aboutsummaryrefslogtreecommitdiffstats
path: root/railties
diff options
context:
space:
mode:
authorDavid Heinemeier Hansson <david@loudthinking.com>2012-09-18 12:33:13 -0700
committerDavid Heinemeier Hansson <david@loudthinking.com>2012-09-18 12:33:13 -0700
commitc49d959e9d40101f1712a452004695f4ce27d84c (patch)
treef87077668c14ed414e3d819212b0813e74551c8f /railties
parentade701045f0f80399d99151e5583d4f86c68678e (diff)
parent3919fcd61ef999aab9397332ce3017870b184766 (diff)
downloadrails-c49d959e9d40101f1712a452004695f4ce27d84c.tar.gz
rails-c49d959e9d40101f1712a452004695f4ce27d84c.tar.bz2
rails-c49d959e9d40101f1712a452004695f4ce27d84c.zip
Merge pull request #7251 from rails/integrate-strong_parameters
Integrate strong_parameters in Rails 4
Diffstat (limited to 'railties')
-rw-r--r--railties/lib/rails/generators/rails/app/templates/config/application.rb5
-rw-r--r--railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt3
-rw-r--r--railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt5
-rw-r--r--railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb2
-rw-r--r--railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb16
-rw-r--r--railties/test/application/configuration_test.rb35
-rw-r--r--railties/test/application/loading_test.rb1
-rw-r--r--railties/test/generators/app_generator_test.rb15
-rw-r--r--railties/test/generators/model_generator_test.rb10
-rw-r--r--railties/test/generators/scaffold_controller_generator_test.rb7
-rw-r--r--railties/test/generators/scaffold_generator_test.rb8
-rw-r--r--railties/test/isolation/abstract_unit.rb3
12 files changed, 47 insertions, 63 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/config/application.rb b/railties/lib/rails/generators/rails/app/templates/config/application.rb
index 09b08d5663..f7d8f718de 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/application.rb
+++ b/railties/lib/rails/generators/rails/app/templates/config/application.rb
@@ -46,11 +46,6 @@ module <%= app_const_base %>
# like if you have constraints or database-specific column types.
# config.active_record.schema_format = :sql
- # Enforce whitelist mode for mass assignment.
- # This will create an empty whitelist of attributes available for mass-assignment for all models
- # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
- # parameters by using an attr_accessible or attr_protected declaration.
- <%= comment_if :skip_active_record %>config.active_record.whitelist_attributes = true
<% unless options.skip_sprockets? -%>
# Enable the asset pipeline.
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt
index bcd0e7c898..6b5b3a0b1f 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/environments/development.rb.tt
@@ -23,9 +23,6 @@
config.action_dispatch.best_standards_support = :builtin
<%- unless options.skip_active_record? -%>
- # Raise exception on mass assignment protection for Active Record models.
- config.active_record.mass_assignment_sanitizer = :strict
-
# Log the query plan for queries taking more than this (works
# with SQLite, MySQL, and PostgreSQL).
config.active_record.auto_explain_threshold_in_seconds = 0.5
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
index 75897ba8cd..202fc98adf 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt
@@ -31,11 +31,6 @@
# ActionMailer::Base.deliveries array.
config.action_mailer.delivery_method = :test
- <%- unless options.skip_active_record? -%>
- # Raise exception on mass assignment protection for Active Record models.
- config.active_record.mass_assignment_sanitizer = :strict
- <%- end -%>
-
# Print deprecation notices to the stderr.
config.active_support.deprecation = :stderr
diff --git a/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb b/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb
index 0618b16984..f30ad6e20d 100644
--- a/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb
+++ b/railties/lib/rails/generators/rails/scaffold_controller/scaffold_controller_generator.rb
@@ -10,6 +10,8 @@ module Rails
class_option :orm, :banner => "NAME", :type => :string, :required => true,
:desc => "ORM to generate the controller for"
+ argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
+
def create_controller_files
template "controller.rb", File.join('app/controllers', class_path, "#{controller_file_name}_controller.rb")
end
diff --git a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
index b3e74f9b02..5d038d20e7 100644
--- a/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
+++ b/railties/lib/rails/generators/rails/scaffold_controller/templates/controller.rb
@@ -45,7 +45,7 @@ class <%= controller_class_name %>Controller < ApplicationController
# POST <%= route_url %>
# POST <%= route_url %>.json
def create
- @<%= singular_table_name %> = <%= orm_class.build(class_name, "params[:#{singular_table_name}]") %>
+ @<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %>
respond_to do |format|
if @<%= orm_instance.save %>
@@ -64,7 +64,7 @@ class <%= controller_class_name %>Controller < ApplicationController
@<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
respond_to do |format|
- if @<%= orm_instance.update_attributes("params[:#{singular_table_name}]") %>
+ if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %>
format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> }
format.json { head :no_content }
else
@@ -85,5 +85,17 @@ class <%= controller_class_name %>Controller < ApplicationController
format.json { head :no_content }
end
end
+
+ private
+
+ # Use this method to whitelist the permissible parameters. Example: params.require(:person).permit(:name, :age)
+ # Also, you can specialize this method with per-user checking of permissible attributes.
