settings_controller.rb

@@ -7,7 +7,7 @@ class Users::SettingsController < Users::BaseController
   def profile
     if request.patch?
       send_confirmation = params[:user][:email] != @user.email
-      if @user.update_without_password(params[:user])
+      if @user.update_without_password(user_params)
         update_avatar(@user, params)
         if send_confirmation
           @user.confirmed_at = @user.confirmation_sent_at = nil
@@ -29,7 +29,7 @@ class Users::SettingsController < Users::BaseController
 
   def private
     if request.patch?
-      if @user.update_with_password(params[:user])
+      if @user.update_with_password(user_params)
         flash[:notice] = t('flash.user.saved')
         redirect_to private_settings_path and return
       end
@@ -40,7 +40,7 @@ class Users::SettingsController < Users::BaseController
 
   def notifiers
     if request.patch?
-      if @user.notifier.update_attributes(params[:settings_notifier])
+      if @user.notifier.update_attributes(settings_notifier_params)
         flash[:notice] = I18n.t("flash.settings.saved")
         redirect_to notifiers_settings_path and return
       end
@@ -51,7 +51,7 @@ class Users::SettingsController < Users::BaseController
   def builds_settings
     @user.builds_setting ||= @user.build_builds_setting
     if request.patch?
-      if @user.builds_setting.update_attributes(params[:user_builds_setting])
+      if @user.builds_setting.update_attributes(user_builds_setting_params)
         flash[:notice] = I18n.t("flash.settings.saved")
         redirect_to builds_settings_settings_path and return
       end
@@ -59,4 +59,18 @@ class Users::SettingsController < Users::BaseController
     end
   end
 
+  private
+
+  def settings_notifier_params
+    subject_params(SettingsNotifier)
+  end
+
+  def user_params
+    subject_params(User)
+  end
+
+  def user_builds_setting_params
+    subject_params(UserBuildsSetting)
+  end
+
 end

app/controllers/users/ssh_keys_controller.rb

@@ -8,7 +8,7 @@ class Users::SshKeysController < Users::BaseController
   end
 
   def create
-    @ssh_key = current_user.ssh_keys.new params[:ssh_key]
+    @ssh_key = current_user.ssh_keys.new ssh_key_params
 
     if @ssh_key.save
       flash[:notice] = t 'flash.ssh_keys.saved'
@@ -29,4 +29,10 @@ class Users::SshKeysController < Users::BaseController
     redirect_to ssh_keys_path
   end
 
+  private
+
+  def ssh_key_params
+    subject_params(SshKey)
+  end
+
 end

app/models/activity_feed.rb

@@ -9,8 +9,6 @@ class ActivityFeed < ActiveRecord::Base
   belongs_to :creator, class_name: 'User'
   serialize  :data
 
-  attr_accessible :user, :kind, :data, :project_owner, :project_name, :creator_id
-
   default_scope { order created_at: :desc }
   scope :outdated,        -> { offset(1000) }
   scope :by_project_name, ->(name)  { where(project_name: name)   if name.present?  }

app/models/advisory.rb

@@ -12,8 +12,6 @@ class Advisory < ActiveRecord::Base
   after_create :generate_advisory_id
   before_save  :normalize_references, if: :references_changed?
 
-  attr_accessible :description, :references
-
   ID_TEMPLATE        = 'ROSA-%<type>s-%<year>d:%<id>04d'
   ID_STRING_TEMPLATE = 'ROSA-%<type>s-%<year>04s:%<id>04s'
   TYPES = {'security' => 'SA', 'bugfix' => 'A'}

app/models/avatar.rb

@@ -15,6 +15,4 @@ class Avatar < ActiveRecord::Base
   validates_attachment_size :avatar, less_than_or_equal_to: MAX_AVATAR_SIZE
   validates_attachment_content_type :avatar, content_type: /\Aimage/
   validates_attachment_file_name :avatar, matches: [ /(png|jpe?g|gif|bmp|tif?f)\z/i ]
-
-  attr_accessible :avatar
 end

app/models/build_list.rb

@@ -88,13 +88,6 @@ class BuildList < ActiveRecord::Base
   before_validation :prepare_extra_params,        on: :create
   before_validation :prepare_auto_publish_status, on: :create
 
