diff --git a/app/controllers/api/v1/apps_controller.rb b/app/controllers/api/v1/apps_controller.rb
index ca9dd0b7eea90eb25285f1154332915f58558542..2ec7280af05d00c87fca8943ca62ab279f9931d0 100644
--- a/app/controllers/api/v1/apps_controller.rb
+++ b/app/controllers/api/v1/apps_controller.rb
@@ -4,6 +4,12 @@ class Api::V1::AppsController < ApiController
respond_to :json
def create
- @app = Doorkeeper::Application.create!(name: params[:client_name], redirect_uri: params[:redirect_uris], scopes: (params[:scopes] || Doorkeeper.configuration.default_scopes), website: params[:website])
+ @app = Doorkeeper::Application.create!(name: app_params[:client_name], redirect_uri: app_params[:redirect_uris], scopes: (app_params[:scopes] || Doorkeeper.configuration.default_scopes), website: app_params[:website])
+ end
+
+ private
+
+ def app_params
+ params.permit(:client_name, :redirect_uris, :scopes, :website)
end
end
diff --git a/app/controllers/api/v1/follows_controller.rb b/app/controllers/api/v1/follows_controller.rb
index c22dacbaab794ce78f32dc44488fa9d0e8415be0..7c0f44f038313ca07a807cb8caec2731aa5a4d2f 100644
--- a/app/controllers/api/v1/follows_controller.rb
+++ b/app/controllers/api/v1/follows_controller.rb
@@ -7,7 +7,7 @@ class Api::V1::FollowsController < ApiController
respond_to :json
def create
- raise ActiveRecord::RecordNotFound if params[:uri].blank?
+ raise ActiveRecord::RecordNotFound if follow_params[:uri].blank?
@account = FollowService.new.call(current_user.account, target_uri).try(:target_account)
render action: :show
@@ -16,6 +16,10 @@ class Api::V1::FollowsController < ApiController
private
def target_uri
- params[:uri].strip.gsub(/\A@/, '')
+ follow_params[:uri].strip.gsub(/\A@/, '')
+ end
+
+ def follow_params
+ params.permit(:uri)
end
end
diff --git a/app/controllers/api/v1/media_controller.rb b/app/controllers/api/v1/media_controller.rb
index f8139ade7719a9d9d927aa23b93c130e58d99569..aed3578d7e827d7f327ed2598c7e5d13fecd6346 100644
--- a/app/controllers/api/v1/media_controller.rb
+++ b/app/controllers/api/v1/media_controller.rb
@@ -10,10 +10,16 @@ class Api::V1::MediaController < ApiController
respond_to :json
def create
- @media = MediaAttachment.create!(account: current_user.account, file: params[:file])
+ @media = MediaAttachment.create!(account: current_user.account, file: media_params[:file])
rescue Paperclip::Errors::NotIdentifiedByImageMagickError
render json: { error: 'File type of uploaded media could not be verified' }, status: 422
rescue Paperclip::Error
render json: { error: 'Error processing thumbnail for uploaded media' }, status: 500
end
+
+ private
+
+ def media_params
+ params.permit(:file)
+ end
end
diff --git a/app/controllers/api/v1/reports_controller.rb b/app/controllers/api/v1/reports_controller.rb
index 46bdddbc1487a5104b852446d61627c2c74794c3..f83c573cb5fbaeaa798c02581cbe48b338125f1a 100644
--- a/app/controllers/api/v1/reports_controller.rb
+++ b/app/controllers/api/v1/reports_controller.rb
@@ -12,13 +12,19 @@ class Api::V1::ReportsController < ApiController
end
def create
- status_ids = params[:status_ids].is_a?(Enumerable) ? params[:status_ids] : [params[:status_ids]]
+ status_ids = report_params[:status_ids].is_a?(Enumerable) ? report_params[:status_ids] : [report_params[:status_ids]]
@report = Report.create!(account: current_account,
- target_account: Account.find(params[:account_id]),
+ target_account: Account.find(report_params[:account_id]),
status_ids: Status.find(status_ids).pluck(:id),
- comment: params[:comment])
+ comment: report_params[:comment])
render :show
end
+
+ private
+
+ def report_params
+ params.permit(:account_id, :comment, status_ids: [])
+ end
end
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index 024258c0e1551c62094fe1459ae8f8b1ad11dccc..4ece7e702819f403d0fa3de8ebc142e03f299204 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -62,11 +62,11 @@ class Api::V1::StatusesController < ApiController
end
def create
- @status = PostStatusService.new.call(current_user.account, params[:status], params[:in_reply_to_id].blank? ? nil : Status.find(params[:in_reply_to_id]), media_ids: params[:media_ids],
- sensitive: params[:sensitive],
- spoiler_text: params[:spoiler_text],
- visibility: params[:visibility],
- application: doorkeeper_token.application)
+ @status = PostStatusService.new.call(current_user.account, status_params[:status], status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id]), media_ids: status_params[:media_ids],
+ sensitive: status_params[:sensitive],
+ spoiler_text: status_params[:spoiler_text],
+ visibility: status_params[:visibility],
+ application: doorkeeper_token.application)
render action: :show
end
@@ -111,4 +111,8 @@ class Api::V1::StatusesController < ApiController
@status = Status.find(params[:id])
raise ActiveRecord::RecordNotFound unless @status.permitted?(current_account)
end
+
+ def status_params
+ params.permit(:status, :in_reply_to_id, :sensitive, :spoiler_text, :visibility, media_ids: [])
+ end
end
diff --git a/app/models/status.rb b/app/models/status.rb
index 81b26fd1459ee7464fec62155960956eb286b4a2..daf1285720fd17bc0ef52d73630506b25337d453 100644
--- a/app/models/status.rb
+++ b/app/models/status.rb
@@ -188,7 +188,7 @@ class Status < ApplicationRecord
end
before_validation do
- text.strip!
+ text&.strip!
spoiler_text&.strip!
self.reply = !(in_reply_to_id.nil? && thread.nil?) unless reply