Merge pull request #7251 from rails/integrate-strong_parameters

Integrate strong_parameters in Rails 4

5 files changed, 16 insertions, 15 deletions

diff --git a/railties/lib/rails/generators/rails/app/templates/config/application.rb b/railties/lib/rails/generators/rails/app/templates/config/application.rb
index 09b08d5663..f7d8f718de 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/application.rb
+++ b/railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -46,11 +46,6 @@ module <%= app_const_base %>
     # like if you have constraints or database-specific column types.
     # config.active_record.schema_format = :sql
 
-    # Enforce whitelist mode for mass assignment.
-    # This will create an empty whitelist of attributes available for mass-assignment for all models
-    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
-    # parameters by using an attr_accessible or attr_protected declaration.
-    <%= comment_if :skip_active_record %>config.active_record.whitelist_attributes = true
 <% unless options.skip_sprockets? -%>
 
     # Enable the asset pipeline.
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt
index bcd0e7c898..6b5b3a0b1f 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt
@@ -23,9 +23,6 @@
   config.action_dispatch.best_standards_support = :builtin
 
   <%- unless options.skip_active_record? -%>
-  # Raise exception on mass assignment protection for Active Record models.
-  config.active_record.mass_assignment_sanitizer = :strict
-
   # Log the query plan for queries taking more than this (works
   # with SQLite, MySQL, and PostgreSQL).
   config.active_record.auto_explain_threshold_in_seconds = 0.5
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
index 75897ba8cd..202fc98adf 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
@@ -31,11 +31,6 @@
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
 
-  <%- unless options.skip_active_record? -%>
-  # Raise exception on mass assignment protection for Active Record models.
-  config.active_record.mass_assignment_sanitizer = :strict
-  <%- end -%>
-
   # Print deprecation notices to the stderr.
   config.active_support.deprecation = :stderr
 
diff --git a/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb b/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb
index 0618b16984..f30ad6e20d 100644
--- a/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb
+++ b/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb
@@ -10,6 +10,8 @@ module Rails
       class_option :orm, :banner => "NAME", :type => :string, :required => true,
                          :desc => "ORM to generate the controller for"
 
+      argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
+
       def create_controller_files
         template "controller.rb", File.join('app/controllers', class_path, "#{controller_file_name}_controller.rb")
       end
diff --git a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
index b3e74f9b02..5d038d20e7 100644
--- a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
+++ b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
@@ -45,7 +45,7 @@ class <%= controller_class_name %>Controller < ApplicationController
   # POST <%= route_url %>
   # POST <%= route_url %>.json
   def create
-    @<%= singular_table_name %> = <%= orm_class.build(class_name, "params[:#{singular_table_name}]") %>
+    @<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %>
 
     respond_to do |format|
       if @<%= orm_instance.save %>
@@ -64,7 +64,7 @@ class <%= controller_class_name %>Controller < ApplicationController
     @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
 
     respond_to do |format|
-      if @<%= orm_instance.update_attributes("params[:#{singular_table_name}]") %>
+      if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %>
         format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> }
         format.json { head :no_content }
       else
@@ -85,5 +85,17 @@ class <%= controller_class_name %>Controller < ApplicationController
       format.json { head :no_content }
     end
   end
+
+  private
+
+    # Use this method to whitelist the permissible parameters. Example: params.require(:person).permit(:name, :age)
+    # Also, you can specialize this method with per-user checking of permissible attributes.
+    def <%= "#{singular_table_name}_params" %>
+      <%- if attributes.empty? -%>
+      params[<%= ":#{singular_table_name}" %>]
+      <%- else -%>
+      params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>)
+      <%- end -%>
+    end
 end
 <% end -%>