diff options
| author | Sean Griffin <sean@seantheprogrammer.com> | 2016-04-15 09:08:47 -0600 |
|---|---|---|
| committer | Sean Griffin <sean@seantheprogrammer.com> | 2016-04-15 09:09:50 -0600 |
| commit | 94a1edbc023fd82bf96705d86abc85d2eab14ba3 (patch) | |
| tree | 762f16eca798d76e047640b6d7a85f22c2ba0b48 /actionpack | |
| parent | b1f4c4bbcfe31999636130dea478c076ec595fe7 (diff) | |
| download | rails-94a1edbc023fd82bf96705d86abc85d2eab14ba3.tar.gz rails-94a1edbc023fd82bf96705d86abc85d2eab14ba3.tar.bz2 rails-94a1edbc023fd82bf96705d86abc85d2eab14ba3.zip | |
Filter scalar values when params permit hashes or arrays
This brings the behavior more inline with other similar cases, such as
receiving a hash when an array of scalars was expected. Prior to this
commit, the key would be present, but the value would be `nil`
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/lib/action_controller/metal/strong_parameters.rb | 6 | ||||
| -rw-r--r-- | actionpack/test/controller/parameters/parameters_permit_test.rb | 9 |
2 files changed, 14 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb index 64672de57e..f9b80dd805 100644 --- a/actionpack/lib/action_controller/metal/strong_parameters.rb +++ b/actionpack/lib/action_controller/metal/strong_parameters.rb @@ -756,6 +756,10 @@ module ActionController end end + def non_scalar?(value) + value.is_a?(Array) || value.is_a?(Parameters) + end + EMPTY_ARRAY = [] def hash_filter(params, filter) filter = filter.with_indifferent_access @@ -770,7 +774,7 @@ module ActionController array_of_permitted_scalars?(self[key]) do |val| params[key] = val end - else + elsif non_scalar?(value) # Declaration { user: :name } or { user: [:name, :age, { address: ... }] }. params[key] = each_element(value) do |element| element.permit(*Array.wrap(filter[key])) diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb index 96048e2868..b75eb0e3bf 100644 --- a/actionpack/test/controller/parameters/parameters_permit_test.rb +++ b/actionpack/test/controller/parameters/parameters_permit_test.rb @@ -360,4 +360,13 @@ class ParametersPermitTest < ActiveSupport::TestCase assert @params.include? 'person' assert_not @params.include? :gorilla end + + test "scalar values should be filtered when array or hash is specified" do + params = ActionController::Parameters.new(foo: "bar") + + assert params.permit(:foo).has_key?(:foo) + refute params.permit(foo: []).has_key?(:foo) + refute params.permit(foo: [:bar]).has_key?(:foo) + refute params.permit(foo: :bar).has_key?(:foo) + end end |