-  attr_accessible :include_repos, :auto_publish, :build_for_platform_id, :commit_hash,
-                  :arch_id, :project_id, :save_to_repository_id, :update_type,
-                  :save_to_platform_id, :project_version, :auto_create_container,
-                  :extra_repositories, :extra_build_lists, :extra_params,
-                  :include_testing_subrepository, :auto_publish_status,
-                  :use_cached_chroot, :use_extra_tests, :save_buildroot
-
   LIVE_TIME     = 4.week  # for unpublished
   MAX_LIVE_TIME = 3.month # for published
   STATUSES, HUMAN_STATUSES = [], {}

app/models/build_list/item.rb

@@ -2,7 +2,7 @@ class BuildList::Item < ActiveRecord::Base
 
   belongs_to :build_list, touch: true
 
-  attr_protected :build_list_id
+  # attr_protected :build_list_id
 
   GIT_ERROR = 5
 

app/models/build_list/package.rb

@@ -7,8 +7,6 @@ class BuildList::Package < ActiveRecord::Base
 
   serialize :dependent_packages, Array
 
-  attr_accessible :fullname, :name, :release, :version, :sha1, :epoch, :dependent_packages
-
   validates :build_list, :build_list_id, :project, :project_id,
             :platform, :platform_id, :fullname,
             :package_type, :name, :release, :version,

app/models/build_script.rb

@@ -18,7 +18,6 @@ class BuildScript < ActiveRecord::Base
 
   before_validation :attach_project
   attr_writer       :project_name
-  attr_accessible   :project_name, :treeish, :commit, :sha1, :status
 
   state_machine :status, initial: :active do
     event(:disable) { transition active: :blocked }

app/models/collaborator.rb

@@ -2,14 +2,11 @@ class Collaborator
   include ActiveModel::Conversion
   include ActiveModel::Validations
   include ActiveModel::Serializers::JSON
-  include ActiveModel::MassAssignmentSecurity
   extend  ActiveModel::Naming
 
   attr_accessor :role, :actor, :project, :relation
   attr_reader :id, :actor_id, :actor_type, :actor_name, :project_id
 
-  attr_accessible :role
-
   delegate :new_record?, to: :relation
 
   class << self
@@ -56,7 +53,7 @@ class Collaborator
   end
 
   def update_attributes(attributes, options = {})
-    sanitize_for_mass_assignment(attributes, options[:as]).each_pair do |k, v|
+    attributes.each_pair do |k, v|
       send("#{k}=", v)
     end
     save

app/models/comment.rb

@@ -22,8 +22,6 @@ class Comment < ActiveRecord::Base
   after_create :subscribe_on_reply, unless: ->(c) { c.commit_comment? }
   after_create :subscribe_users
 
-  attr_accessible :body, :data
-
   def commentable
     commit_comment? ? project.repo.commit(Comment.hex_to_commit_hash commentable_id) : super
   end

app/models/concerns/autostart.rb

@@ -15,8 +15,6 @@ module Autostart
   included do
     validates :autostart_status, numericality: true,
       inclusion: {in: AUTOSTART_STATUSES}, allow_blank: true
-
-    attr_accessible :autostart_status
   end
 
   def human_autostart_status

app/models/concerns/build_list_observer.rb

@@ -37,7 +37,7 @@ module BuildListObserver
           end
           build_count = statistic.build_count.to_i
           new_av_time = ( statistic.average_build_time * build_count + duration.to_i ) / ( build_count + 1 )
-          statistic.update_attributes({average_build_time: new_av_time, build_count: build_count + 1}, without_protection: true)
+          statistic.update_attributes(average_build_time: new_av_time, build_count: build_count + 1)
         end
       end
     end

