author | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-26 18:00:05 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2016-01-26 18:00:49 -0800 |
commit | 00285e7cf75c96553719072a27c27e4ab7d25b40 (patch) | |
tree | 3a5f8f27e6122c9b7f93c43fc720de34e0e3d6bc | |
parent | 9777a97ffaedcec9b95cb1678e4c74b7cac514ea (diff) | |
fix permitted? conditional for `render` calls
-rw-r--r-- | actionpack/lib/abstract_controller/rendering.rb | 9 | ||||
-rw-r--r-- | actionpack/test/controller/render_test.rb | 11 |
2 files changed, 17 insertions, 3 deletions
diff --git a/actionpack/lib/abstract_controller/rendering.rb b/actionpack/lib/abstract_controller/rendering.rb
index 841a4c07ad..e765d73ce4 100644
--- a/actionpack/lib/abstract_controller/rendering.rb
+++ b/actionpack/lib/abstract_controller/rendering.rb
@@ -82,9 +82,12 @@ module AbstractController
 # <tt>render :file => "foo/bar"</tt>.
 # :api: plugin
 def _normalize_args(action=nil, options={})
- if action.respond_to?(:permitted?) && action.permitted?
- raise ArgumentError, "render parameters are not permitted"
- action
+ if action.respond_to?(:permitted?)
+ if action.permitted?
+ action
+ else
+ raise ArgumentError, "render parameters are not permitted"
+ end
 elsif action.is_a?(Hash)
 action
 else
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index db73de6010..f205b96ce8 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -66,6 +66,10 @@ class TestController < ActionController::Base
 render params[:id] # => String, AC:Params
 end
 
+ def dynamic_render_permit
+ render params[:id].permit(:file)
+ end
+
 def dynamic_render_with_file
 # This is extremely bad, but should be possible to do.
 file = params[:id] # => String, AC:Params
@@ -273,6 +277,13 @@ class ExpiresInRenderTest < ActionController::TestCase
 end
 end
 
+ def test_permitted_dynamic_render_file_hash
+ assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+ response = get :dynamic_render_permit, { id: { file: '../\\../test/abstract_unit.rb' } }
+ assert_equal File.read(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')),
+ response.body
+ end
+
 def test_dynamic_render_file_hash
 assert_raises ArgumentError do
 get :dynamic_render, params: { id: { file: '../\\../test/abstract_unit.rb' } }
|
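Review bot: The `permitted?` gate in the new `if action.respond_to?(:permitted?)` branch only records that the developer whitelisted the keys; it says nothing about whether their values are safe to hand to `render`, and the test added in this same commit shows a permitted `:file` key still resolving `'../\\../test/abstract_unit.rb'` to a file read. A comment on the `action` branch would keep the next maintainer from reading this check as a path-traversal defense: `# permitted? only proves the keys were whitelisted, not that values such as :file or :inline are safe to render`. The permitted object is also returned as-is rather than as a plain Hash, so whatever consumes the return value presumably has to accept a Parameters object alongside the Hash branch below it — worth confirming, since only the Hash branch is visible here. `_normalize_args` continues past the end of the hunk.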
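Review bot: `dynamic_render_permit` lets the request choose the rendered file through `params[:id].permit(:file)` but, unlike its sibling `dynamic_render_with_file` a few lines below, carries no warning that this is deliberately unsafe test-only code. Mirroring that sibling's comment, `# Deliberately unsafe: permits a caller-chosen :file so the test can show permitted? does not restrict values.`, would stop the action from being copied as a pattern. The enclosing `TestController` class starts and ends outside the hunk.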
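Review bot: The new test passes the request parameters positionally, `get :dynamic_render_permit, { id: { file: ... } }`, while the adjacent `test_dynamic_render_file_hash` at the bottom of the hunk uses the `params:` keyword form; the two should agree, i.e. `response = get :dynamic_render_permit, params: { id: { file: '../\\../test/abstract_unit.rb' } }`. Because the assertion deliberately proves that a permitted `:file` value escapes the view path and reads `abstract_unit.rb`, a one-line comment such as `# permitted? is not a path check: the traversal is expected to succeed here` would keep a future reader from "fixing" the test by making it expect an error. `ExpiresInRenderTest` starts and ends outside the hunk.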