cleanup of passed parameters, user_id and user_type are extracted from current user and not used from the passed POST values..

app/assets/javascripts/editor.js

@@ -510,7 +510,6 @@ $(function() {
       var jqxhr = $.ajax({
         data: {
           comment: {
-            user_id: user_id,
             file_id: file_id,
             row: row,
             column: 0,
@@ -1014,7 +1013,6 @@ $(function() {
       url: '/request_for_comments',
       data: {
         request_for_comment: {
-          requestor_user_id: user_id,
           exercise_id: exercise_id,
           file_id: file_id,
           "requested_at(1i)": 2015, // these are the timestamp values that the request handler demands

app/controllers/comments_controller.rb

@@ -75,7 +75,7 @@ class CommentsController < ApplicationController
   # POST /comments
   # POST /comments.json
   def create
-    @comment = Comment.new(comment_params.merge(user_type: current_user.class.name))
+    @comment = Comment.new(comment_params)
 
     respond_to do |format|
       if @comment.save
@@ -135,6 +135,6 @@ class CommentsController < ApplicationController
     def comment_params
       #params.require(:comment).permit(:user_id, :file_id, :row, :column, :text)
       # fuer production mode, damit böse menschen keine falsche user_id uebergeben:
-      params.require(:comment).permit(:file_id, :row, :column, :text).merge(user_id: current_user.id)
+      params.require(:comment).permit(:file_id, :row, :column, :text).merge(user_id: current_user.id, user_type: current_user.class.name)
     end
 end

app/controllers/request_for_comments_controller.rb

@@ -66,6 +66,6 @@ class RequestForCommentsController < ApplicationController
 
     # Never trust parameters from the scary internet, only allow the white list through.
     def request_for_comment_params
-      params.require(:request_for_comment).permit(:requestor_user_id, :exercise_id, :file_id, :requested_at)
+      params.require(:request_for_comment).permit(:exercise_id, :file_id, :requested_at).merge(requestor_user_id: current_user.id, user_type: current_user.class.name)
     end
 end