+ def <%= "#{singular_table_name}_params" %>
+ <%- if attributes.empty? -%>
+ params[<%= ":#{singular_table_name}" %>]
+ <%- else -%>
+ params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>)
+ <%- end -%>
+ end
end
<% end -%>
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index 428c90afd0..d014e5e362 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -358,19 +358,6 @@ module ApplicationTests
assert_equal "utf-16", ActionDispatch::Response.default_charset
end
- test "sets all Active Record models to whitelist all attributes by default" do
- add_to_config <<-RUBY
- config.active_record.whitelist_attributes = true
- RUBY
-
- require "#{app_path}/config/environment"
-
- klass = Class.new(ActiveRecord::Base)
-
- assert_equal ActiveModel::MassAssignmentSecurity::WhiteList, klass.active_authorizers[:default].class
- assert_equal [], klass.active_authorizers[:default].to_a
- end
-
test "registers interceptors with ActionMailer" do
add_to_config <<-RUBY
config.action_mailer.interceptors = MyMailInterceptor
@@ -595,6 +582,28 @@ module ApplicationTests
assert_equal '{"title"=>"foo"}', last_response.body
end
+ test "config.action_controller.permit_all_parameters = true" do
+ app_file 'app/controllers/posts_controller.rb', <<-RUBY
+ class PostsController < ActionController::Base
+ def create
+ render :text => params[:post].permitted? ? "permitted" : "forbidden"
+ end
+ end
+ RUBY
+
+ add_to_config <<-RUBY
+ routes.prepend do
+ resources :posts
+ end
+ config.action_controller.permit_all_parameters = true
+ RUBY
+
+ require "#{app_path}/config/environment"
+
+ post "/posts", {:post => {"title" =>"zomg"}}
+ assert_equal 'permitted', last_response.body
+ end
+
test "config.action_dispatch.ignore_accept_header" do
make_basic_app do |app|
app.config.action_dispatch.ignore_accept_header = true
diff --git a/railties/test/application/loading_test.rb b/railties/test/application/loading_test.rb
index e0286502f3..fcbc3c048c 100644
--- a/railties/test/application/loading_test.rb
+++ b/railties/test/application/loading_test.rb
@@ -20,7 +20,6 @@ class LoadingTest < ActiveSupport::TestCase
app_file "app/models/post.rb", <<-MODEL
class Post < ActiveRecord::Base
validates_acceptance_of :title, :accept => "omg"
- attr_accessible :title
end
MODEL
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
index 3ceb8c22a0..e7b6a20b32 100644
--- a/railties/test/generators/app_generator_test.rb
+++ b/railties/test/generators/app_generator_test.rb
@@ -212,7 +212,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
run_generator [destination_root, "--skip-active-record"]
assert_no_file "config/database.yml"
assert_file "config/application.rb", /#\s+require\s+["']active_record\/railtie["']/
- assert_file "config/application.rb", /#\s+config\.active_record\.whitelist_attributes = true/
assert_file "test/test_helper.rb" do |helper_content|
assert_no_match(/fixtures :all/, helper_content)
end
@@ -343,15 +342,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
end
end
- def test_generated_environments_file_for_sanitizer
- run_generator [destination_root, "--skip-active-record"]
- %w(development test).each do |env|
- assert_file "config/environments/#{env}.rb" do |file|
- assert_no_match(/config.active_record.mass_assignment_sanitizer = :strict/, file)
- end
- end
- end
-
def test_generated_environments_file_for_auto_explain
run_generator [destination_root, "--skip-active-record"]
%w(development production).each do |env|
@@ -361,11 +351,6 @@ class AppGeneratorTest < Rails::Generators::TestCase
end
end
- def test_active_record_whitelist_attributes_is_present_application_config
- run_generator
- assert_file "config/application.rb", /config\.active_record\.whitelist_attributes = true/
- end
-
def test_pretend_option
output = run_generator [File.join(destination_root, "myapp"), "--pretend"]
assert_no_match(/run bundle install/, output)
diff --git a/railties/test/generators/model_generator_test.rb b/railties/test/generators/model_generator_test.rb
