aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSean Griffin <sean@seantheprogrammer.com>2016-04-15 09:08:47 -0600
committerSean Griffin <sean@seantheprogrammer.com>2016-04-15 09:09:50 -0600
commit94a1edbc023fd82bf96705d86abc85d2eab14ba3 (patch)
tree762f16eca798d76e047640b6d7a85f22c2ba0b48
parentb1f4c4bbcfe31999636130dea478c076ec595fe7 (diff)
downloadrails-94a1edbc023fd82bf96705d86abc85d2eab14ba3.tar.gz
rails-94a1edbc023fd82bf96705d86abc85d2eab14ba3.tar.bz2
rails-94a1edbc023fd82bf96705d86abc85d2eab14ba3.zip
Filter scalar values when params permit hashes or arrays
This brings the behavior more inline with other similar cases, such as receiving a hash when an array of scalars was expected. Prior to this commit, the key would be present, but the value would be `nil`
-rw-r--r--actionpack/lib/action_controller/metal/strong_parameters.rb6
-rw-r--r--actionpack/test/controller/parameters/parameters_permit_test.rb9
2 files changed, 14 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 64672de57e..f9b80dd805 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -756,6 +756,10 @@ module ActionController
end
end
+ def non_scalar?(value)
+ value.is_a?(Array) || value.is_a?(Parameters)
+ end
+
EMPTY_ARRAY = []
def hash_filter(params, filter)
filter = filter.with_indifferent_access
@@ -770,7 +774,7 @@ module ActionController
array_of_permitted_scalars?(self[key]) do |val|
params[key] = val
end
- else
+ elsif non_scalar?(value)
# Declaration { user: :name } or { user: [:name, :age, { address: ... }] }.
params[key] = each_element(value) do |element|
element.permit(*Array.wrap(filter[key]))
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index 96048e2868..b75eb0e3bf 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -360,4 +360,13 @@ class ParametersPermitTest < ActiveSupport::TestCase
assert @params.include? 'person'
assert_not @params.include? :gorilla
end
+
+ test "scalar values should be filtered when array or hash is specified" do
+ params = ActionController::Parameters.new(foo: "bar")
+
+ assert params.permit(:foo).has_key?(:foo)
+ refute params.permit(foo: []).has_key?(:foo)
+ refute params.permit(foo: [:bar]).has_key?(:foo)
+ refute params.permit(foo: :bar).has_key?(:foo)
+ end
end