Extract permitted params constant in api controllers

app/controllers/api/v1/accounts/credentials_controller.rb

@@ -5,6 +5,19 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
   before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:update]
   before_action :require_user!
 
+  PERMITTED_PARAMS = [
+    :avatar,
+    :bot,
+    :discoverable,
+    :display_name,
+    :header,
+    :hide_collections,
+    :indexable,
+    :locked,
+    :note,
+    fields_attributes: [:name, :value],
+  ].freeze
+
   def show
     @account = current_account
     render json: @account, serializer: REST::CredentialAccountSerializer
@@ -23,18 +36,9 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
   private
 
   def account_params
-    params.permit(
+    params
-      :display_name,
+      .slice(*PERMITTED_PARAMS)
-      :note,
+      .permit(*PERMITTED_PARAMS)
-      :avatar,
-      :header,
-      :locked,
-      :bot,
-      :discoverable,
-      :hide_collections,
-      :indexable,
-      fields_attributes: [:name, :value]
-    )
   end
 
   def user_params

app/controllers/api/v1/admin/account_actions_controller.rb

@@ -3,6 +3,14 @@
 class Api::V1::Admin::AccountActionsController < Api::BaseController
   include Authorization
 
+  PERMITTED_PARAMS = %i(
+    report_id
+    send_email_notification
+    text
+    type
+    warning_preset_id
+  ).freeze
+
   before_action -> { authorize_if_got_token! :'admin:write', :'admin:write:accounts' }
   before_action :set_account
 
@@ -26,12 +34,8 @@ class Api::V1::Admin::AccountActionsController < Api::BaseController
   end
 
   def resource_params
-    params.permit(
+    params
-      :type,
+      .slice(*PERMITTED_PARAMS)
-      :report_id,
+      .permit(*PERMITTED_PARAMS)
-      :warning_preset_id,
-      :text,
-      :send_email_notification
-    )
   end
 end

app/controllers/api/v1/admin/accounts_controller.rb

@@ -108,7 +108,9 @@ class Api::V1::Admin::AccountsController < Api::BaseController
   end
 
   def filter_params
-    params.permit(*FILTER_PARAMS)
+    params
+      .slice(*FILTER_PARAMS)
+      .permit(*FILTER_PARAMS)
   end
 
   def translated_filter_params

app/controllers/api/v1/admin/domain_blocks_controller.rb

@@ -14,6 +14,15 @@ class Api::V1::Admin::DomainBlocksController < Api::BaseController
   after_action :verify_authorized
   after_action :insert_pagination_headers, only: :index
 
+  PERMITTED_PARAMS = %i(
+    obfuscate
+    private_comment
+    public_comment
+    reject_media
+    reject_reports
+    severity
+  ).freeze
+
   def index
     authorize :domain_block, :index?
     render json: @domain_blocks, each_serializer: REST::Admin::DomainBlockSerializer
@@ -72,7 +81,9 @@ class Api::V1::Admin::DomainBlocksController < Api::BaseController
   end
 
   def domain_block_params
-    params.permit(:severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate)
+    params
+      .slice(*PERMITTED_PARAMS)
+      .permit(*PERMITTED_PARAMS)
   end
 
   def next_path

app/controllers/api/v1/admin/ip_blocks_controller.rb

@@ -14,6 +14,13 @@ class Api::V1::Admin::IpBlocksController < Api::BaseController
   after_action :verify_authorized
   after_action :insert_pagination_headers, only: :index
 
+  PERMITTED_PARAMS = %i(
+    comment
+    expires_in
+    ip
+    severity
+  ).freeze
+
   def index
     authorize :ip_block, :index?
     render json: @ip_blocks, each_serializer: REST::Admin::IpBlockSerializer
@@ -56,7 +63,9 @@ class Api::V1::Admin::IpBlocksController < Api::BaseController
   end
 
   def resource_params
-    params.permit(:ip, :severity, :comment, :expires_in)
+    params
+      .slice(*PERMITTED_PARAMS)
+      .permit(*PERMITTED_PARAMS)
   end
 
   def next_path

app/controllers/api/v1/lists_controller.rb

@@ -11,6 +11,12 @@ class Api::V1::ListsController < Api::BaseController
     render json: { error: e.to_s }, status: 422
   end
 
