From 4538ed7a2e5c111a3b16b8fd3c1822ebb3e4a031 Mon Sep 17 00:00:00 2001 From: Martin Edenhofer Date: Wed, 19 Jun 2013 22:44:18 +0200 Subject: [PATCH] Added param_validation for ticket and articles. --- app/controllers/ticket_articles_controller.rb | 4 ++-- app/controllers/tickets_controller.rb | 4 ++-- app/models/application_model.rb | 8 ++++++++ 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/app/controllers/ticket_articles_controller.rb b/app/controllers/ticket_articles_controller.rb index 14b1938eb..6ba81dcd0 100644 --- a/app/controllers/ticket_articles_controller.rb +++ b/app/controllers/ticket_articles_controller.rb @@ -21,7 +21,7 @@ class TicketArticlesController < ApplicationController def create form_id = params[:ticket_article][:form_id] params[:ticket_article].delete(:form_id) - @article = Ticket::Article.new( params[:ticket_article] ) + @article = Ticket::Article.new( Ticket::Article.param_validation( params[:ticket_article] ) ) # find attachments in upload cache if form_id @@ -49,7 +49,7 @@ class TicketArticlesController < ApplicationController def update @article = Ticket::Article.find( params[:id] ) - if @article.update_attributes(params[:ticket_article]) + if @article.update_attributes( Ticket::Article.param_validation( params[:ticket_article] ) ) render :json => @article, :status => :ok else render :json => @article.errors, :status => :unprocessable_entity diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb index a125d32b7..7bef119a1 100644 --- a/app/controllers/tickets_controller.rb +++ b/app/controllers/tickets_controller.rb @@ -22,7 +22,7 @@ class TicketsController < ApplicationController # POST /api/tickets def create - @ticket = Ticket.new( params[:ticket] ) + @ticket = Ticket.new( Ticket.param_validation( params[:ticket] ) ) # check if article is given if !params[:article] 
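Review bot: In `TicketArticlesController#create` the new call goes to `Ticket::Article.param_validation` rather than `param_cleanup`, so the only filtering visible in this patch is the removal of `updated_at` and `created_at`; every other key in `params[:ticket_article]` is still mass-assigned. Unless the models restrict this elsewhere (for example with `attr_accessible`, which is not visible here), prefer `Ticket::Article.new( Ticket::Article.param_cleanup( params[:ticket_article] ) )`, which limits keys to model attributes before calling `param_validation`. An explicit per-model list of client-settable attributes would be tighter still. The same applies to the `update` hunk in this file and to both hunks in `tickets_controller.rb`. The body of `create` continues outside the hunk.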
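Review bot: In `TicketArticlesController#update` the article is loaded with `Ticket::Article.find( params[:id] )` and passed to `update_attributes` with no per-object permission check visible in the hunk, whereas `TicketsController#update` runs `return if !ticket_permission(@ticket)` first. If no filter outside the hunk covers this action, a caller who knows an article id could modify an article they should not be able to reach. Consider an equivalent check before the update (for instance against the article's ticket, if the model links the two), and add a comment naming the check that protects this action.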
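Review bot: `Ticket.param_validation( params[:ticket] )` in `TicketsController#create` now runs before any presence check, and the visible body of `param_validation` begins with `data.delete( :updated_at )`. A request without a `ticket` key would therefore raise NoMethodError on nil and end as a 500, where `Ticket.new( nil )` previously did not raise. Passing `params[:ticket] || {}`, or returning early from `param_validation` when `data` is nil, keeps malformed requests on the normal validation path. The `update` hunks in both controllers have the same exposure; the body of `create` continues outside the hunk.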
@@ -87,7 +87,7 @@ class TicketsController < ApplicationController # permissin check return if !ticket_permission(@ticket) - if @ticket.update_attributes( params[:ticket] ) + if @ticket.update_attributes( Ticket.param_validation( params[:ticket] ) ) render :json => @ticket, :status => :ok else render :json => @ticket.errors, :status => :unprocessable_entity diff --git a/app/models/application_model.rb b/app/models/application_model.rb index 3308219f3..1d50af24d 100644 --- a/app/models/application_model.rb +++ b/app/models/application_model.rb @@ -25,6 +25,8 @@ class ApplicationModel < ActiveRecord::Base end def self.param_cleanup(params) + + # only use object attributes data = {} self.new.attributes.each {|item| if params.has_key?(item[0]) @@ -33,6 +35,12 @@ class ApplicationModel < ActiveRecord::Base end } + # we do want to set this via database + self.param_validation(data) + end + + def self.param_validation(data) + # we do want to set this via database data.delete( :updated_at ) data.delete( :created_at )
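Review bot: In `param_validation` the keys are deleted as symbols (`data.delete( :updated_at )`), but on the `param_cleanup` path `data` is a plain `{}` filled from `self.new.attributes`, whose keys are strings. The assignment line sits between the two hunks and is not visible, so if it stores `item[0]` unchanged these deletes are no-ops and client-supplied timestamps pass through. Deleting both forms closes that: `%w[updated_at created_at].each { |k| data.delete(k); data.delete(k.to_sym) }`. The method also mutates its argument in place and its end is outside the hunk, so please confirm it finishes with `data`, because otherwise the controllers receive the result of the last `delete`. A clearer comment such as `# timestamps are set by the model, never taken from the client` would state the intent better than the duplicated `# we do want to set this via database`.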