app/models/concerns/default_branchable.rb

@@ -4,8 +4,6 @@ module DefaultBranchable
   included do
     validates :default_branch,
               length:     { maximum: 100 }
-
-    attr_accessible :default_branch
   end
 
 end

app/models/concerns/external_nodable.rb

@@ -7,9 +7,6 @@ module ExternalNodable
     validates :external_nodes,
               inclusion:              { in: EXTERNAL_NODES },
               allow_blank:            true
-
-
-    attr_accessible :external_nodes
   end
 
 end

app/models/concerns/feed/comment.rb

@@ -17,22 +17,20 @@ module Feed::Comment
         if can_notify_on_new_comment?(subscribe)
           UserMailer.new_comment_notification(self, subscribe.user_id).deliver unless own_comment?(subscribe.user)
           ActivityFeed.create(
-            {
+            user_id:           subscribe.user_id,
-              user_id:           subscribe.user_id,
+            kind:              'new_comment_notification',
-              kind:              'new_comment_notification',
+            project_owner:     project.owner_uname,
-              project_owner:     project.owner_uname,
+            project_name:      project.name,
-              project_name:      project.name,
+            creator_id:        user_id,
-              creator_id:        user_id,
+            data: {
-              data: {
+              creator_name:    user.name,
-                creator_name:    user.name,
+              creator_email:   user.email,
-                creator_email:   user.email,
+              comment_body:    body.truncate(100, omission: '…'),
-                comment_body:    body.truncate(100, omission: '…'),
+              issue_title:     commentable.title,
-                issue_title:     commentable.title,
+              issue_serial_id: commentable.serial_id,
-                issue_serial_id: commentable.serial_id,
+              project_id:      commentable.project.id,
-                project_id:      commentable.project.id,
+              comment_id:      id
-                comment_id:      id
+            }
-              }
-            }, without_protection: true
           )
         end
       end
@@ -46,23 +44,21 @@ module Feed::Comment
           UserMailer.new_comment_notification(self, subscribe.user_id).deliver
         end
         ActivityFeed.create(
-          {
+          user_id:          subscribe.user_id,
-            user_id:          subscribe.user_id,
+          kind:             'new_comment_commit_notification',
-            kind:             'new_comment_commit_notification',
+          project_owner:    project.owner_uname,
-            project_owner:    project.owner_uname,
+          project_name:     project.name,
-            project_name:     project.name,
+          creator_id:       user_id,
-            creator_id:       user_id,
+          data:     {
-            data:     {
+            creator_name:   user.name,
-              creator_name:   user.name,
+            creator_email:  user.email,
-              creator_email:  user.email,
 
-              comment_body:   body.truncate(100, omission: '…'),
+            comment_body:   body.truncate(100, omission: '…'),
-              commit_message: commentable.message.truncate(70, omission: '…'),
+            commit_message: commentable.message.truncate(70, omission: '…'),
-              commit_id:      commentable.id,
+            commit_id:      commentable.id,
-              project_id:     project.id,
+            project_id:     project.id,
-              comment_id:     id
+            comment_id:     id
-            }
+          }
-          }, without_protection: true
         )
       end
     end

app/models/concerns/product_build_lists/statusable.rb

@@ -41,8 +41,6 @@ module ProductBuildLists::Statusable
       presence:       true,
       inclusion:      { in: STATUSES }
 
-    attr_accessible :status
-
     before_destroy :can_destroy?
 