+  PERMITTED_PARAMS = %i(
+    exclusive
+    replies_policy
+    title
+  ).freeze
+
   def index
     @lists = List.where(account: current_account).all
     render json: @lists, each_serializer: REST::ListSerializer
@@ -42,6 +48,8 @@ class Api::V1::ListsController < Api::BaseController
   end
 
   def list_params
-    params.permit(:title, :replies_policy, :exclusive)
+    params
+      .slice(*PERMITTED_PARAMS)
+      .permit(*PERMITTED_PARAMS)
   end
 end

app/controllers/api/v1/reports_controller.rb

@@ -6,6 +6,17 @@ class Api::V1::ReportsController < Api::BaseController
 
   override_rate_limit_headers :create, family: :reports
 
+  PERMITTED_PARAMS = [
+    :account_id,
+    :category,
+    :comment,
+    :forward,
+    :rule_ids,
+    forward_to_domains: [],
+    rule_ids: [],
+    status_ids: [],
+  ].freeze
+
   def create
     @report = ReportService.new.call(
       current_account,
@@ -23,6 +34,6 @@ class Api::V1::ReportsController < Api::BaseController
   end
 
   def report_params
-    params.permit(:account_id, :comment, :category, :forward, forward_to_domains: [], status_ids: [], rule_ids: [])
+    params.permit(*PERMITTED_PARAMS)
   end
 end

app/controllers/api/v1/statuses/reblogs_controller.rb

@@ -11,6 +11,10 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
 
   override_rate_limit_headers :create, family: :statuses
 
+  PERMITTED_PARAMS = %i(
+    visibility
+  ).freeze
+
   def create
     with_redis_lock("reblog:#{current_account.id}:#{@reblog.id}") do
       @status = ReblogService.new.call(current_account, @reblog, reblog_params)
@@ -50,6 +54,8 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
   end
 
   def reblog_params
-    params.permit(:visibility)
+    params
+      .slice(*PERMITTED_PARAMS)
+      .permit(*PERMITTED_PARAMS)
   end
 end

app/controllers/api/v2/filters/keywords_controller.rb

@@ -8,6 +8,11 @@ class Api::V2::Filters::KeywordsController < Api::BaseController
   before_action :set_keywords, only: :index
   before_action :set_keyword, only: [:show, :update, :destroy]
 
+  PERMITTED_PARAMS = %i(
+    keyword
+    whole_word
+  ).freeze
+
   def index
     render json: @keywords, each_serializer: REST::FilterKeywordSerializer
   end
@@ -45,6 +50,8 @@ class Api::V2::Filters::KeywordsController < Api::BaseController
   end
 
   def resource_params
-    params.permit(:keyword, :whole_word)
+    params
+      .slice(*PERMITTED_PARAMS)
+      .permit(*PERMITTED_PARAMS)
   end
 end

app/controllers/api/v2/filters/statuses_controller.rb

@@ -8,6 +8,10 @@ class Api::V2::Filters::StatusesController < Api::BaseController
   before_action :set_status_filters, only: :index
   before_action :set_status_filter, only: [:show, :destroy]
 
+  PERMITTED_PARAMS = %i(
+    status_id
+  ).freeze
+
   def index
     render json: @status_filters, each_serializer: REST::FilterStatusSerializer
   end
@@ -39,6 +43,8 @@ class Api::V2::Filters::StatusesController < Api::BaseController
   end
 
   def resource_params
-    params.permit(:status_id)
+    params
+      .slice(*PERMITTED_PARAMS)
+      .permit(*PERMITTED_PARAMS)
   end
 end

app/controllers/api/v2/search_controller.rb

@@ -5,6 +5,17 @@ class Api::V2::SearchController < Api::BaseController
 
   RESULTS_LIMIT = 20
 
+  SEARCH_PARAMS = %i(
+    account_id
+    following
+    max_id
+    min_id
+    offset
+    q
+    resolve
+    type
+  ).freeze
+
   before_action -> { authorize_if_got_token! :read, :'read:search' }
   before_action :validate_search_params!
 
@@ -63,6 +74,7 @@ class Api::V2::SearchController < Api::BaseController
   end
 
   def search_params
-    params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)
+    params
+      .permit(*SEARCH_PARAMS)
   end
 end