From 248e710fcb7b6cab0490b6473de727f236b5e810 Mon Sep 17 00:00:00 2001
From: Matchu
Date: Sat, 29 Jul 2023 11:07:14 -0700
Subject: [PATCH] Use strong parameters for User

---
 app/controllers/users_controller.rb | 7 ++++++-
 app/models/user.rb | 3 ---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index b542d502..fd35f261 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -17,7 +17,7 @@ class UsersController < ApplicationController
   end
 
   def update
-    success = @user.update_attributes params[:user]
+    success = @user.update_attributes user_params
     respond_to do |format|
       format.html {
         if success
@@ -41,6 +41,11 @@ class UsersController < ApplicationController
 
   protected
 
+  def user_params
+    params.require(:user).permit(:owned_closet_hangers_visibility, :wanted_closet_hangers_visibility, :contact_neopets_connection_id)
+  end
+
   def find_and_authorize_user!
     if current_user.id == params[:id].to_i
       @user = current_user
diff --git a/app/models/user.rb b/app/models/user.rb
index 4abdd054..5d3df686 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -21,9 +21,6 @@ class User < ActiveRecord::Base
 
   devise :rememberable
 
-  attr_accessible :owned_closet_hangers_visibility,
-    :wanted_closet_hangers_visibility, :contact_neopets_connection_id
-
   def admin?
     name == 'matchu' # you know that's right.
   end
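Review bot: The new line `success = @user.update_attributes user_params` keeps `update_attributes`, which was deprecated in Rails 6.0 and removed in 6.1; if this move to strong parameters is part of an upgrade to a version where it is gone, the call will raise NoMethodError and should read `success = @user.update(user_params)`. I cannot confirm the app's Rails version from this patch, so treat that as something to check rather than a certain defect. The body of the `update` action continues outside the hunk.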
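Review bot: The permit list in the new `user_params` includes `contact_neopets_connection_id`, a foreign key that the user submits directly; strong parameters only filter key names, so unless the model (outside this patch) checks that the referenced connection belongs to the current user, any user can point that field at another user's connection id. The removed `attr_accessible` list exposed the same field, so this is not a regression, but it is worth confirming and recording with a comment on the method such as `# contact_neopets_connection_id is user-supplied; ownership must be validated on the model`. Also, Rails convention places `user_params` under `private` rather than `protected`, since only this controller calls it.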