diff options
author | Santiago Pastorino <santiago@wyeworks.com> | 2012-10-12 00:50:20 -0200 |
---|---|---|
committer | Santiago Pastorino <santiago@wyeworks.com> | 2012-10-12 01:01:26 -0200 |
commit | bdd105d8b91c5d0881ab78e36a65a79fdca4a7fb (patch) | |
tree | 4a4057eccbf31f3231a5ebc593c04ea69a68fdf9 /actionpack/lib/action_controller/metal | |
parent | b91a90e49606719a65fecd7c9d703f45df7b7f73 (diff) | |
download | rails-bdd105d8b91c5d0881ab78e36a65a79fdca4a7fb.tar.gz rails-bdd105d8b91c5d0881ab78e36a65a79fdca4a7fb.tar.bz2 rails-bdd105d8b91c5d0881ab78e36a65a79fdca4a7fb.zip |
When executing permit with just a key that points to a hash, DO NOT allow all the hash
params.require(:person).permit(:projects_attributes) was returning
=> {"projects_attributes"=>{"0"=>{"name"=>"Project 1"}}}
When should return
=> {}
You should be doing ...
params.require(:person).permit(projects_attributes: :name)
to get just the projects attributes you want to allow
Diffstat (limited to 'actionpack/lib/action_controller/metal')
-rw-r--r-- | actionpack/lib/action_controller/metal/strong_parameters.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb index 398454d39f..a6250f5d03 100644 --- a/actionpack/lib/action_controller/metal/strong_parameters.rb +++ b/actionpack/lib/action_controller/metal/strong_parameters.rb @@ -177,7 +177,10 @@ module ActionController filters.each do |filter| case filter when Symbol, String then - params[filter] = self[filter] if has_key?(filter) + if has_key?(filter) + value = self[filter] + params[filter] = value unless Hash === value + end keys.grep(/\A#{Regexp.escape(filter)}\(\di\)\z/) { |key| params[key] = self[key] } when Hash then self.slice(*filter.keys).each do |key, values| |