     state_machine :status, initial: :build_pending do

app/models/concerns/time_living.rb

@@ -18,7 +18,6 @@ module TimeLiving
     }
 
     before_validation :convert_time_living
-    attr_accessible :time_living
   end
 
   protected

app/models/event_log.rb

@@ -12,7 +12,6 @@ class EventLog < ActiveRecord::Base
     self.eventable_name ||= eventable.name if eventable.respond_to?(:name)
   end
   # after_create { self.class.current_controller = nil }
-  attr_accessible :kind, :message, :eventable, :eventable_name
 
   class << self
     def create_with_current_controller(attributes)

app/models/feedback.rb

@@ -5,15 +5,12 @@ class Feedback
   include ActiveModel::Conversion
   include ActiveModel::Validations
   include ActiveModel::Serializers::JSON
-  include ActiveModel::MassAssignmentSecurity
   extend  ActiveModel::Naming
 
   self.include_root_in_json = false
 
   attr_accessor :name, :email, :subject, :message
 
-  attr_accessible :name, :email, :subject, :message
-
   validates :name, :subject, :message, presence: true
   validates :email, presence: true,
                     format: { with: /\A[^@]+@([^@\.]+\.)+[^@\.]+\z/,
@@ -24,7 +21,7 @@ class Feedback
     if args.respond_to? :name and args.respond_to? :email
       self.name, self.email = args.name, args.email
     elsif args.respond_to? :each_pair
-      sanitize_for_mass_assignment(args, options[:as]).each_pair do |k, v|
+      args.each_pair do |k, v|
         send("#{k}=", v)
       end
     else

app/models/flash_notify.rb

@@ -8,8 +8,6 @@ class FlashNotify < ActiveRecord::Base
   validates :status, inclusion: {in: STATUSES}
   validates :body_ru, :body_en, :status, presence: true
 
-  attr_accessible :body_ru, :body_en, :status, :published
-
   def hash_id
     @digest ||= Digest::MD5.hexdigest("#{self.id}-#{self.updated_at}")
   end

app/models/group.rb

@@ -32,7 +32,6 @@ class Group < Avatar
     joins(:actors).where('relations.role' => ['admin', 'writer'], 'relations.actor_id' => actor.id, 'relations.actor_type' => 'User')
   }
 
-  attr_accessible :uname, :description, :delete_avatar
   attr_readonly :uname
 
   attr_accessor :delete_avatar

app/models/hook.rb

@@ -9,8 +9,6 @@ class Hook < ActiveRecord::Base
   validates :project, :data, presence: true
   validates :name, presence: true, inclusion: {in: NAMES}
 
-  attr_accessible :data, :name
-
   serialize :data,  Hash
 
   scope :for_name, ->(name) { where(name: name) if name.present? }

app/models/issue.rb

@@ -47,9 +47,8 @@ class Issue < ActiveRecord::Base
   before_create :update_statistic
   before_update :update_statistic
 
-  attr_accessible :labelings_attributes, :title, :body, :assignee_id
   accepts_nested_attributes_for :labelings,
-    reject_if: lambda {|attributes| attributes['label_id'].blank?},
+    reject_if:     -> (attributes) { attributes['label_id'].blank? },
     allow_destroy: true
 
   scope :opened, -> { where(status: [STATUS_OPEN, STATUS_REOPEN]) }

app/models/key_pair.rb

@@ -4,7 +4,6 @@ class KeyPair < ActiveRecord::Base
   belongs_to :user
 
   attr_accessor :fingerprint
-  attr_accessible :public, :secret, :repository_id
   attr_encrypted :secret, key: APP_CONFIG['keys']['key_pair_secret_key']
 
   validates :repository, :user, presence: true

app/models/label.rb

@@ -8,6 +8,4 @@ class Label < ActiveRecord::Base
 
   validates :color, presence: true
   validates :color, format: { with: /\A([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})\z/, message: I18n.t('layout.issues.invalid_labels') }
-
-  attr_accessible :name, :color
 end

app/models/labeling.rb

@@ -1,6 +1,4 @@
 class Labeling < ActiveRecord::Base
   belongs_to :issue
   belongs_to :label
-
-  attr_accessible :id, :label_id
 end

app/models/mass_build.rb

@@ -45,10 +45,6 @@ class MassBuild < ActiveRecord::Base
   scope :search,      -> (q) { where("#{table_name}.description ILIKE ?", "%#{q}%") if q.present? }
 
