authorAaron Patterson <aaron.patterson@gmail.com>2016-01-26 18:00:05 -0800
committerAaron Patterson <aaron.patterson@gmail.com>2016-01-26 18:00:49 -0800
commit00285e7cf75c96553719072a27c27e4ab7d25b40 (patch)
tree3a5f8f27e6122c9b7f93c43fc720de34e0e3d6bc /actionpack
parent9777a97ffaedcec9b95cb1678e4c74b7cac514ea (diff)
fix permitted? conditional for `render` calls
Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/lib/abstract_controller/rendering.rb9
-rw-r--r--actionpack/test/controller/render_test.rb11
2 files changed, 17 insertions, 3 deletions
diff --git a/actionpack/lib/abstract_controller/rendering.rb b/actionpack/lib/abstract_controller/rendering.rb
index 841a4c07ad..e765d73ce4 100644
--- a/actionpack/lib/abstract_controller/rendering.rb
+++ b/actionpack/lib/abstract_controller/rendering.rb
@@ -82,9 +82,12 @@ module AbstractController
# <tt>render :file => "foo/bar"</tt>.
# :api: plugin
def _normalize_args(action=nil, options={})
- if action.respond_to?(:permitted?) && action.permitted?
- raise ArgumentError, "render parameters are not permitted"
- action
+ if action.respond_to?(:permitted?)
+ if action.permitted?
+ action
+ else
+ raise ArgumentError, "render parameters are not permitted"
+ end
elsif action.is_a?(Hash)
action
else
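Review bot: The permitted branch of `_normalize_args` returns `action` as the render options unchanged, so the caller's `permit` list is the only filter between request data and options such as `:file`, and the method's comment does not say so. I would add a comment above the inner `if action.permitted?`, for example `# Permitted params are used as render options verbatim; the permit list is the only filter on keys such as :file.` The test added in this commit shows a `../` path being rendered once `:file` is permitted, so that behaviour looks intended and is worth stating where the decision is made. The method body continues past the end of the hunk.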
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index db73de6010..f205b96ce8 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -66,6 +66,10 @@ class TestController < ActionController::Base
render params[:id] # => String, AC:Params
end
+ def dynamic_render_permit
+ render params[:id].permit(:file)
+ end
+
def dynamic_render_with_file
# This is extremely bad, but should be possible to do.
file = params[:id] # => String, AC:Params
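Review bot: `dynamic_render_permit` has no comment, while the neighbouring `dynamic_render_with_file` is explicitly marked as deliberately unsafe; the new action is the same kind of fixture and should carry the same warning. Suggested: `# Test fixture only: permitting :file lets the request choose the rendered path.` It would also help to note that `params[:id]` has to be a nested hash here, since the comment on the action above says it may be a String, which presumably does not respond to `permit`.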
@@ -273,6 +277,13 @@ class ExpiresInRenderTest < ActionController::TestCase
end
end
+ def test_permitted_dynamic_render_file_hash
+ assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+ response = get :dynamic_render_permit, { id: { file: '../\\../test/abstract_unit.rb' } }
+ assert_equal File.read(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')),
+ response.body
+ end
+
def test_dynamic_render_file_hash
assert_raises ArgumentError do
get :dynamic_render, params: { id: { file: '../\\../test/abstract_unit.rb' } }
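Review bot: `test_permitted_dynamic_render_file_hash` passes the request parameters as a bare positional hash, while `test_dynamic_render_file_hash` directly below uses the `params:` keyword; the two should use the same call form. Suggested: `response = get :dynamic_render_permit, params: { id: { file: '../\\../test/abstract_unit.rb' } }`. The expected path is also built twice with `File.join(File.dirname(__FILE__), ...)`; a single local such as `path = File.join(...)` would keep the existence check and the `File.read` comparison in step. The body of the following test continues outside the hunk.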