From 8f1b33cabd224daa507fbef9330f11ffa2cfe0b5 Mon Sep 17 00:00:00 2001
From: Luis Castro
Date: Tue, 6 Aug 2019 16:07:18 +0200
Subject: [PATCH] feat(payments): add strong params
---
 app/controllers/nonprofits/payments_controller.rb | 8 +++++++-
 app/models/payment_import.rb | 3 ++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/app/controllers/nonprofits/payments_controller.rb b/app/controllers/nonprofits/payments_controller.rb
index e579fad9..75665c39 100644
--- a/app/controllers/nonprofits/payments_controller.rb
+++ b/app/controllers/nonprofits/payments_controller.rb
@@ -45,7 +45,7 @@ module Nonprofits
 def update
 @payment = current_nonprofit.payments.find(params[:id])
- @payment.update_attributes(params[:payment])
+ @payment.update_attributes(payment_params)
 json_saved @payment
 end
@@ -76,5 +76,11 @@ module Nonprofits
 PaymentMailer.resend_admin_receipt(params[:id], current_user.id)
 render json: {}
 end
+
+ private
+
+ def payment_params
+ params.require(:payment).permit(:towards, :gross_amount, :refund_total, :fee_total, :kind, :date)
+ end
 end # class PaymentsController
 end # module Nonprofits
diff --git a/app/models/payment_import.rb b/app/models/payment_import.rb
index 4d9fa279..244c9e69 100644
--- a/app/models/payment_import.rb
+++ b/app/models/payment_import.rb
@@ -2,7 +2,8 @@
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 class PaymentImport < ApplicationRecord
- # attr_accessible :nonprofit, :user
+ # :nonprofit,
+ # :user
 has_and_belongs_to_many :donations
 belongs_to :nonprofit
 belongs_to :user
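Review bot: `update_attributes` in `update` is deprecated from Rails 6.0 in favour of `update`, and the same patch shows models inheriting from `ApplicationRecord`, so the new line is better written as `@payment.update(payment_params)`. The result of the call is discarded and the record is handed to `json_saved`, which presumably reports validation errors; that helper is not visible here, so confirm a failed save is not answered as a success. The finder is scoped through `current_nonprofit.payments`, which keeps the lookup inside the tenant, but any role check for this action sits outside the hunk.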
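Review bot: The permit list in `payment_params` accepts `:gross_amount`, `:refund_total`, `:fee_total` and `:kind` from the request body, so `update` can overwrite the recorded money fields of any payment reachable through `current_nonprofit.payments`. If any of these values are derived from a processor charge or refund rather than entered by staff (not visible in this hunk), they should be left out of the list or the finder in `update` should be limited to the payment kinds that are meant to be hand-edited. Permitting `:kind` deserves a second look, since changing it could move a record between those categories. A comment above the method would record the intent, for example `# Fields staff may edit on manually recorded payments; amounts on processor-backed payments must not change here.` The enclosing class starts outside the hunk, so any existing `before_action` guard cannot be checked from here.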