   attr_accessor :arches, :repositories
-  attr_accessible :arches, :auto_publish_status, :projects_list, :build_for_platform_id,
-                  :extra_repositories, :extra_build_lists, :increase_release_tag,
-                  :use_cached_chroot, :use_extra_tests, :description, :extra_mass_builds,
-                  :include_testing_subrepository, :auto_create_container, :repositories
 
   validates :save_to_platform_id,
             :build_for_platform_id,

app/models/node_instruction.rb

@@ -23,8 +23,6 @@ class NodeInstruction < ActiveRecord::Base
     errors.add(:status, 'Can be only single active instruction for each node') if !disabled? && NodeInstruction.duplicate(id.to_i, user_id).exists?
   }
 
-  attr_accessible :instruction, :user_id, :output, :status
-
   state_machine :status, initial: :ready do
 
     after_transition(on: :restart) do |instruction, transition|

app/models/platform.rb

@@ -98,18 +98,6 @@ class Platform < ActiveRecord::Base
   after_destroy -> { remove_symlink_directory unless hidden? }
 
   accepts_nested_attributes_for :platform_arch_settings, allow_destroy: true
-  attr_accessible :name,
-                  :distrib_type,
-                  :parent_platform_id,
-                  :platform_type,
-                  :owner,
-                  :visibility,
-                  :description,
-                  :released,
-                  :platform_arch_settings_attributes,
-                  :automatic_metadata_regeneration,
-                  :admin_id,
-                  :term
 
   attr_accessor :admin_id, :term
 

app/models/platform_arch_setting.rb

@@ -15,6 +15,4 @@ class PlatformArchSetting < ActiveRecord::Base
 
   scope :by_arch,    ->(arch) { where(arch_id: arch) if arch.present? }
   scope :by_default, -> { where(default: true) }
-
-  attr_accessible :arch_id, :platform_id, :default
 end

app/models/product.rb

@@ -16,13 +16,6 @@ class Product < ActiveRecord::Base
 
   scope :recent, -> { order(:name) }
 
-  attr_accessible :name,
-                  :description,
-                  :project_id,
-                  :main_script,
-                  :params,
-                  :platform_id,
-                  :project_version
   attr_readonly :platform_id
 
   def full_clone(attrs = {})

app/models/product_build_list.rb

@@ -28,16 +28,6 @@ class ProductBuildList < ActiveRecord::Base
   validates :main_script, :params, length: { maximum: 255 }
 
   attr_accessor :base_url, :product_name
-  attr_accessible :base_url,
-                  :branch,
-                  :project_id,
-                  :main_script,
-                  :params,
-                  :project_version,
-                  :commit_hash,
-                  :product_id,
-                  :not_delete,
-                  :product_name
 
   attr_readonly :product_id
   serialize :results, Array

app/models/project.rb

@@ -62,10 +62,6 @@ class Project < ActiveRecord::Base
     errors.delete :project_to_repositories
   end
 
-  attr_accessible :name, :description, :visibility, :srpm, :is_package,
-                  :has_issues, :has_wiki, :maintainer_id, :publish_i686_into_x86_64,
-                  :url, :srpms_list, :mass_import, :add_to_repository_id, :architecture_dependent,
-                  :autostart_status
   attr_readonly :owner_id, :owner_type
 
   before_validation :truncate_name, on: :create

app/models/project_statistic.rb

@@ -5,6 +5,4 @@ class ProjectStatistic < ActiveRecord::Base
 
   validates :arch, :project, :average_build_time, :build_count, presence: true
   validates :project_id, uniqueness: { scope: :arch_id }
-
-  attr_accessible :average_build_time, :build_count
 end

app/models/project_tag.rb

@@ -11,8 +11,6 @@ class ProjectTag < ActiveRecord::Base
   validates :project, :commit_id, :sha1, :tag_name, :format_id, presence: true
   validates :project_id, uniqueness: { scope: [:tag_name, :format_id] }
 
