From d38bede620818e7a900bfb9a7c5877268747ad14 Mon Sep 17 00:00:00 2001
From: Vokhmin Alexey V <avokhmin@gmail.com>
Date: Thu, 21 May 2015 00:03:08 +0300
Subject: [PATCH] #472: Update Api::V1::UsersController

---
 app/controllers/api/v1/users_controller.rb |  8 ++++++--
 app/models/settings_notifier.rb            | 12 -----------
 app/models/user.rb                         |  2 --
 app/policies/settings_notifier_policy.rb   | 22 ++++++++++++++++++++
 app/policies/user_policy.rb                | 24 ++++++++++++++++++++++
 5 files changed, 52 insertions(+), 16 deletions(-)
 create mode 100644 app/policies/settings_notifier_policy.rb

diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index 33060f508..ba912ccbe 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -16,7 +16,7 @@ class Api::V1::UsersController < Api::V1::BaseController
   def update
     user_params = params[:user] || {}
     send_confirmation = user_params[:email] != @user.email
-    if @user.update_without_password(user_params)
+    if @user.update_without_password(subject_params(User))
       if send_confirmation
         @user.confirmed_at, @user.confirmation_sent_at = nil
         @user.send_confirmation_instructions
@@ -29,7 +29,7 @@ class Api::V1::UsersController < Api::V1::BaseController
 
   def notifiers
     if request.put?
-      if @user.notifier.update_attributes(params[:notifiers])
+      if @user.notifier.update_attributes(notifier_params)
         render_json_response @user, 'User notification settings have been updated successfully'
       else
         render_json_response @user, error_message(@user.notifier, 'User notification settings have not been updated'), 422
@@ -39,6 +39,10 @@ class Api::V1::UsersController < Api::V1::BaseController
 
   protected
 
+  def notifier_params
+    permit_params(:notifiers, *policy(SettingsNotifier).permitted_attributes)
+  end
+
   def set_current_user
     authorize @user = current_user
   end
diff --git a/app/models/settings_notifier.rb b/app/models/settings_notifier.rb
index 8be1ce702..559935bb6 100644
--- a/app/models/settings_notifier.rb
+++ b/app/models/settings_notifier.rb
@@ -3,16 +3,4 @@ class SettingsNotifier < ActiveRecord::Base
 
   validates :user, presence: true
 
-  # attr_accessible :can_notify,
-  #                 :update_code,
-  #                 :new_comment_commit_owner,
-  #                 :new_comment_commit_repo_owner,
-  #                 :new_comment_commit_commentor,
-  #                 :new_comment,
-  #                 :new_comment_reply,
-  #                 :new_issue,
-  #                 :issue_assign,
-  #                 :new_build,
-  #                 :new_associated_build
-
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index b17711138..7166ac551 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -56,8 +56,6 @@ class User < Avatar
   validates :role, inclusion: { in: EXTENDED_ROLES }, allow_blank: true
   validates :language, inclusion: { in: LANGUAGES }, allow_blank: true
 
-  # attr_accessible :email, :password, :password_confirmation, :current_password, :remember_me, :login, :name, :uname, :language,
-  #                 :site, :company, :professional_experience, :location, :sound_notifications, :hide_email, :delete_avatar
   attr_readonly :uname
   attr_accessor :login, :delete_avatar
 
diff --git a/app/policies/settings_notifier_policy.rb b/app/policies/settings_notifier_policy.rb
new file mode 100644
index 000000000..665a567ab
--- /dev/null
+++ b/app/policies/settings_notifier_policy.rb
@@ -0,0 +1,22 @@
+class SettingsNotifierPolicy < ApplicationPolicy
+
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      can_notify
+      update_code
+      new_comment_commit_owner
+      new_comment_commit_repo_owner
+      new_comment_commit_commentor
+      new_comment
+      new_comment_reply
+      new_issue
+      issue_assign
+      new_build
+      new_associated_build
+    )
+  end
+
+end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 2b4a9467a..71a1cbd2a 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -11,6 +11,30 @@ class UserPolicy < ApplicationPolicy
   alias_method :show_current_user?, :update?
   alias_method :write?,             :update?
 
+  # Public: Get list of parameters that the user is allowed to alter.
+  #
+  # Returns Array
+  def permitted_attributes
+    %i(
+      company
+      current_password
+      delete_avatar
+      email
+      hide_email
+      language
+      location
+      login
+      name
+      password
+      password_confirmation
+      professional_experience
+      remember_me
+      site
+      sound_notifications
+      uname
+    )
+  end
+
   class Scope < Scope
     def show
       scope