Add config.action_controller.permit_all_attributes to bypass StrongParameters protection

3 files changed, 7 insertions, 1 deletions

diff --git a/actionpack/lib/action_controller.rb b/actionpack/lib/action_controller.rb
index e76dc954d9..1a13d7af29 100644
--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@@ -2,6 +2,7 @@ require 'active_support/rails'
 require 'abstract_controller'
 require 'action_dispatch'
 require 'action_controller/metal/live'
+require 'action_controller/metal/strong_parameters'
 
 module ActionController
   extend ActiveSupport::Autoload
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index b027901f28..8a2f63dfcd 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -13,12 +13,13 @@ module ActionController
   end
 
   class Parameters < ActiveSupport::HashWithIndifferentAccess
+    cattr_accessor :permit_all_parameters, instance_accessor: false
     attr_accessor :permitted
     alias :permitted? :permitted
 
     def initialize(attributes = nil)
       super(attributes)
-      @permitted = false
+      @permitted = self.class.permit_all_parameters
     end
 
     def permit!
diff --git a/actionpack/lib/action_controller/railtie.rb b/actionpack/lib/action_controller/railtie.rb
index 3ecc105e22..d7e8194bf6 100644
--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -19,6 +19,10 @@ module ActionController
       ActionController::Helpers.helpers_path = app.helpers_paths
     end
 
+    initializer "action_controller.parameters_config" do |app|
+      ActionController::Parameters.permit_all_parameters = app.config.action_controller.delete(:permit_all_parameters)
+    end
+
     initializer "action_controller.set_configs" do |app|
       paths   = app.config.paths
       options = app.config.action_controller