-  attr_accessible :project_id, :commit_id, :sha1, :tag_name, :format_id
-
   def sha1_of_file_store_files
     [sha1]
   end

app/models/project_to_repository.rb

@@ -12,8 +12,6 @@ class ProjectToRepository < ActiveRecord::Base
 
   validate :one_project_in_platform_repositories, on: :create
 
-  attr_accessible :project, :project_id
-
   AUTOSTART_OPTIONS.each do |field|
     store_accessor :autostart_options, field
   end

app/models/pull_request.rb

@@ -49,7 +49,6 @@ class PullRequest < ActiveRecord::Base
   after_destroy :clean_dir
 
   accepts_nested_attributes_for :issue
-  attr_accessible :issue_attributes, :to_ref, :from_ref
 
   scope :needed_checking,       -> { includes(:issue).where(issues: { status: [STATUS_OPEN, STATUS_BLOCKED, STATUS_READY] }) }
   scope :not_closed_or_merged,  -> { needed_checking }

app/models/relation.rb

@@ -15,8 +15,6 @@ class Relation < ActiveRecord::Base
 #  validate { errors.add(:actor, :taken) if Relation.where(actor_type: self.actor_type, actor_id: self.actor_id).present? }
   before_validation :add_default_role
 
-  attr_accessible :actor_id, :actor_type, :target_id, :target_type, :actor, :target, :role
-
   scope :by_user_through_groups, ->(u) {
     where("actor_type = 'User' AND actor_id = ? OR actor_type = 'Group' AND actor_id IN (?)", u.id, u.group_ids)
   }

app/models/repository.rb

@@ -36,13 +36,6 @@ class Repository < ActiveRecord::Base
 
   before_destroy  :detele_directory
 
-  attr_accessible :name,
-                  :description,
-                  :publish_without_qa,
-                  :synchronizing_publications,
-                  :publish_builds_only_from_branch,
-                  :build_for_platform_id
-
   attr_readonly :name, :platform_id
   attr_accessor :projects_list, :build_for_platform_id
 

app/models/repository_status.rb

@@ -31,8 +31,6 @@ class RepositoryStatus < ActiveRecord::Base
   validates :repository, :platform, presence: true
   validates :repository_id, uniqueness: { scope: :platform_id }
 
-  attr_accessible :platform_id, :repository_id
-
   scope :platform_ready, -> { where(platforms: {status: READY}).joins(:platform) }
   scope :for_regeneration, -> { where(status: WAITING_FOR_REGENERATION) }
   scope :for_resign, -> { where(status: [WAITING_FOR_RESIGN, WAITING_FOR_RESIGN_AND_REGENERATION]) }

app/models/settings_notifier.rb

@@ -3,16 +3,4 @@ class SettingsNotifier < ActiveRecord::Base
 
   validates :user, presence: true
 
-  attr_accessible :can_notify,
-                  :update_code,
-                  :new_comment_commit_owner,
-                  :new_comment_commit_repo_owner,
-                  :new_comment_commit_commentor,
-                  :new_comment,
-                  :new_comment_reply,
-                  :new_issue,
-                  :issue_assign,
-                  :new_build,
-                  :new_associated_build
-
 end

app/models/ssh_key.rb

@@ -5,7 +5,6 @@ class SshKey < ActiveRecord::Base
   SHELL_KEY_COMMAND = "sudo -i -u #{APP_CONFIG['shell_user']} ~#{APP_CONFIG['shell_user']}/gitlab-shell/bin/gitlab-keys"
 
   belongs_to :user
-  attr_accessible :key, :name
 
   before_validation -> { self.key = key.strip if key.present? }
   before_validation :set_fingerprint

app/models/statistic.rb

@@ -41,14 +41,6 @@ class Statistic < ActiveRecord::Base
   validates :activity_at,
     presence: true
 
-  attr_accessible :user_id,
-                  :email,
-                  :project_id,
-                  :project_name_with_owner,
-                  :key,
-                  :counter,
-                  :activity_at
-
   scope :for_period,            -> (start_date, end_date) {
     where(activity_at: (start_date..end_date))
   }

app/models/subscribe.rb

@@ -3,7 +3,6 @@ class Subscribe < ActiveRecord::Base
   belongs_to :user
   belongs_to :project
 
