diff --git a/app/controllers/event_discounts_controller.rb b/app/controllers/event_discounts_controller.rb
index c696d872..103c8b57 100644
--- a/app/controllers/event_discounts_controller.rb
+++ b/app/controllers/event_discounts_controller.rb
@@ -6,9 +6,9 @@ class EventDiscountsController < ApplicationController
 before_action :authenticate_event_editor!, except: [:index]
 def create
- params[:event_discount][:event_id] = current_event.id
+ event_discount_params[:event_id] = current_event.id
- render JsonResp.new(params[:event_discount]) do |_data|
+ render JsonResp.new(event_discount_params) do |_data|
 requires(:code, :name).as_string
 requires(:event_id, :percent).as_int
 end.when_valid do |data|
@@ -23,7 +23,7 @@ class EventDiscountsController < ApplicationController
 def update
 discount = Hamster.to_ruby(
 Psql.execute(
- Qexpr.new.update(:event_discounts, params[:event_discount])
+ Qexpr.new.update(:event_discounts, event_discount_params)
 .where('id=$id', id: params[:id])
 .returning('*')
 ).first
@@ -38,4 +38,10 @@ class EventDiscountsController < ApplicationController
 .where('event_discounts.id=$id', id: params['id'])
 )
 end
+
+ private
+
+ def event_discount_params
+ params.required(:event_discount).permit(:code, :event_id, :name, :percent)
+ end
 end
diff --git a/app/models/event_discount.rb b/app/models/event_discount.rb
index 7f7d9e15..cf6d7a1e 100644
--- a/app/models/event_discount.rb
+++ b/app/models/event_discount.rb
@@ -2,12 +2,10 @@
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 class EventDiscount < ApplicationRecord
- # TODO
- # attr_accessible \
- # :code,
- # :event_id,
- # :name,
- # :percent
+ # :code,
+ # :event_id,
+ # :name,
+ # :percent
 belongs_to :event
 has_many :tickets
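Review bot: In `create`, the new `event_discount_params[:event_id] = current_event.id` no longer has any effect, because `event_discount_params` calls `permit` on every invocation and `permit` returns a fresh parameters object. The second call in `JsonResp.new(event_discount_params)` therefore carries whatever `event_id` the client submitted, or none at all. Since `:event_id` is in the permit list, a caller who passes `authenticate_event_editor!` for one event could likely create a discount attached to a different event. Build the value once and override it there: `discount_params = event_discount_params.merge(event_id: current_event.id)` followed by `render JsonResp.new(discount_params) do |_data|`. The body of `create` continues past the hunk.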
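Review bot: In `update`, `event_discount_params` goes straight into `Qexpr.new.update`, and the helper added at the end of this file permits `:event_id`, so a request body can reassign an existing discount to another event. The unchanged `.where('id=$id', id: params[:id])` line also selects the row by id alone, with no visible restriction to `current_event`. Drop `:event_id` from the permit list, `permit(:code, :name, :percent)`, and let `create` set it server-side. If Qexpr's `where` accepts a second binding the same way it takes `id:`, add the event id to the condition as well. Whether `authenticate_event_editor!` already ties `params[:id]` to the current event is not visible here and should be confirmed; `update` continues past the hunk.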