fields_for_style needs to test for AC::Parameters

While iterating an AC::Parameters object, the object will mutate itself and stick AC::Parameters objects where there used to be hashes: https://github.com/rails/rails/blob/f57092ad728fa1de06c4f5fd9d09dcc2c4738fd9/actionpack/lib/action_controller/metal/strong_parameters.rb#L632 If you use `permit` after this iteration, the `fields_for_style` method wouldn't return true because the child objects are now AC::Parameters objects rather than Hashes. fixes #23701
author: Aaron Patterson <aaron.patterson@gmail.com> 2016-02-17 16:12:18 -0800
committer: Aaron Patterson <aaron.patterson@gmail.com> 2016-02-17 16:15:51 -0800
commit: 04b410f83350aa8a9b6f181cc7c37f2c2653300f (patch)
tree: 5d5efc45ebf86ac99483e084687dcc6695b9eed2
parent: f57092ad728fa1de06c4f5fd9d09dcc2c4738fd9 (diff)
download: rails-04b410f83350aa8a9b6f181cc7c37f2c2653300f.tar.gz
rails-04b410f83350aa8a9b6f181cc7c37f2c2653300f.tar.bz2
rails-04b410f83350aa8a9b6f181cc7c37f2c2653300f.zip
2 files changed, 22 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 89b4f12ef7..e17189f9f9 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -602,7 +602,7 @@ module ActionController
       end
 
       def fields_for_style?
-        @parameters.all? { |k, v| k =~ /\A-?\d+\z/ && v.is_a?(Hash) }
+        @parameters.all? { |k, v| k =~ /\A-?\d+\z/ && (v.is_a?(Hash) || v.is_a?(Parameters)) }
       end
 
     private
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index 3299f2d9d0..96048e2868 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -27,6 +27,27 @@ class ParametersPermitTest < ActiveSupport::TestCase
     end
   end
 
+  def walk_permitted params
+    params.each do |k,v|
+      case v
+      when ActionController::Parameters
+        walk_permitted v
+      when Array
+        v.each { |x| walk_permitted v }
+      end
+    end
+  end
+
+  test 'iteration should not impact permit' do
+    hash = {"foo"=>{"bar"=>{"0"=>{"baz"=>"hello", "zot"=>"1"}}}}
+    params = ActionController::Parameters.new(hash)
+
+    walk_permitted params
+
+    sanitized = params[:foo].permit(bar: [:baz])
+    assert_equal({"0"=>{"baz"=>"hello"}}, sanitized[:bar].to_unsafe_h)
+  end
+
   test 'if nothing is permitted, the hash becomes empty' do
     params = ActionController::Parameters.new(id: '1234')
     permitted = params.permit
author	Aaron Patterson <aaron.patterson@gmail.com>	2016-02-17 16:12:18 -0800
committer	Aaron Patterson <aaron.patterson@gmail.com>	2016-02-17 16:15:51 -0800
commit	04b410f83350aa8a9b6f181cc7c37f2c2653300f (patch)
tree	5d5efc45ebf86ac99483e084687dcc6695b9eed2
parent	f57092ad728fa1de06c4f5fd9d09dcc2c4738fd9 (diff)
download	rails-04b410f83350aa8a9b6f181cc7c37f2c2653300f.tar.gz rails-04b410f83350aa8a9b6f181cc7c37f2c2653300f.tar.bz2 rails-04b410f83350aa8a9b6f181cc7c37f2c2653300f.zip