Remove protected_attributes gem

We do not enforce the rules, so removing it and switching the existing
annotations to strong_parameters does not make our situation worse.

app/controllers/suppliers_controller.rb

@@ -25,23 +25,23 @@ class SuppliersController < ApplicationController
     end
   end
 
-  def create    
-    @supplier = Supplier.new(params[:supplier])
+  def create
+    @supplier = Supplier.new(supplier_params)
     if @supplier.save
       flash[:notice] = I18n.t('suppliers.create.notice')
       redirect_to suppliers_path
     else
       render :action => 'new'
-    end 
+    end
   end
 
-  def edit    
+  def edit
     @supplier = Supplier.find(params[:id])
   end
-  
+
   def update
     @supplier = Supplier.find(params[:id])
-    if @supplier.update_attributes(params[:supplier])
+    if @supplier.update_attributes(supplier_params)
       flash[:notice] = I18n.t('suppliers.update.notice')
       redirect_to @supplier
     else
@@ -57,11 +57,21 @@ class SuppliersController < ApplicationController
     rescue => e
       flash[:error] = I18n.t('errors.general_msg', :msg => e.message)
       redirect_to @supplier
-  end  
-  
+  end
+
   # gives a list with all available shared_suppliers
   def shared_suppliers
     @shared_suppliers = SharedSupplier.all
   end
-  
+
+  private
+
+  def supplier_params
+    params
+      .require(:supplier)
+      .permit(:name, :address, :phone, :phone2, :fax, :email, :url, :contact_person, :customer_number,
+              :iban, :custom_fields, :delivery_days, :order_howto, :note,
+              :shared_supplier_id, :min_order_quantity, :shared_sync_method)
+  end
+
 end

app/controllers/tasks_controller.rb

@@ -17,7 +17,7 @@ class TasksController < ApplicationController
   end
 
   def create
-    @task = Task.new(params[:task])
+    @task = Task.new(task_params, current_user_id: current_user.id)
     if params[:periodic]
       @task.periodic_task_group = PeriodicTaskGroup.new
     end
@@ -44,6 +44,7 @@ class TasksController < ApplicationController
     task_group = @task.periodic_task_group
     was_periodic = @task.periodic?
     prev_due_date = @task.due_date
+    @task.current_user_id = current_user.id
     @task.attributes=(params[:task])
     if @task.errors.empty? && @task.save
       task_group.update_tasks_including(@task, prev_due_date) if params[:periodic]
@@ -111,4 +112,13 @@ class TasksController < ApplicationController
       redirect_to tasks_url, :alert => I18n.t('tasks.error_not_found')
     end
   end
+
+  private
+
+  def task_params
+    params
+      .require(:task)
+      .permit(:name, :description, :duration, :user_list, :required_users, :workgroup, :due_date, :done)
+  end
+
 end

app/models/supplier.rb

@@ -10,10 +10,6 @@ class Supplier < ApplicationRecord
   has_many :invoices
   belongs_to :shared_supplier  # for the sharedLists-App
 
-  include ActiveModel::MassAssignmentSecurity
-  attr_accessible :name, :address, :phone, :phone2, :fax, :email, :url, :contact_person, :customer_number, :iban, :custom_fields,
-                  :delivery_days, :order_howto, :note, :shared_supplier_id, :min_order_quantity, :shared_sync_method
-
   validates :name, :presence => true, :length => { :in => 4..30 }
   validates :phone, :presence => true, :length => { :in => 8..25 }
   validates :address, :presence => true, :length => { :in => 8..50 }

app/models/task.rb

@@ -11,10 +11,6 @@ class Task < ApplicationRecord
 
   attr_accessor :current_user_id
 
-  # form will send user in string. responsibilities will added later
-  include ActiveModel::MassAssignmentSecurity
-  attr_protected :users
-
   validates :name, :presence => true, :length => { :minimum => 3 }
   validates :required_users, :presence => true
   validates_numericality_of :duration, :required_users, :only_integer => true, :greater_than => 0

app/views/tasks/_form.html.haml

@@ -1,4 +1,3 @@
-= form.hidden_field :current_user_id
 = form.input :name
 = form.input :description, as: :text, input_html: {rows: 10}
 = form.input :duration, :as => :select, :collection => 1..3