#472: Update Projects::CollaboratorsController

app/controllers/projects/collaborators_controller.rb

@@ -24,7 +24,7 @@ class Projects::CollaboratorsController < Projects::BaseController
   end
 
   def create
-    @collaborator = Collaborator.new(params[:collaborator])
+    @collaborator = Collaborator.new(collaborator_params)
     @collaborator.project = @project
     respond_to do |format|
       if @collaborator.save
@@ -62,6 +62,10 @@ class Projects::CollaboratorsController < Projects::BaseController
 
   protected
 
+  def collaborator_params
+    subject_params(Collaborator)
+  end
+
   def find_users
     @users = @project.collaborators.order('uname')#User.all
     @users = @users.without(@project.owner_id) if @project.owner_type == 'User'

app/models/collaborator.rb

@@ -2,14 +2,11 @@ class Collaborator
   include ActiveModel::Conversion
   include ActiveModel::Validations
   include ActiveModel::Serializers::JSON
-  # include ActiveModel::MassAssignmentSecurity
   extend  ActiveModel::Naming
 
   attr_accessor :role, :actor, :project, :relation
   attr_reader :id, :actor_id, :actor_type, :actor_name, :project_id
 
-  # attr_accessible :role
-
   delegate :new_record?, to: :relation
 
   class << self
@@ -56,7 +53,7 @@ class Collaborator
   end
 
   def update_attributes(attributes, options = {})
-    sanitize_for_mass_assignment(attributes, options[:as]).each_pair do |k, v|
+    attributes.each_pair do |k, v|
       send("#{k}=", v)
     end
     save

app/policies/collaborator_policy.rb

@@ -0,0 +1,10 @@
+class CollaboratorPolicy < ApplicationPolicy
+
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(role actor_id actor_type)
+  end
+
+end