added strong params to comments_controller to prevent users from editing attributes which are not intended to be edited, also created specs to test this behaviour

app/controllers/comments_controller.rb

@@ -55,7 +55,7 @@ class CommentsController < ApplicationController
 
   # PATCH/PUT /comments/1.json
   def update
-    if @comment.update(comment_params_without_request_id)
+    if @comment.update(comment_params_for_update)
       render :show, status: :ok, location: @comment
     else
       render json: @comment.errors, status: :unprocessable_entity
@@ -77,6 +77,10 @@ class CommentsController < ApplicationController
     @comment = Comment.find(params[:id])
   end
 
+  def comment_params_for_update
+    params.require(:comment).permit(:text)
+  end
+
   def comment_params_without_request_id
     comment_params.except :request_id
   end