Report an error if a bogus limit value is passed to a notes API call
[rails.git] / app / controllers / message_controller.rb
index 8d03811a9d48b9c5335b5d74df5e22f8700635ad..38c9b2f3db05b2594a9fe43a100a1e0b6f3dc6c8 100644 (file)
@@ -17,7 +17,7 @@ class MessageController < ApplicationController
       if @user.sent_messages.where("sent_on >= ?", Time.now.getutc - 1.hour).count >= MAX_MESSAGES_PER_HOUR
         flash[:error] = t 'message.new.limit_exceeded'
       else
-        @message = Message.new(params[:message])
+        @message = Message.new(message_params)
         @message.to_user_id = @this_user.id
         @message.from_user_id = @user.id
         @message.sent_on = Time.now.getutc
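Review bot: `message_params` calls `params.require(:message)`, so this line now raises `ActionController::ParameterMissing` when the request has no `message` key, whereas the old `Message.new(params[:message])` accepted nil. The enclosing action starts outside the hunk, so it is not visible whether a presence check on `params[:message]` sits above the rate-limit test; if it does not, confirm that an error response is the intended outcome for such a request. A short comment on the line, for example `# message_params raises if :message is absent; guarded by the check above`, would record the assumption for the next reader.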
@@ -127,4 +127,10 @@ class MessageController < ApplicationController
     @title = t'message.no_such_message.title'
     render :action => 'no_such_message', :status => :not_found
   end
+private
+  ##
+  # return permitted message parameters
+  def message_params
+    params.require(:message).permit(:title, :body)
+  end
 end
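Review bot: The comment on `message_params` says what the method returns but not why the allowlist stops at `:title` and `:body`, which is the security-relevant part. The first hunk shows the sender, recipient and `sent_on` being assigned by the controller, so the comment could read `# return permitted message parameters: only title and body come from the client; sender, recipient and sent_on are set by the controller`. That warns anyone widening the list later that adding an ownership or state attribute would make it client-settable. As a style point, `private` sits at column 0 directly after the previous method; indenting it to the class body level with a blank line before it (`  private`) would match the two-space layout of the rest of the class.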