-  attr_accessible :status, :user_id
   validates :user, presence: true
 
   def commit_subscribe?
@@ -38,7 +37,7 @@ class Subscribe < ActiveRecord::Base
     if subscribe = Subscribe.where(options).first
       subscribe.update_attributes(status: status)
     else
-      Subscribe.create(options.merge(status: status), without_protection: true)
+      Subscribe.create options.merge(status: status)
     end
   end
 

app/models/token.rb

@@ -12,8 +12,6 @@ class Token < ActiveRecord::Base
 
   before_validation :generate_token, on: :create
 
-  attr_accessible :description
-
   state_machine :status, initial: :active do
     event :block do
       transition [:active, :blocked] => :blocked

app/models/user.rb

@@ -56,8 +56,6 @@ class User < Avatar
   validates :role, inclusion: { in: EXTENDED_ROLES }, allow_blank: true
   validates :language, inclusion: { in: LANGUAGES }, allow_blank: true
 
-  attr_accessible :email, :password, :password_confirmation, :current_password, :remember_me, :login, :name, :uname, :language,
-                  :site, :company, :professional_experience, :location, :sound_notifications, :hide_email, :delete_avatar
   attr_readonly :uname
   attr_accessor :login, :delete_avatar
 

app/models/user_builds_setting.rb

@@ -5,6 +5,4 @@ class UserBuildsSetting < ActiveRecord::Base
 
   validates :user, presence: true
 
-  attr_accessible :platforms
-
 end

app/policies/advisory_policy.rb

@@ -11,4 +11,14 @@ class AdvisoryPolicy < ApplicationPolicy
   end
   alias_method :update?, :create?
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      description
+      references
+    )
+  end
+
 end

app/policies/build_list_policy.rb

@@ -57,6 +57,37 @@ class BuildListPolicy < ApplicationPolicy
     ProjectPolicy.new(user, record.project).write?
   end
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    pa = %i(
+      arch_id
+      auto_create_container
+      auto_publish
+      auto_publish_status
+      build_for_platform_id
+      commit_hash
+      external_nodes
+      include_testing_subrepository
+      project_id
+      project_version
+      save_buildroot
+      save_to_platform_id
+      save_to_repository_id
+      update_type
+      use_cached_chroot
+      use_extra_tests
+    )
+    pa << {
+      include_repos:      [],
+      extra_build_lists:  [],
+      extra_repositories: [],
+      extra_params:       BuildList::EXTRA_PARAMS,
+    }
+    pa
+  end
+
   class Scope < Scope
 
     def read

app/policies/collaborator_policy.rb

@@ -0,0 +1,10 @@
+class CollaboratorPolicy < ApplicationPolicy
+
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(role actor_id actor_type)
+  end
+
+end

app/policies/comment_policy.rb

@@ -11,4 +11,11 @@ class CommentPolicy < ApplicationPolicy
   end
   alias_method :destroy?, :update?
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(body data)
+  end
+
 end

app/policies/group_policy.rb

@@ -32,6 +32,15 @@ class GroupPolicy < ApplicationPolicy
     !user.guest? && ( is_admin? || owner? )
   end
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    pa = %i(avatar description delete_avatar default_branch)
+    pa << :uname if record.new_record?
+    pa
+  end
+
   class Scope < Scope
     def show
       scope

app/policies/hook_policy.rb

@@ -8,4 +8,11 @@ class HookPolicy < ApplicationPolicy
   alias_method :destroy?, :show?
   alias_method :update?,  :show?
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(data name)
+  end
+
 end

app/policies/issue_policy.rb

@@ -18,4 +18,17 @@ class IssuePolicy < ApplicationPolicy
     is_admin? || record.user_id == user.id || local_admin?(record.project)
   end
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    pa = %i(title body)
+    if ProjectPolicy.new(user, record.project).write?
+      pa << :assignee_id
+      pa << { labelings_attributes: %i(id name color label_id _destroy) }
+      pa << { labelings: [] }
+    end
+    pa
+  end
+
 end

