From 661ddbb15821a6cbb6b0fd30b31d76ed728b60c0 Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 27 May 2013 11:02:58 +1000
Subject: [PATCH] introduce strong_parameters

---
 Gemfile                                          | 1 +
 Gemfile.lock                                     | 5 +++++
 app/controllers/user_actions_controller.rb       | 6 ++++--
 spec/controllers/user_actions_controller_spec.rb | 4 ++++
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/Gemfile b/Gemfile
index 4fc40030f5c..3437f13280a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -61,6 +61,7 @@ gem 'seed-fu'
 gem 'sidekiq'
 gem 'sinatra', require: nil
 gem 'slim' # required for sidekiq-web
+gem 'strong_parameters' # remove when we upgrade to Rails 4
 gem 'therubyracer', require: 'v8'
 gem 'thin'
 gem 'diffy', require: false
diff --git a/Gemfile.lock b/Gemfile.lock
index 300d644bb9a..1208a4052a2 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -434,6 +434,10 @@ GEM
     slop (3.4.4)
     sorcerer (0.3.10)
     spork (0.9.2)
+    strong_parameters (0.2.1)
+      actionpack (~> 3.0)
+      activemodel (~> 3.0)
+      railties (~> 3.0)
     temple (0.6.4)
     terminal-notifier-guard (1.5.3)
     therubyracer (0.11.4)
@@ -542,6 +546,7 @@ DEPENDENCIES
   sinatra
   slim
   sprockets!
+  strong_parameters
   terminal-notifier-guard
   therubyracer
   thin
diff --git a/app/controllers/user_actions_controller.rb b/app/controllers/user_actions_controller.rb
index 92a7ec3985d..d7efb826e5e 100644
--- a/app/controllers/user_actions_controller.rb
+++ b/app/controllers/user_actions_controller.rb
@@ -1,6 +1,8 @@
 class UserActionsController < ApplicationController
   def index
-    requires_parameters(:username)
+    params.require(:username)
+    params.permit(:filter, :offset)
+
     per_chunk = 60
     user = fetch_user_from_params
 
@@ -26,7 +28,7 @@ class UserActionsController < ApplicationController
   end
 
   def show
-    requires_parameters(:id)
+    params.require(:id)
     render json: UserAction.stream_item(params[:id], guardian)
   end
 
diff --git a/spec/controllers/user_actions_controller_spec.rb b/spec/controllers/user_actions_controller_spec.rb
index 763cdbf3ed4..25d4a1b9b46 100644
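Review bot: In the `index` hunk of user_actions_controller.rb, `params.permit(:filter, :offset)` discards its return value, so it does not restrict what the rest of the action reads — `params` itself is unchanged and every later `params[...]` lookup (including inside `fetch_user_from_params`, which is outside the hunk) still sees all submitted keys. A bare `permit` only has an observable effect if the gem is configured to raise on unpermitted keys (the `action_on_unpermitted_parameters` setting; whether 0.2.1 honours it is not visible here), otherwise the line is a no-op that reads as if it were filtering input. Either keep the permitted object and read from it, `permitted = params.permit(:filter, :offset)` followed by `permitted[:filter]` / `permitted[:offset]` in the body below, or drop the line and document the intent with `# strong_parameters: require(:username) raises ParameterMissing when absent or blank`. The body of `index` continues past the end of the hunk.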
--- a/spec/controllers/user_actions_controller_spec.rb
+++ b/spec/controllers/user_actions_controller_spec.rb
@@ -3,6 +3,10 @@ require 'spec_helper'
 describe UserActionsController do
   context 'index' do
+    it 'fails if username is not specified' do
+      expect { xhr :get, :index }.to raise_error
+    end
+
     it 'renders list correctly' do
       ActiveRecord::Base.observers.enable :all
       post = Fabricate(:post)