#472: Update Api::V1::UsersController

app/controllers/api/v1/users_controller.rb

@@ -16,7 +16,7 @@ class Api::V1::UsersController < Api::V1::BaseController
   def update
     user_params = params[:user] || {}
     send_confirmation = user_params[:email] != @user.email
-    if @user.update_without_password(user_params)
+    if @user.update_without_password(subject_params(User))
       if send_confirmation
         @user.confirmed_at, @user.confirmation_sent_at = nil
         @user.send_confirmation_instructions
@@ -29,7 +29,7 @@ class Api::V1::UsersController < Api::V1::BaseController
 
   def notifiers
     if request.put?
-      if @user.notifier.update_attributes(params[:notifiers])
+      if @user.notifier.update_attributes(notifier_params)
         render_json_response @user, 'User notification settings have been updated successfully'
       else
         render_json_response @user, error_message(@user.notifier, 'User notification settings have not been updated'), 422
@@ -39,6 +39,10 @@ class Api::V1::UsersController < Api::V1::BaseController
 
   protected
 
+  def notifier_params
+    permit_params(:notifiers, *policy(SettingsNotifier).permitted_attributes)
+  end
+
   def set_current_user
     authorize @user = current_user
   end

app/models/settings_notifier.rb

@@ -3,16 +3,4 @@ class SettingsNotifier < ActiveRecord::Base
 
   validates :user, presence: true
 
-  # attr_accessible :can_notify,
-  #                 :update_code,
-  #                 :new_comment_commit_owner,
-  #                 :new_comment_commit_repo_owner,
-  #                 :new_comment_commit_commentor,
-  #                 :new_comment,
-  #                 :new_comment_reply,
-  #                 :new_issue,
-  #                 :issue_assign,
-  #                 :new_build,
-  #                 :new_associated_build
-
 end

app/models/user.rb

@@ -56,8 +56,6 @@ class User < Avatar
   validates :role, inclusion: { in: EXTENDED_ROLES }, allow_blank: true
   validates :language, inclusion: { in: LANGUAGES }, allow_blank: true
 
-  # attr_accessible :email, :password, :password_confirmation, :current_password, :remember_me, :login, :name, :uname, :language,
-  #                 :site, :company, :professional_experience, :location, :sound_notifications, :hide_email, :delete_avatar
   attr_readonly :uname
   attr_accessor :login, :delete_avatar
 

app/policies/settings_notifier_policy.rb

@@ -0,0 +1,22 @@
+class SettingsNotifierPolicy < ApplicationPolicy
+
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      can_notify
+      update_code
+      new_comment_commit_owner
+      new_comment_commit_repo_owner
+      new_comment_commit_commentor
+      new_comment
+      new_comment_reply
+      new_issue
+      issue_assign
+      new_build
+      new_associated_build
+    )
+  end
+
+end

app/policies/user_policy.rb

@@ -11,6 +11,30 @@ class UserPolicy < ApplicationPolicy
   alias_method :show_current_user?, :update?
   alias_method :write?,             :update?
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      company
+      current_password
+      delete_avatar
+      email
+      hide_email
+      language
+      location
+      login
+      name
+      password
+      password_confirmation
+      professional_experience
+      remember_me
+      site
+      sound_notifications
+      uname
+    )
+  end
+
   class Scope < Scope
     def show
       scope