app/policies/key_pair_policy.rb

@@ -6,4 +6,11 @@ class KeyPairPolicy < ApplicationPolicy
   end
   alias_method :destroy?, :create?
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(public secret repository_id)
+  end
+
 end

app/policies/mass_build_policy.rb

@@ -15,4 +15,27 @@ class MassBuildPolicy < ApplicationPolicy
     !record.stop_build && create?
   end
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      arches
+      auto_create_container
+      auto_publish_status
+      build_for_platform_id
+      description
+      external_nodes
+      extra_build_lists
+      extra_mass_builds
+      extra_repositories
+      include_testing_subrepository
+      increase_release_tag
+      projects_list
+      repositories
+      use_cached_chroot
+      use_extra_tests
+    )
+  end
+
 end

app/policies/platform_policy.rb

@@ -62,6 +62,28 @@ class PlatformPolicy < ApplicationPolicy
     record.personal? && ( is_admin? || owner? )
   end
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      admin_id
+      automatic_metadata_regeneration
+      default_branch
+      description
+      distrib_type
+      name
+      owner
+      parent_platform_id
+      platform_type
+      released
+      term
+      visibility
+    ) + [
+      platform_arch_settings_attributes: %i(id arch_id platform_id default time_living)
+    ]
+  end
+
   class Scope < Scope
 
     def related

app/policies/product_build_list_policy.rb

@@ -24,4 +24,24 @@ class ProductBuildListPolicy < ApplicationPolicy
     is_admin? || ProductPolicy.new(user, record.product).destroy?
   end
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      base_url
+      branch
+      commit_hash
+      main_script
+      not_delete
+      params
+      product_id
+      product_name
+      project_id
+      project_version
+      status
+      time_living
+    )
+  end
+
 end

app/policies/product_policy.rb

@@ -17,4 +17,21 @@ class ProductPolicy < ApplicationPolicy
   alias_method :destroy?, :create?
   alias_method :update?,  :create?
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      autostart_status
+      description
+      main_script
+      name
+      params
+      platform_id
+      project_id
+      project_version
+      time_living
+    )
+  end
+
 end

app/policies/project_policy.rb

@@ -71,6 +71,30 @@ class ProjectPolicy < ApplicationPolicy
     true
   end
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      add_to_repository_id
+      architecture_dependent
+      autostart_status
+      default_branch
+      description
+      has_issues
+      has_wiki
+      is_package
+      maintainer_id
+      mass_import
+      name
+      publish_i686_into_x86_64
+      srpm
+      srpms_list
+      url
+      visibility
+    )
+  end
+
   class Scope < Scope
 
     def membered

app/policies/pull_request_policy.rb

@@ -22,4 +22,16 @@ class PullRequestPolicy < ApplicationPolicy
     is_admin? || local_writer?(record.to_project)
   end
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      body
+      from_ref
+      title
+      to_ref
+    ) + [ issue_attributes: %i(title body) ]
+  end
+
 end

app/policies/repository_policy.rb

@@ -54,6 +54,20 @@ class RepositoryPolicy < ApplicationPolicy
   end
   alias_method :remove_repo_lock_file?, :add_repo_lock_file?
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      name
+      description
+      publish_without_qa
+      synchronizing_publications
+      publish_builds_only_from_branch
+      build_for_platform_id
+    )
+  end
+
 private
 
   # Public: Get user ids of repository.

app/policies/settings_notifier_policy.rb

@@ -0,0 +1,22 @@
+class SettingsNotifierPolicy < ApplicationPolicy
+
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      can_notify
+      update_code
+      new_comment_commit_owner
+      new_comment_commit_repo_owner
+      new_comment_commit_commentor
+      new_comment
+      new_comment_reply
+      new_issue
+      issue_assign
+      new_build
+      new_associated_build
+    )
+  end
+
+end