Merge branch 'integration' into higly-experimental/enforce-robots-txt

Gemfile

@@ -3,7 +3,6 @@ source 'https://rubygems.org'
 gem 'rails', '4.0.2'
 
 #gem 'turbolinks'
-gem 'protected_attributes' # support legacy 'attr_accessible'
 
 gem 'rails-i18n'
 gem 'pg'

Gemfile.lock

@@ -282,8 +282,6 @@ GEM
     polyglot (0.3.3)
     private_pub (1.0.3)
       faye
-    protected_attributes (1.0.5)
-      activemodel (>= 4.0.1, < 5.0)
     pry (0.9.12.4)
       coderay (~> 1.0)
       method_source (~> 0.8)
@@ -470,7 +468,6 @@ DEPENDENCIES
   pg_search!
   poltergeist
   private_pub
-  protected_attributes
   pry-rails
   rack-cache
   rails (= 4.0.2)

app/controllers/api/messages_controller.rb

@@ -13,7 +13,7 @@ def create
     good = good || @talk.venue.users.include?(user)
     return render text: 'Computer says no', status: 740 unless good
 
-    message = @talk.messages.build(params[:message])
+    message = @talk.messages.build(message_params)
     message.user = user
     message.save!
 
@@ -43,4 +43,8 @@ def verified_request?
     super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
   end
 
+  def message_params
+    params.require(:message).permit(:content)
+  end
+
 end

app/controllers/api/social_shares_controller.rb

@@ -3,7 +3,7 @@ class Api::SocialSharesController < ApplicationController
   before_filter :authenticate_user!
 
   def create
-    @social_share            = SocialShare.new(params[:social_share])
+    @social_share            = SocialShare.new(social_share_params)
     @social_share.request_ip = request.remote_addr
     @social_share.user_agent = request.user_agent
     @social_share.user_id    = current_user.id
@@ -18,9 +18,11 @@ def create
   end
 
   private
+
   def social_share_params
-    params.require(:social_share).permit(:request_ip, :user_agent,
-                                         :shareable_id, :shareable_type,
-                                         :social_network)
+    params.require(:social_share).permit( :shareable_id,
+                                          :shareable_type,
+                                          :social_network )
   end
+
 end

app/controllers/application_controller.rb

@@ -76,10 +76,10 @@ def store_location
 
   before_filter :update_sanitized_params, if: :devise_controller?
 
+  # strong parameters for devise
   def update_sanitized_params
     devise_parameter_sanitizer.for(:sign_up) do |u|
-      u.permit(:firstname, :lastname, :accept_terms_of_use,
-               :email, :password, :password_confirmation)
+      u.permit(UsersController::PERMITTED_ATTRS)
     end
   end
 

app/controllers/comments_controller.rb

@@ -7,7 +7,7 @@ def create
     authorize! :create, Comment
 
     venue = Venue.find(params[:venue_id])
-    comment = venue.comments.build(params[:comment])
+    comment = venue.comments.build(comment_params)
     comment.user = current_user
 
     if comment.save
@@ -29,4 +29,8 @@ def send_email(comment, users)
     end
   end
 
+  def comment_params
+    params.require(:comment).permit(:content)
+  end
+
 end

app/controllers/embed_talks_controller.rb

@@ -1,4 +1,5 @@
 class EmbedTalksController < ApplicationController
+
   after_action :allow_iframe, only: :show
 
   def show
@@ -14,4 +15,5 @@ def show
   def allow_iframe
     response.headers.except! 'X-Frame-Options'
   end
+
 end

app/controllers/errors_controller.rb

@@ -1,4 +1,5 @@
 class ErrorsController < ApplicationController
+
   skip_before_filter :check_browser
 
