adds support for arbitrary hashes in strong parameters

author: Xavier Noria <fxn@hashref.com> 2016-11-08 09:58:58 +0100
committer: Xavier Noria <fxn@hashref.com> 2016-11-11 23:31:50 +0100
commit: e86524c0c5a26ceec92895c830d1355ae47a7034 (patch)
tree: 35bed8b96f65678e5da98af61262dc0f4368bd91 /actionpack/lib/action_controller
parent: a5e933410dcbf097c5f180ec7ce9b3567a9e3514 (diff)
download: rails-e86524c0c5a26ceec92895c830d1355ae47a7034.tar.gz
rails-e86524c0c5a26ceec92895c830d1355ae47a7034.tar.bz2
rails-e86524c0c5a26ceec92895c830d1355ae47a7034.zip
1 files changed, 45 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 98aacd53ab..fc9cec1e33 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -334,6 +334,15 @@ module ActionController
     #   params = ActionController::Parameters.new(tags: ['rails', 'parameters'])
     #   params.permit(tags: [])
     #
+    # Sometimes it is not possible or convenient to declare the valid keys of
+    # a hash parameter or its internal structure. Just map to an empty hash:
+    #
+    #   params.permit(preferences: {})
+    #
+    # but be careful because this opens the door to arbitrary input. In this
+    # case, +permit+ ensures values in the returned structure are permitted
+    # scalars and filters out anything else.
+    #
     # You can also use +permit+ on nested parameters, like:
     #
     #   params = ActionController::Parameters.new({
@@ -766,6 +775,7 @@ module ActionController
       end
 
       EMPTY_ARRAY = []
+      EMPTY_HASH  = {}
       def hash_filter(params, filter)
         filter = filter.with_indifferent_access
 
@@ -779,6 +789,11 @@ module ActionController
             array_of_permitted_scalars?(self[key]) do |val|
               params[key] = val
             end
+          elsif filter[key] == EMPTY_HASH
+            # Declaration { preferences: {} }
+            if value.is_a?(Parameters)
+              params[key] = permit_any_in_parameters(value)
+            end
           elsif non_scalar?(value)
             # Declaration { user: :name } or { user: [:name, :age, { address: ... }] }.
             params[key] = each_element(value) do |element|
@@ -788,6 +803,36 @@ module ActionController
         end
       end
 
+      def permit_any_in_parameters(params)
+        self.class.new.tap do |sanitized|
+          params.each do |key, value|
+            if permitted_scalar?(value)
+              sanitized[key] = value
+            elsif value.is_a?(Array)
+              sanitized[key] = permit_any_in_array(value)
+            elsif value.is_a?(Parameters)
+              sanitized[key] = permit_any_in_parameters(value)
+            else
+              # Filter this one out.
+            end
+          end
+        end
+      end
+
+      def permit_any_in_array(array)
+        [].tap do |sanitized|
+          array.each do |element|
+            if permitted_scalar?(element)
+              sanitized << element
+            elsif element.is_a?(Parameters)
+              sanitized << permit_any_in_parameters(element)
+            else
+              # Filter this one out.
+            end
+          end
+        end
+      end
+
       def initialize_copy(source)
         super
         @parameters = @parameters.dup
author	Xavier Noria <fxn@hashref.com>	2016-11-08 09:58:58 +0100
committer	Xavier Noria <fxn@hashref.com>	2016-11-11 23:31:50 +0100
commit	e86524c0c5a26ceec92895c830d1355ae47a7034 (patch)
tree	35bed8b96f65678e5da98af61262dc0f4368bd91 /actionpack/lib/action_controller
parent	a5e933410dcbf097c5f180ec7ce9b3567a9e3514 (diff)
download	rails-e86524c0c5a26ceec92895c830d1355ae47a7034.tar.gz rails-e86524c0c5a26ceec92895c830d1355ae47a7034.tar.bz2 rails-e86524c0c5a26ceec92895c830d1355ae47a7034.zip