index ec33bd7c6b..436de26826 100644
--- a/railties/test/generators/model_generator_test.rb
+++ b/railties/test/generators/model_generator_test.rb
@@ -328,14 +328,4 @@ class ModelGeneratorTest < Rails::Generators::TestCase
end
end
end
-
- def test_attr_accessible_added_with_non_reference_attributes
- run_generator
- assert_file 'app/models/account.rb', /attr_accessible :age, :name/
- end
-
- def test_attr_accessible_added_with_comments_when_no_attributes_present
- run_generator ["Account"]
- assert_file 'app/models/account.rb', /# attr_accessible :title, :body/
- end
end
diff --git a/railties/test/generators/scaffold_controller_generator_test.rb b/railties/test/generators/scaffold_controller_generator_test.rb
index 1eea50b0d9..1e16f04d85 100644
--- a/railties/test/generators/scaffold_controller_generator_test.rb
+++ b/railties/test/generators/scaffold_controller_generator_test.rb
@@ -33,14 +33,14 @@ class ScaffoldControllerGeneratorTest < Rails::Generators::TestCase
end
assert_instance_method :create, content do |m|
- assert_match(/@user = User\.new\(params\[:user\]\)/, m)
+ assert_match(/@user = User\.new\(user_params\)/, m)
assert_match(/@user\.save/, m)
assert_match(/@user\.errors/, m)
end
assert_instance_method :update, content do |m|
assert_match(/@user = User\.find\(params\[:id\]\)/, m)
- assert_match(/@user\.update_attributes\(params\[:user\]\)/, m)
+ assert_match(/@user\.update_attributes\(user_params\)/, m)
assert_match(/@user\.errors/, m)
end
@@ -48,6 +48,9 @@ class ScaffoldControllerGeneratorTest < Rails::Generators::TestCase
assert_match(/@user = User\.find\(params\[:id\]\)/, m)
assert_match(/@user\.destroy/, m)
end
+
+ assert_match(/def user_params/, content)
+ assert_match(/params\.require\(:user\)\.permit\(:age, :name\)/, content)
end
end
diff --git a/railties/test/generators/scaffold_generator_test.rb b/railties/test/generators/scaffold_generator_test.rb
index 9b456c64ef..40c5188042 100644
--- a/railties/test/generators/scaffold_generator_test.rb
+++ b/railties/test/generators/scaffold_generator_test.rb
@@ -43,14 +43,14 @@ class ScaffoldGeneratorTest < Rails::Generators::TestCase
end
assert_instance_method :create, content do |m|
- assert_match(/@product_line = ProductLine\.new\(params\[:product_line\]\)/, m)
+ assert_match(/@product_line = ProductLine\.new\(product_line_params\)/, m)
assert_match(/@product_line\.save/, m)
assert_match(/@product_line\.errors/, m)
end
assert_instance_method :update, content do |m|
assert_match(/@product_line = ProductLine\.find\(params\[:id\]\)/, m)
- assert_match(/@product_line\.update_attributes\(params\[:product_line\]\)/, m)
+ assert_match(/@product_line\.update_attributes\(product_line_params\)/, m)
assert_match(/@product_line\.errors/, m)
end
@@ -166,14 +166,14 @@ class ScaffoldGeneratorTest < Rails::Generators::TestCase
end
assert_instance_method :create, content do |m|
- assert_match(/@admin_role = Admin::Role\.new\(params\[:admin_role\]\)/, m)
+ assert_match(/@admin_role = Admin::Role\.new\(admin_role_params\)/, m)
assert_match(/@admin_role\.save/, m)
assert_match(/@admin_role\.errors/, m)
end
assert_instance_method :update, content do |m|
assert_match(/@admin_role = Admin::Role\.find\(params\[:id\]\)/, m)
- assert_match(/@admin_role\.update_attributes\(params\[:admin_role\]\)/, m)
+ assert_match(/@admin_role\.update_attributes\(admin_role_params\)/, m)
assert_match(/@admin_role\.errors/, m)
end
diff --git a/railties/test/isolation/abstract_unit.rb b/railties/test/isolation/abstract_unit.rb
index 07a7faa3af..0f36eb67e5 100644
--- a/railties/test/isolation/abstract_unit.rb
+++ b/railties/test/isolation/abstract_unit.rb
@@ -253,9 +253,6 @@ module TestHelpers
def use_frameworks(arr)
to_remove = [:actionmailer,
:activerecord] - arr
- if to_remove.include? :activerecord
- remove_from_config "config.active_record.whitelist_attributes = true"
- end
$:.reject! {|path| path =~ %r'/(#{to_remove.join('|')})/' }
end