diff options
author | Xavier Noria <fxn@hashref.com> | 2013-01-20 17:59:53 +0100 |
---|---|---|
committer | Xavier Noria <fxn@hashref.com> | 2013-01-20 17:59:53 +0100 |
commit | cbec22ce5783c9530b3e2735a8e13eeeca00e0d2 (patch) | |
tree | ecad6bfedddfbd7a82060c2f10cdf3d3252a715c /actionpack/test/controller/parameters/nested_parameters_test.rb | |
parent | 996aba341ace42393f4e2cd7c00489dac20f2bd3 (diff) | |
download | rails-cbec22ce5783c9530b3e2735a8e13eeeca00e0d2.tar.gz rails-cbec22ce5783c9530b3e2735a8e13eeeca00e0d2.tar.bz2 rails-cbec22ce5783c9530b3e2735a8e13eeeca00e0d2.zip |
strong parameters filters permitted scalars
Diffstat (limited to 'actionpack/test/controller/parameters/nested_parameters_test.rb')
-rw-r--r-- | actionpack/test/controller/parameters/nested_parameters_test.rb | 56 |
1 files changed, 43 insertions, 13 deletions
diff --git a/actionpack/test/controller/parameters/nested_parameters_test.rb b/actionpack/test/controller/parameters/nested_parameters_test.rb index 6df849c4e2..8aec159499 100644 --- a/actionpack/test/controller/parameters/nested_parameters_test.rb +++ b/actionpack/test/controller/parameters/nested_parameters_test.rb @@ -2,6 +2,10 @@ require 'abstract_unit' require 'action_controller/metal/strong_parameters' class NestedParametersTest < ActiveSupport::TestCase + def assert_filtered_out(params, key) + assert !params.has_key?(key), "key #{key.inspect} has not been filtered out" + end + test "permitted nested parameters" do params = ActionController::Parameters.new({ book: { @@ -11,6 +15,8 @@ class NestedParametersTest < ActiveSupport::TestCase born: "1564-04-26" }, { name: "Christopher Marlowe" + }, { + :name => %w(malicious injected names) }], details: { pages: 200, @@ -30,10 +36,12 @@ class NestedParametersTest < ActiveSupport::TestCase assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] assert_equal 200, permitted[:book][:details][:pages] - assert_nil permitted[:book][:id] - assert_nil permitted[:book][:details][:genre] - assert_nil permitted[:book][:authors][0][:born] - assert_nil permitted[:magazine] + + assert_filtered_out permitted, :magazine + assert_filtered_out permitted[:book], :id + assert_filtered_out permitted[:book][:details], :genre + assert_filtered_out permitted[:book][:authors][0], :born + assert_filtered_out permitted[:book][:authors][2], :name end test "permitted nested parameters with a string or a symbol as a key" do @@ -68,7 +76,7 @@ class NestedParametersTest < ActiveSupport::TestCase } }) - permitted = params.permit :book => :genres + permitted = params.permit :book => {:genres => []} assert_equal ["Tragedy"], permitted[:book][:genres] end @@ -124,19 +132,41 @@ class NestedParametersTest < ActiveSupport::TestCase test "fields_for-style nested params" do params = ActionController::Parameters.new({ - book: { - authors_attributes: { - :'0' => { name: 'William Shakespeare', age_of_death: '52' }, - :'-1' => { name: 'Unattributed Assistant' } + :book => { + :authors_attributes => { + :'0' => { :name => 'William Shakespeare', :age_of_death => '52' }, + :'1' => { :name => 'Unattributed Assistant' }, + :'2' => { :name => %w(injected names)} } } }) - permitted = params.permit book: { authors_attributes: [ :name ] } + permitted = params.permit :book => { :authors_attributes => [ :name ] } assert_not_nil permitted[:book][:authors_attributes]['0'] - assert_not_nil permitted[:book][:authors_attributes]['-1'] - assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death] + assert_not_nil permitted[:book][:authors_attributes]['1'] + assert_empty permitted[:book][:authors_attributes]['2'] assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name] - assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-1'][:name] + assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name] + + assert_filtered_out permitted[:book][:authors_attributes]['0'], :age_of_death + end + + test "fields_for-style nested params with negative numbers" do + params = ActionController::Parameters.new({ + :book => { + :authors_attributes => { + :'-1' => { :name => 'William Shakespeare', :age_of_death => '52' }, + :'-2' => { :name => 'Unattributed Assistant' } + } + } + }) + permitted = params.permit :book => { :authors_attributes => [:name] } + + assert_not_nil permitted[:book][:authors_attributes]['-1'] + assert_not_nil permitted[:book][:authors_attributes]['-2'] + assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name] + assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name] + + assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death end end |