diff options
author | schneems <richard.schneeman@gmail.com> | 2016-01-19 11:45:34 -0600 |
---|---|---|
committer | schneems <richard.schneeman@gmail.com> | 2016-01-19 12:05:44 -0600 |
commit | 66d705b3e7c03f806f7481e0e6a1f157dcf86f83 (patch) | |
tree | eb9ebf1e2adb8d59f657116bf2c298185cad936a | |
parent | 3ea4476942d2ba5ddc0d3b2d1f3730455661b06a (diff) | |
download | rails-66d705b3e7c03f806f7481e0e6a1f157dcf86f83.tar.gz rails-66d705b3e7c03f806f7481e0e6a1f157dcf86f83.tar.bz2 rails-66d705b3e7c03f806f7481e0e6a1f157dcf86f83.zip |
[close #23084] Deprecated StrongParameters
We can provide a more flexible upgrade experience by warning users they are using unsafe methods instead of forcing the safe API by deprecating before removal. This PR provides this functionality.
-rw-r--r-- | actionpack/lib/action_controller/metal/strong_parameters.rb | 16 | ||||
-rw-r--r-- | actionpack/test/controller/required_params_test.rb | 6 |
2 files changed, 22 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb index 5cbf4157a4..043f69b7bc 100644 --- a/actionpack/lib/action_controller/metal/strong_parameters.rb +++ b/actionpack/lib/action_controller/metal/strong_parameters.rb @@ -580,6 +580,22 @@ module ActionController dup end + def method_missing(method_sym, *args, &block) + if @parameters.respond_to?(method_sym) + message = <<-DEPRECATE.squish + Method #{ method_sym } is deprecated and will be removed in Rails 5.1, as `ActionController::Parameters` no longer inherit from + hash. Using this deprecated behavior exposes potential security problems. if you continue to use this method + you may be creating a security vulunerability in your app that can be exploited. Instead, consider using one + of these public methods that will not be deprecated: + #{ public_methods.inspect } + DEPRECATE + ActiveSupport::Deprecation.warn(message) + @parameters.public_send(method_sym, *args, &block) + else + super + end + end + protected def permitted=(new_permitted) @permitted = new_permitted diff --git a/actionpack/test/controller/required_params_test.rb b/actionpack/test/controller/required_params_test.rb index 168f64ce41..129a713564 100644 --- a/actionpack/test/controller/required_params_test.rb +++ b/actionpack/test/controller/required_params_test.rb @@ -65,4 +65,10 @@ class ParametersRequireTest < ActiveSupport::TestCase .require([:first_name, :title]) end end + + test "Deprecated method are deprecated" do + assert_deprecated do + ActionController::Parameters.new(foo: "bar").merge!({bar: "foo"}) + end + end end |