feat(profiles): add strong params

app/controllers/profiles_controller.rb

@@ -47,7 +47,7 @@ class ProfilesController < ApplicationController
                else
                  current_user.profile
                end
-    @profile.update_attributes(params[:profile])
+    @profile.update_attributes(profile_params)
     json_saved @profile, 'Profile updated'
   end
 
@@ -69,4 +69,10 @@ class ProfilesController < ApplicationController
       redirect_to root_url
     end
   end
+
+  private
+
+  def profile_params
+    params.require(:profile).permit(:registered, :mini_bio, :first_name, :last_name, :name, :phone, :address, :email, :city, :state_code, :zip_code, :privacy_settings, :picture, :anonymous, :city_state, :user_id)
+  end
 end

app/models/profile.rb

@@ -2,24 +2,22 @@
 
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 class Profile < ApplicationRecord
-  # TODO
-  # attr_accessible \
-  #   :registered, # bool
-  #   :mini_bio,
-  #   :first_name, # str
-  #   :last_name, # str
-  #   :name,
-  #   :phone, # str
-  #   :address, # str
-  #   :email, # str
-  #   :city, # str
-  #   :state_code, # str (eg. CA)
-  #   :zip_code, # str
-  #   :privacy_settings, # text [str]: XXX deprecated
-  #   :picture, # str: either their social network pic or a stored pic on S3
-  #   :anonymous, # bool: negates all privacy_settings
-  #   :city_state,
-  #   :user_id
+  # :registered, # bool
+  # :mini_bio,
+  # :first_name, # str
+  # :last_name, # str
+  # :name,
+  # :phone, # str
+  # :address, # str
+  # :email, # str
+  # :city, # str
+  # :state_code, # str (eg. CA)
+  # :zip_code, # str
+  # :privacy_settings, # text [str]: XXX deprecated
+  # :picture, # str: either their social network pic or a stored pic on S3
+  # :anonymous, # bool: negates all privacy_settings
+  # :city_state,
+  # :user_id
 
   validates :email, format: { with: Email::Regex }, allow_blank: true