From 2b5f7394dd27b55b12768afe38275b7f76e21d3f Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Wed, 13 Oct 2021 14:12:06 +0100
Subject: [PATCH] Be stricter about the params we allow mass updates on

---
 app/controllers/case_logs_controller.rb | 2 +-
 app/models/case_log.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index f0f3d587e..dbc9df1d6 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -90,6 +90,6 @@ private
   def create_params
     return {} unless params[:case_log]
 
-    params.require(:case_log).permit(CaseLog.new.attributes.keys)
+    params.require(:case_log).permit(CaseLog.editable_fields)
   end
 end
diff --git a/app/models/case_log.rb b/app/models/case_log.rb
index 74b1187cd..bcbbc432a 100644
--- a/app/models/case_log.rb
+++ b/app/models/case_log.rb
@@ -47,4 +47,8 @@ class CaseLog < ApplicationRecord
     mandatory_fields = attributes.except(*AUTOGENERATED_FIELDS)
     mandatory_fields.none? { |_key, val| val.nil? }
   end
+
+  def self.editable_fields
+    attribute_names - AUTOGENERATED_FIELDS
+  end
 end
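Review bot: `permit(CaseLog.editable_fields)` is still a denylist rather than an allowlist: every column of the table that is not named in `AUTOGENERATED_FIELDS` stays mass-assignable, so any column added by a later migration (an ownership or status column, say) becomes writable from request params until someone remembers to extend the constant. The same point applies to the model hunk that defines `editable_fields`. An explicit list of user-editable attribute names in the model, or at minimum a spec that pins the exact array returned by `CaseLog.editable_fields` so a new migration fails the suite, would make the restriction deliberate instead of schema-dependent. The `private` section and the controller class around `create_params` start outside the hunk.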
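Review bot: `self.editable_fields` carries no comment stating that it is the strong-parameters permit list the controller relies on, so a maintainer trimming `AUTOGENERATED_FIELDS` for validation reasons will not see that doing so also widens mass assignment. Suggest adding above the def: `# Attribute names that may be set from request params (strong parameters); everything not in AUTOGENERATED_FIELDS is editable, so new columns are writable by default.` Whether `AUTOGENERATED_FIELDS` holds strings that match the entries of `attribute_names` is not visible here; `attributes.except(*AUTOGENERATED_FIELDS)` on the context line above suggests string keys, but that should be confirmed. The `CaseLog` class body starts outside the hunk.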