   # Handling exceptions dynamically using middleware.
@@ -16,4 +17,5 @@ def show
   # Dedicated landing page for outdated browsers
   def upgrade_browser
   end
+
 end

app/controllers/reminders_controller.rb

@@ -0,0 +1,36 @@
+# TODO use cancan for authorization
+class RemindersController < ApplicationController
+
+  before_action :authenticate_user!
+
+  # GET /reminders
+  def index
+    @reminders = current_user.reminders
+  end
+
+  # POST /reminders
+  def create
+    @reminder = Reminder.new
+    @reminder.user = current_user
+
+    rememberable ||= Talk.find(params[:talk_id])
+    rememberable ||= Venue.find(params[:venue_id])
+    raise "Cannot find Rememberable with #{params.inspect}" if rememberable.nil? 
+    @reminder.rememberable = rememberable
+
+    if @reminder.save
+      redirect_to rememberable, notice: I18n.t('reminders.create.success')
+    else
+      redirect_to rememberable, error: I18n.t('reminders.create.failure')
+    end
+  end
+
+  # DELETE /reminders/1
+  def destroy
+    @reminder = Reminder.find(params[:id])
+    @reminder.destroy
+    redirect_to current_user, anchor: 'reminders',
+                notice: I18n.t('reminders.destroy.success')
+  end
+
+end

app/controllers/search_controller.rb

@@ -2,15 +2,15 @@ class SearchController < ApplicationController
 
   PER_PAGE = 10
 
+  before_action :set_query
+
   # POST /search
   def create
-    redirect_to "/search/1/" + u(params[:query])
+    redirect_to "/search/1/" + u(@query)
   end
 
   # GET  /search/1/:query
   def show
-    @query = params[:query]
-
     @results = PgSearch.multisearch(@query).
       paginate(page: params[:page], per_page: PER_PAGE)
 
@@ -33,4 +33,9 @@ def u(str)
     ERB::Util.url_encode(str)
   end
 
+  def set_query
+    params.permit(:query)
+    @query = params[:query]
+  end
+
 end

app/controllers/talks_controller.rb

@@ -115,7 +115,8 @@ def talk_params
     params.require(:talk).permit(:title, :teaser, :starts_at_date,
                                  :starts_at_time, :duration,
                                  :description, :collect, :image,
-                                 :tag_list, :guest_list, :language)
+                                 :tag_list, :guest_list, :language,
+                                 :format)
   end
 
 end

app/controllers/users/omniauth_callbacks_controller.rb

@@ -1,18 +1,18 @@
-require 'pp'
-
 class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+
   include Devise::Controllers::Rememberable
 
   def facebook
-    logger.debug("OmniauthCallbacks#facebook - omniauth.auth: \n #{request.env['omniauth.auth']}\n")
+    logger.debug("OmniauthCallbacks#facebook - omniauth.auth: \n" +
+                 " #{request.env['omniauth.auth']}\n")
     @user = User.find_for_facebook_oauth(request.env["omniauth.auth"], current_user)
 
     unless @user.valid?
       logger.warn("OmniAuthCallbacks#facebook - user invalid: @user.inspect")
       flash[:error] = @user.errors.full_message(:email, "is in use")
       redirect_to new_user_registration_url and return
     end
-
+    
     if @user.persisted?
       flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "Facebook"
       remember_me(@user)

app/controllers/users/registrations_controller.rb

@@ -1,11 +1,20 @@
 class Users::RegistrationsController < Devise::RegistrationsController
+
   def new
-    resource = build_resource(params[:user])
+    resource = build_resource(user_params)
     respond_with resource
   end
 
   def create
     @guest_user = session[:guest_user_id] = nil
     super
   end
+
+  private
+
+  def user_params
+    return {} unless params[:user] # for redirect on subscribe
+    params.require(:user).permit(:firstname, :lastname, :email)
+  end
+
 end

app/controllers/users_controller.rb

@@ -1,5 +1,14 @@
 class UsersController < ApplicationController
 
+  PERMITTED_ATTRS = [ :firstname,
+                      :lastname,
+                      :accept_terms_of_use,
+                      :email,
+                      :avatar,
+                      :header,
+                      :password,
+                      :password_confirmation ]
+
   before_filter :authenticate_user!, :only => [:edit,:update,:destroy]
 
