From 523137253ce63001f4ecf03f4805eabe4296b806 Mon Sep 17 00:00:00 2001
From: Matchu
Date: Sat, 29 Jul 2023 10:52:23 -0700
Subject: [PATCH] Use strong parameters for Outfit

---
 app/controllers/outfits_controller.rb | 9 +++++++--
 app/models/outfit.rb | 2 --
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/app/controllers/outfits_controller.rb b/app/controllers/outfits_controller.rb
index 220eb346..d0a836dc 100644
--- a/app/controllers/outfits_controller.rb
+++ b/app/controllers/outfits_controller.rb
@@ -2,7 +2,7 @@ class OutfitsController < ApplicationController
   before_filter :find_authorized_outfit, :only => [:update, :destroy]
 
   def create
-    @outfit = Outfit.build_for_user(current_user, params[:outfit])
+    @outfit = Outfit.build_for_user(current_user, outfit_params)
     if @outfit.save
       render :json => @outfit
     else
@@ -108,7 +108,7 @@ class OutfitsController < ApplicationController
   end
 
   def update
-    if @outfit.update_attributes(params[:outfit])
+    if @outfit.update_attributes(outfit_params)
       render :json => @outfit
     else
       render_outfit_errors
@@ -117,6 +117,11 @@ class OutfitsController < ApplicationController
 
   private
 
+  def outfit_params
+    params.require(:outfit).permit(
+      :name, :pet_state_id, :starred, :worn_and_unworn_item_ids)
+  end
+
   def find_authorized_outfit
     raise ActiveRecord::RecordNotFound unless user_signed_in?
     @outfit = current_user.outfits.find(params[:id])
diff --git a/app/models/outfit.rb b/app/models/outfit.rb
index 4d52e65f..969f8b78 100644
--- a/app/models/outfit.rb
+++ b/app/models/outfit.rb
@@ -11,8 +11,6 @@ class Outfit < ActiveRecord::Base
   delegate :color, to: :pet_state
 
-  attr_accessible :name, :pet_state_id, :starred, :worn_and_unworn_item_ids
-
   scope :wardrobe_order, -> { order('starred DESC', :name) }
 
   # NOTE: We no longer save images, but we've left the code here for now.
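Review bot: `:worn_and_unworn_item_ids` in the new `outfit_params` is permitted as a scalar, so if that attribute takes a hash of id arrays — which its name suggests, though the model's writer for it is not in this hunk — `permit` will silently strip the value and `create`/`update` would save an outfit with no items while still answering with success. If it is structured, declare the shape explicitly, e.g. `worn_and_unworn_item_ids: [worn: [], unworn: []]` with the real nested key names substituted for the placeholders, so the permitted structure is visible in the controller and anything else is rejected. Setting `config.action_controller.action_on_unpermitted_parameters = :raise` in the development and test environments would surface such a mismatch instead of leaving it as a log line. The same parameter hash reaches `build_for_user` in the `create` hunk and `update_attributes` in the `update` hunk, which are the two callers affected.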