Merge pull request #173 from finnlabs/sec-fixes

Prepare plugin for strong params

app/controllers/costlog_controller.rb

@@ -185,17 +185,17 @@ class CostlogController < ApplicationController
   end
 
   def find_associated_objects
-    user_id = params[:cost_entry].delete(:user_id)
+    user_id = cost_entry_params.delete(:user_id)
     @user = @cost_entry.present? && @cost_entry.user_id == user_id ?
               @cost_entry.user :
               User.find_by_id(user_id)
 
-    work_package_id = params[:cost_entry].delete(:work_package_id)
+    work_package_id = cost_entry_params.delete(:work_package_id)
     @work_package = @cost_entry.present? && @cost_entry.work_package_id == work_package_id ?
                @cost_entry.work_package :
                WorkPackage.find_by_id(work_package_id)
 
-    cost_type_id = params[:cost_entry].delete(:cost_type_id)
+    cost_type_id = cost_entry_params.delete(:cost_type_id)
     @cost_type = @cost_entry.present? && @cost_entry.cost_type_id == cost_type_id ?
                    @cost_entry.cost_type :
                    CostType.find_by_id(cost_type_id)
@@ -268,4 +268,10 @@ class CostlogController < ApplicationController
 
     @cost_entry.attributes = permitted_params.cost_entry
   end
+
+private
+  def cost_entry_params
+    params.require(:cost_entry).permit(:work_package_id, :spent_on, :user_id,
+                                       :cost_type_id, :units, :comments)
+  end
 end

lib/open_project/costs/patches/time_entry_patch.rb

@@ -27,7 +27,6 @@ module OpenProject::Costs::Patches::TimeEntryPatch
     # Same as typing in the class t.update_costs
     base.class_eval do
       belongs_to :rate, -> { where(type: ['HourlyRate', 'DefaultHourlyRate']) }, class_name: 'Rate'
-      attr_protected :costs, :rate_id
 
       scope :visible, lambda { |*args|
         where(TimeEntry.visible_condition(args[0] || User.current, args[1]))