   # layout "application", :only => [:welcome]
@@ -47,7 +56,7 @@ def edit
   # POST /users
   # POST /users.json
   def create
-    @user = User.new(params[:user])
+    @user = User.new(user_params)
 
     respond_to do |format|
       if @user.save
@@ -69,7 +78,7 @@ def update
     authorize! :update, @user
 
     respond_to do |format|
-      if @user.update_attributes(params[:user])
+      if @user.update_attributes(user_params)
         format.html do
           redirect_to @user, flash: { notice: I18n.t("flash.actions.update.notice") }
         end
@@ -100,4 +109,10 @@ def destroy
     end
   end
 
+  private
+
+  def user_params
+    params.require(:user).permit(PERMITTED_ATTRS)
+  end
+
 end

app/controllers/venues_controller.rb

@@ -23,10 +23,10 @@ def show
       format.html do
         @upcoming_talks = @venue.talks.where(state: [:prelive, :live]).ordered
         @archived_talks = @venue.talks.archived.ordered
-        
+
         @participation =
           @venue.participations.find_by(user_id: current_user.id)
-        
+
         @show_join = @participation.nil? &&
                      current_user != @venue.user
       end
@@ -51,9 +51,6 @@ def new
 
   # GET /venues/1/edit
   def edit
-    if params[:renew]
-      @renew = true
-    end
     authorize! :edit, @venue
     respond_to do |format|
       format.html {}
@@ -64,7 +61,7 @@ def edit
   # POST /venues
   # POST /venues.json
   def create
-    @venue = Venue.new(params[:venue])
+    @venue = Venue.new(venue_params)
     @venue.user = current_user
 
     authorize! :create, @venue
@@ -90,7 +87,7 @@ def update
     authorize! :update, @venue
 
     respond_to do |format|
-      if @venue.update_attributes(params[:venue])
+      if @venue.update_attributes(venue_params)
         format.html { redirect_to @venue, notice: 'Venue was successfully updated.' }
         format.json { head :no_content }
       else
@@ -113,7 +110,7 @@ def destroy
     end
   end
 
-  def tags # TODO: check if needed
+  def tags
     scope = ActsAsTaggableOn::Tag.where(["name ILIKE ?", "%#{params[:q]}%"])
     tags = scope.paginate(:page => params[:page], :per_page => params[:limit] || 10)
     render json: { tags: tags, total: scope.count }
@@ -131,4 +128,10 @@ def set_venue
     @venue = Venue.find(params[:id])
   end
 
+  # Only allow a trusted parameter "white list" through.
+  def venue_params
+    params.require(:venue).permit(:title, :teaser, :description,
+                                  :image, :tag_list)
+  end
+
 end

app/models/appearance.rb

@@ -6,8 +6,6 @@
 # * user_id [integer] - belongs to :user
 class Appearance < ActiveRecord::Base
 
-  attr_accessible :user_id
-
   validates :user, :talk, presence: true
 
   belongs_to :user

app/models/comment.rb

@@ -8,8 +8,6 @@
 # * user_id [integer, not null] - belongs to :user
 class Comment < ActiveRecord::Base
 
-  attr_accessible :content
-
   belongs_to :commentable, polymorphic: true
   belongs_to :user
 

app/models/message.rb

@@ -7,8 +7,6 @@
 # * user_id [integer] - belongs to :user
 class Message < ActiveRecord::Base
 
-  attr_accessible :content
-
   belongs_to :user
   belongs_to :talk
 

app/models/reminder.rb

@@ -0,0 +1,6 @@
+class Reminder < ActiveRecord::Base
+  belongs_to :user
+  belongs_to :rememberable, polymorphic: true
+
+  validates :user, presence: true
+end

app/models/setting.rb

@@ -22,8 +22,6 @@ class Setting < ActiveRecord::Base
 
   validates :key, :value, presence: true
 
-  attr_accessible :key, :value
-
   class << self
     def get(key)
       # try to find an entry in the db