diff --git a/app/controllers/api/v1/products_controller.rb b/app/controllers/api/v1/products_controller.rb
index 4c3a5edd5..5dd9e598e 100644
--- a/app/controllers/api/v1/products_controller.rb
+++ b/app/controllers/api/v1/products_controller.rb
@@ -5,7 +5,7 @@ class Api::V1::ProductsController < Api::V1::BaseController
 before_action :load_product, except: :create
 def create
- create_subject @product = Product.new(params[:product])
+ create_subject @product = Product.new(subject_params(Product))
 end
 def update
diff --git a/app/models/product.rb b/app/models/product.rb
index 7fa8d547e..9280213d3 100644
--- a/app/models/product.rb
+++ b/app/models/product.rb
@@ -16,13 +16,6 @@ class Product < ActiveRecord::Base
 scope :recent, -> { order(:name) }
- # attr_accessible :name,
- # :description,
- # :project_id,
- # :main_script,
- # :params,
- # :platform_id,
- # :project_version
 attr_readonly :platform_id
 def full_clone(attrs = {})
diff --git a/app/policies/product_policy.rb b/app/policies/product_policy.rb
index 86120b9ee..ee62cf7e1 100644
--- a/app/policies/product_policy.rb
+++ b/app/policies/product_policy.rb
@@ -17,4 +17,21 @@ class ProductPolicy < ApplicationPolicy
 alias_method :destroy?, :create?
 alias_method :update?, :create?
+ # Public: Get list of parameters that the user is allowed to alter.
+ #
+ # Returns Array
+ def permitted_attributes
+ %i(
+ autostart_status
+ description
+ main_script
+ name
+ params
+ platform_id
+ project_id
+ project_version
+ time_living
+ )
+ end
+
 end
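Review bot: Only `create` is moved onto filtered parameters in this hunk; `update` begins on the last context line and its body is outside the hunk, so it is not visible whether it still assigns `params[:product]` directly. The model carries no attribute whitelist of its own (the `attr_accessible` list in product.rb was already commented out and is deleted by this commit), so any remaining raw assignment would bypass `ProductPolicy#permitted_attributes`; whatever `update` uses should receive `subject_params(Product)` as well. `subject_params` is defined outside this diff, so a short comment on the call such as `# subject_params filters through ProductPolicy#permitted_attributes` would help, assuming that is what it does.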
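Review bot: `project_id` and `platform_id` sit in an unconditional `permitted_attributes` list, and because `update?` is aliased to `create?` in the context lines the same list presumably governs both actions. If `create?` (its body is outside the hunk) authorizes against the record's current project, a caller allowed to edit a product in one project could submit a different `project_id` and reassign it to a project they hold no rights on; authorization should be re-checked after assignment, or `project_id` dropped from the list applied on update. `autostart_status` and `time_living` were not in the old `attr_accessible` comment removed from product.rb, so confirm they are meant to be client-settable. A comment above the list such as `# project_id is client-settable: authorize against the target project after assignment` would record the assumption.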