feat(event_discounts ): add strong params

app/controllers/event_discounts_controller.rb

@@ -6,9 +6,9 @@ class EventDiscountsController < ApplicationController
   before_action :authenticate_event_editor!, except: [:index]
 
   def create
-    params[:event_discount][:event_id] = current_event.id
+    event_discount_params[:event_id] = current_event.id
 
-    render JsonResp.new(params[:event_discount]) do |_data|
+    render JsonResp.new(event_discount_params) do |_data|
       requires(:code, :name).as_string
       requires(:event_id, :percent).as_int
     end.when_valid do |data|
@@ -23,7 +23,7 @@ class EventDiscountsController < ApplicationController
   def update
     discount = Hamster.to_ruby(
       Psql.execute(
-        Qexpr.new.update(:event_discounts, params[:event_discount])
+        Qexpr.new.update(:event_discounts, event_discount_params)
         .where('id=$id', id: params[:id])
         .returning('*')
       ).first
@@ -38,4 +38,10 @@ class EventDiscountsController < ApplicationController
         .where('event_discounts.id=$id', id: params['id'])
     )
   end
+
+  private
+  
+  def event_discount_params
+    params.required(:event_discount).permit(:code, :event_id, :name, :percent)
+  end
 end

app/models/event_discount.rb

@@ -2,8 +2,6 @@
 
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 class EventDiscount < ApplicationRecord
-  # TODO
-  # attr_accessible \
   # :code,
   # :event_id,
   # :name,