diff options
| author | David Heinemeier Hansson <david@loudthinking.com> | 2013-01-08 15:52:00 +0100 |
|---|---|---|
| committer | David Heinemeier Hansson <david@loudthinking.com> | 2013-01-08 15:52:18 +0100 |
| commit | ae3286b74346023a868d63c53cde562b1529ef2c (patch) | |
| tree | 6635474cb1f8dc941ad477525201d20b1aea219b /actionpack | |
| parent | 4f002a1df3ee37349e278ba64ef29602ee637ac5 (diff) | |
| download | rails-ae3286b74346023a868d63c53cde562b1529ef2c.tar.gz rails-ae3286b74346023a868d63c53cde562b1529ef2c.tar.bz2 rails-ae3286b74346023a868d63c53cde562b1529ef2c.zip | |
Never treat action or controller as unpermitted params
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/lib/action_controller/metal/strong_parameters.rb | 21 | ||||
| -rw-r--r-- | actionpack/test/controller/parameters/raise_on_unpermitted_parameters_test.rb | 10 |
2 files changed, 25 insertions, 6 deletions
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb index 5ea1b2cc1a..3691dc699f 100644 --- a/actionpack/lib/action_controller/metal/strong_parameters.rb +++ b/actionpack/lib/action_controller/metal/strong_parameters.rb @@ -95,6 +95,10 @@ module ActionController cattr_accessor :permit_all_parameters, instance_accessor: false cattr_accessor :raise_on_unpermitted_parameters, instance_accessor: false + # Never raise an UnpermittedParameters exception because of these params + # are present. They are added by Rails and it's of no concern. + NEVER_UNPERMITTED_PARAMS = %w( controller action ) + # Returns a new instance of <tt>ActionController::Parameters</tt>. # Also, sets the +permitted+ attribute to the default value of # <tt>ActionController::Parameters.permit_all_parameters</tt>. @@ -251,12 +255,7 @@ module ActionController end end - if Parameters.raise_on_unpermitted_parameters - unpermitted_keys = self.keys - params.keys - if unpermitted_keys.any? - raise ActionController::UnpermittedParameters.new(unpermitted_keys) - end - end + raise_on_unpermitted_parameters!(params) params.permit! end @@ -336,6 +335,16 @@ module ActionController yield object end end + + def raise_on_unpermitted_parameters!(params) + if self.class.raise_on_unpermitted_parameters && unpermitted_keys(params).any? + raise ActionController::UnpermittedParameters.new(unpermitted_keys(params)) + end + end + + def unpermitted_keys(params) + self.keys - params.keys - NEVER_UNPERMITTED_PARAMS + end end # == Strong \Parameters diff --git a/actionpack/test/controller/parameters/raise_on_unpermitted_parameters_test.rb b/actionpack/test/controller/parameters/raise_on_unpermitted_parameters_test.rb index 747b8123ea..3cedc16730 100644 --- a/actionpack/test/controller/parameters/raise_on_unpermitted_parameters_test.rb +++ b/actionpack/test/controller/parameters/raise_on_unpermitted_parameters_test.rb @@ -30,4 +30,14 @@ class RaiseOnUnpermittedParametersTest < ActiveSupport::TestCase params.permit(book: [:pages]) end end + + test "action and controller keys are safe to ignore" do + params = ActionController::Parameters.new({ + action: 'index', controller: 'stuff', book: { pages: 65 } + }) + + assert_nothing_raised do + params.permit(book: [:pages]) + end + end end |