Add config.action_controller.permit_all_attributes to bypass StrongParameters protection

author: Guillermo Iguaran <guilleiguaran@gmail.com> 2012-08-30 16:36:59 -0500
committer: Guillermo Iguaran <guilleiguaran@gmail.com> 2012-09-16 23:58:21 -0500
commit: 1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5 (patch)
tree: 5901dbcaf12030a473edb6f463e8e4af9fe6391a
parent: 1e1bee3ab985e47fae49d9fd5d2ca946f5d9c533 (diff)
download: rails-1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5.tar.gz
rails-1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5.tar.bz2
rails-1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5.zip
5 files changed, 43 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller.rb b/actionpack/lib/action_controller.rb
index e76dc954d9..1a13d7af29 100644
--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@@ -2,6 +2,7 @@ require 'active_support/rails'
 require 'abstract_controller'
 require 'action_dispatch'
 require 'action_controller/metal/live'
+require 'action_controller/metal/strong_parameters'
 
 module ActionController
   extend ActiveSupport::Autoload
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index b027901f28..8a2f63dfcd 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -13,12 +13,13 @@ module ActionController
   end
 
   class Parameters < ActiveSupport::HashWithIndifferentAccess
+    cattr_accessor :permit_all_parameters, instance_accessor: false
     attr_accessor :permitted
     alias :permitted? :permitted
 
     def initialize(attributes = nil)
       super(attributes)
-      @permitted = false
+      @permitted = self.class.permit_all_parameters
     end
 
     def permit!
diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb
index 3ecc105e22..d7e8194bf6 100644
--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -19,6 +19,10 @@ module ActionController
       ActionController::Helpers.helpers_path = app.helpers_paths
     end
 
+    initializer "action_controller.parameters_config" do |app|
+      ActionController::Parameters.permit_all_parameters = app.config.action_controller.delete(:permit_all_parameters)
+    end
+
     initializer "action_controller.set_configs" do |app|
       paths   = app.config.paths
       options = app.config.action_controller
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index f143e22d2e..7fe8e6051b 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -56,4 +56,18 @@ class ParametersPermitTest < ActiveSupport::TestCase
     @params.permit!
     assert_equal @params.permitted?, @params.dup.permitted?
   end
+
+  test "permitted takes a default value when Parameters.permit_all_parameters is set" do
+    begin
+      ActionController::Parameters.permit_all_parameters = true
+      params = ActionController::Parameters.new({ person: {
+        age: "32", name: { first: "David", last: "Heinemeier Hansson" }
+      }})
+
+      assert params.slice(:person).permitted?
+      assert params[:person][:name].permitted?
+    ensure
+      ActionController::Parameters.permit_all_parameters = false
+    end
+  end
 end
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index cac9fa3525..ed51949b1e 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -560,6 +560,28 @@ module ApplicationTests
       assert_equal '{"title"=>"foo"}', last_response.body
     end
 
+    test "config.action_controller.permit_all_parameters = true" do
+      app_file 'app/controllers/posts_controller.rb', <<-RUBY
+      class PostsController < ActionController::Base
+        def create
+          render :text => params[:post].permitted? ? "permitted" : "forbidden"
+        end
+      end
+      RUBY
+
+      add_to_config <<-RUBY
+        routes.prepend do
+          resources :posts
+        end
+        config.action_controller.permit_all_parameters = true
+      RUBY
+
+      require "#{app_path}/config/environment"
+
+      post "/posts", {:post => {"title" =>"zomg"}}
+      assert_equal 'permitted', last_response.body
+    end
+
     test "config.action_dispatch.ignore_accept_header" do
       make_basic_app do |app|
         app.config.action_dispatch.ignore_accept_header = true
author	Guillermo Iguaran <guilleiguaran@gmail.com>	2012-08-30 16:36:59 -0500
committer	Guillermo Iguaran <guilleiguaran@gmail.com>	2012-09-16 23:58:21 -0500
commit	1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5 (patch)
tree	5901dbcaf12030a473edb6f463e8e4af9fe6391a
parent	1e1bee3ab985e47fae49d9fd5d2ca946f5d9c533 (diff)
download	rails-1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5.tar.gz rails-1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5.tar.bz2 rails-1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5.zip