authorRafael Mendonça França <rafaelmfranca@gmail.com>2017-04-11 21:45:39 -0400
committerRafael Mendonça França <rafaelmfranca@gmail.com>2017-04-18 17:33:23 -0400
commitfd88ccc905549c61e0e4525fcb68b91d20b9afe9 (patch)
treebdb5f528a4e317cab9d810161dae2498a38928fe /actionpack/test/controller
parent1396b05e5a36859a9730e7a4a56abba02c41c0d6 (diff)
downloadrails-fd88ccc905549c61e0e4525fcb68b91d20b9afe9.tar.gz
rails-fd88ccc905549c61e0e4525fcb68b91d20b9afe9.tar.bz2
rails-fd88ccc905549c61e0e4525fcb68b91d20b9afe9.zip
Raise exception when calling to_h in a unfiltered Parameters
Before, we returned either an empty hash or only the always permitted parameters (:controller and :action by default). The previous behavior was dangerous because, in order to get the attributes, users usually fall back to using to_unsafe_h, which could potentially introduce security issues. The to_unsafe_h API is also not good, since Parameters is an object that quacks like a Hash but not in all cases: to_h would return an empty hash, and users were forced to check whether to_unsafe_h is defined or whether the instance is an ActionController::Parameters in order to work with it. This ends up coupling a lot of libraries and parts of the application with something that is from the controller layer.
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r--actionpack/test/controller/parameters/parameters_permit_test.rb19
1 files changed, 4 insertions, 15 deletions
diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb
index e5bb553855..2616b040d1 100644
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -377,10 +377,10 @@ class ParametersPermitTest < ActiveSupport::TestCase
assert_equal "32", @params[:person].permit([ :age ])[:age]
end
- test "to_h returns empty hash on unpermitted params" do
- assert @params.to_h.is_a? ActiveSupport::HashWithIndifferentAccess
- assert_not @params.to_h.is_a? ActionController::Parameters
- assert @params.to_h.empty?
+ test "to_h raises UnfilteredParameters on unfiltered params" do
+ assert_raises(ActionController::UnfilteredParameters) do
+ @params.to_h
+ end
end
test "to_h returns converted hash on permitted params" do
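Review bot: The rewritten `to_h raises UnfilteredParameters on unfiltered params` test covers only the shared `@params` fixture, which is built outside this hunk. The second hunk deletes the one test that exercised a Parameters carrying the always-permitted `:controller`/`:action` keys, and no replacement is visible. That case is where `to_h` used to return a partial hash, so it is worth pinning explicitly, assuming `to_h` is meant to raise there too (the page does not show the implementation): `assert_raises(ActionController::UnfilteredParameters) { ActionController::Parameters.new(controller: "users", action: "create").to_h }`. A one-line comment above the test, such as `# to_h must fail closed on unpermitted params; callers should permit, not reach for to_unsafe_h`, would record why the exception is the expected result.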
@@ -403,17 +403,6 @@ class ParametersPermitTest < ActiveSupport::TestCase
end
end
- test "to_h returns always permitted parameter on unpermitted params" do
- params = ActionController::Parameters.new(
- controller: "users",
- action: "create",
- user: {
- name: "Sengoku Nadeko"
- }
- )
-
- assert_equal({ "controller" => "users", "action" => "create" }, params.to_h)
- end
test "to_unsafe_h returns unfiltered params" do
assert @params.to_unsafe_h.is_a? ActiveSupport::HashWithIndifferentAccess