authorNihad Abbasov <narkoz.2008@gmail.com>2012-09-26 22:17:17 +0400
committerNihad Abbasov <narkoz.2008@gmail.com>2012-09-26 22:18:35 +0400
commit83efcabc829083f11553df0f1eb67a8fbbc3e000 (patch)
tree2017dc24ab9630ad9a227dffde27550ededcc92f /config
parent4629cc44d6b7fa7ebdec8ce47bb0825e255d7763 (diff)
set activerecord whitelist_attributes to true
Diffstat (limited to 'config')
-rw-r--r--config/application.rb6
-rw-r--r--config/environments/development.rb2
-rw-r--r--config/environments/test.rb3
3 files changed, 10 insertions, 1 deletions
diff --git a/config/application.rb b/config/application.rb
index ad41f19657f..27de3fa2436 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -39,6 +39,12 @@ module Gitlab
# Configure sensitive parameters which will be filtered from the log file.
config.filter_parameters += [:password]
+ # Enforce whitelist mode for mass assignment.
+ # This will create an empty whitelist of attributes available for mass-assignment for all models
+ # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+ # parameters by using an attr_accessible or attr_protected declaration.
+ config.active_record.whitelist_attributes = true
+
# Enable the asset pipeline
config.assets.enabled = true
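Review bot: The added comment above `config.active_record.whitelist_attributes = true` presents `attr_protected` as an equal alternative to `attr_accessible`. As far as I know, in Rails 3.2 a model that declares `attr_protected` switches back to blacklist behaviour for that model, so any attribute not listed becomes mass-assignable again. I would reword the last comment line to something like `# parameters with attr_accessible; avoid attr_protected, which puts the model back in blacklist mode.` The diffstat is limited to config/, so this page does not show whether the models were given `attr_accessible` declarations. The enclosing `module Gitlab` block starts and ends outside the hunk.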
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 87b095e27a1..38400d17c8b 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -33,7 +33,7 @@ Gitlab::Application.configure do
# Raise exception on mass assignment protection for Active Record models
config.active_record.mass_assignment_sanitizer = :strict
-
+
# Log the query plan for queries taking more than this (works
# with SQLite, MySQL, and PostgreSQL)
config.active_record.auto_explain_threshold_in_seconds = 0.5
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 1e7765d9719..f5816e42b7f 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -34,6 +34,9 @@ Gitlab::Application.configure do
# like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql
+ # Raise exception on mass assignment protection for Active Record models
+ # config.active_record.mass_assignment_sanitizer = :strict
+
# Print deprecation notices to the stderr
config.active_support.deprecation = :stderr
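Review bot: The `:strict` sanitizer on the second added line is commented out, so the test environment keeps the default sanitizer, which in Rails 3.2 (as I understand it) logs and drops rejected attributes instead of raising. With whitelist mode switched on in config/application.rb by this same commit, a model missing an `attr_accessible` entry would silently lose attributes under test rather than fail the spec. I would enable it as development.rb already does, `config.active_record.mass_assignment_sanitizer = :strict`, or say in the comment why it is left off. The `Gitlab::Application.configure` block starts and ends outside the hunk.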