# HG changeset patch
# User Nattee Niparnan
# Date 2017-01-25 10:06:16
# Node ID d56b2e7de528cbbc2eb7c5e48ff5f03b8d9769b8
# Parent 3b82292cbec2f5257e8de538b7d954aec33758ee
NEED TESTING move to stronger parameter for xxx.new(params[
diff --git a/app/controllers/announcements_controller.rb b/app/controllers/announcements_controller.rb
--- a/app/controllers/announcements_controller.rb
+++ b/app/controllers/announcements_controller.rb
@@ -45,7 +45,7 @@
 # POST /announcements
 # POST /announcements.xml
 def create
- @announcement = Announcement.new(params[:announcement])
+ @announcement = Announcement.new(announcement_params)
 respond_to do |format|
 if @announcement.save
diff --git a/app/controllers/problems_controller.rb b/app/controllers/problems_controller.rb
--- a/app/controllers/problems_controller.rb
+++ b/app/controllers/problems_controller.rb
@@ -28,7 +28,7 @@
 end
 def create
- @problem = Problem.new(params[:problem])
+ @problem = Problem.new(problem_params)
 @description = Description.new(params[:description])
 if @description.body!=''
 if !@description.save
@@ -47,7 +47,7 @@
 end
 def quick_create
- @problem = Problem.new(params[:problem])
+ @problem = Problem.new(problem_params)
 @problem.full_name = @problem.name if @problem.full_name == ''
 @problem.full_score = 100
 @problem.available = false
diff --git a/app/controllers/user_admin_controller.rb b/app/controllers/user_admin_controller.rb
--- a/app/controllers/user_admin_controller.rb
+++ b/app/controllers/user_admin_controller.rb
@@ -47,7 +47,7 @@
 end
 def create
- @user = User.new(params[:user])
+ @user = User.new(user_params)
 @user.activated = true
 if @user.save
 flash[:notice] = 'User was successfully created.'
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
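Review bot: `announcement_params` is called on the new side of this hunk but no method of that name is defined anywhere in the patch; unless it already exists in AnnouncementsController or ApplicationController, `create` will raise NoMethodError at the first POST. The same gap applies to `problem_params` in both problems_controller hunks and to `user_params` in user_admin_controller, since the `user_params` this commit adds is a private method of UsersController and is not visible from UserAdminController. Each controller needs its own private whitelist, e.g. `def announcement_params; params.require(:announcement).permit(<PERMITTED_ATTRIBUTES>); end`, with the placeholder replaced by exactly the attributes the corresponding form is meant to set. The enclosing `create` bodies continue outside the hunks, so I cannot confirm from here whether any of these helpers already exist.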
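Review bot: The `Description.new(params[:description])` line immediately after the hardened `Problem.new(problem_params)` still mass-assigns from the raw params hash, so this `create` is only half-migrated and the description model remains open to attributes the form never intended to set. The following lines only read `@description.body`, so a one-attribute whitelist keeps the current behaviour while closing the gap: `@description = Description.new(params.fetch(:description, {}).permit(:body))`. I suggest `fetch` with an empty default rather than `require` because the existing code appears to tolerate a missing `:description` key and only checks `body` for emptiness afterwards; if the key is in fact always present, `require` is the stricter choice. The body of `create` continues outside the hunk.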
@@ -52,7 +52,7 @@
 redirect_to :controller => 'main', :action => 'login'
 return
 end
- @user = User.new(params[:user])
+ @user = User.new(user_params)
 @user.password_confirmation = @user.password = User.random_password
 @user.activated = false
 if (@user.valid?) and (@user.save)
@@ -209,6 +209,10 @@
 #finally, we allow only admin
 admin_authorization
 end
-
+
+ private
+ def user_params
+ params.require(:user).permit(:login, :full_name, :email)
+ end
 end
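Review bot: The new `user_params` whitelist carries no comment explaining why the password fields are deliberately absent, which a later maintainer is likely to "fix" by adding them; a one-line note above the `def` would preserve the intent, e.g. `# Self-registration may only set identity fields; the password is generated server-side in create.` (the first hunk shows `@user.password_confirmation = @user.password = User.random_password`). Note also that `params.require(:user)` raises ActionController::ParameterMissing when the `:user` key is absent, whereas the old `params[:user]` produced an empty User that merely failed validation — responding 400 is reasonable, but it is a behaviour change the commit message should state. Both the `create` body and the class body around the new `private` section continue outside the hunks.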