diff options
Diffstat (limited to 'actionpack/test/controller/parameters/nested_parameters_permit_test.rb')
| -rw-r--r-- | actionpack/test/controller/parameters/nested_parameters_permit_test.rb | 177 |
1 files changed, 177 insertions, 0 deletions
diff --git a/actionpack/test/controller/parameters/nested_parameters_permit_test.rb b/actionpack/test/controller/parameters/nested_parameters_permit_test.rb new file mode 100644 index 0000000000..5f86901e30 --- /dev/null +++ b/actionpack/test/controller/parameters/nested_parameters_permit_test.rb @@ -0,0 +1,177 @@ +require "abstract_unit" +require "action_controller/metal/strong_parameters" + +class NestedParametersPermitTest < ActiveSupport::TestCase + def assert_filtered_out(params, key) + assert !params.has_key?(key), "key #{key.inspect} has not been filtered out" + end + + test "permitted nested parameters" do + params = ActionController::Parameters.new( + book: { + title: "Romeo and Juliet", + authors: [{ + name: "William Shakespeare", + born: "1564-04-26" + }, { + name: "Christopher Marlowe" + }, { + name: %w(malicious injected names) + }], + details: { + pages: 200, + genre: "Tragedy" + }, + id: { + isbn: "x" + } + }, + magazine: "Mjallo!") + + permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages }, :id ] + + assert permitted.permitted? + assert_equal "Romeo and Juliet", permitted[:book][:title] + assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] + assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] + assert_equal 200, permitted[:book][:details][:pages] + + assert_filtered_out permitted, :magazine + assert_filtered_out permitted[:book], :id + assert_filtered_out permitted[:book][:details], :genre + assert_filtered_out permitted[:book][:authors][0], :born + assert_filtered_out permitted[:book][:authors][2], :name + end + + test "permitted nested parameters with a string or a symbol as a key" do + params = ActionController::Parameters.new( + book: { + "authors" => [ + { name: "William Shakespeare", born: "1564-04-26" }, + { name: "Christopher Marlowe" } + ] + }) + + permitted = params.permit book: [ { "authors" => [ :name ] } ] + + assert_equal "William Shakespeare", permitted[:book]["authors"][0][:name] + assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] + assert_equal "Christopher Marlowe", permitted[:book]["authors"][1][:name] + assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] + + permitted = params.permit book: [ { authors: [ :name ] } ] + + assert_equal "William Shakespeare", permitted[:book]["authors"][0][:name] + assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] + assert_equal "Christopher Marlowe", permitted[:book]["authors"][1][:name] + assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] + end + + test "nested arrays with strings" do + params = ActionController::Parameters.new( + book: { + genres: ["Tragedy"] + }) + + permitted = params.permit book: { genres: [] } + assert_equal ["Tragedy"], permitted[:book][:genres] + end + + test "permit may specify symbols or strings" do + params = ActionController::Parameters.new( + book: { + title: "Romeo and Juliet", + author: "William Shakespeare" + }, + magazine: "Shakespeare Today") + + permitted = params.permit({ book: ["title", :author] }, "magazine") + assert_equal "Romeo and Juliet", permitted[:book][:title] + assert_equal "William Shakespeare", permitted[:book][:author] + assert_equal "Shakespeare Today", permitted[:magazine] + end + + test "nested array with strings that should be hashes" do + params = ActionController::Parameters.new( + book: { + genres: ["Tragedy"] + }) + + permitted = params.permit book: { genres: :type } + assert_empty permitted[:book][:genres] + end + + test "nested array with strings that should be hashes and additional values" do + params = ActionController::Parameters.new( + book: { + title: "Romeo and Juliet", + genres: ["Tragedy"] + }) + + permitted = params.permit book: [ :title, { genres: :type } ] + assert_equal "Romeo and Juliet", permitted[:book][:title] + assert_empty permitted[:book][:genres] + end + + test "nested string that should be a hash" do + params = ActionController::Parameters.new( + book: { + genre: "Tragedy" + }) + + permitted = params.permit book: { genre: :type } + assert_nil permitted[:book][:genre] + end + + test "fields_for-style nested params" do + params = ActionController::Parameters.new( + book: { + authors_attributes: { + '0': { name: "William Shakespeare", age_of_death: "52" }, + '1': { name: "Unattributed Assistant" }, + '2': { name: %w(injected names) } + } + }) + permitted = params.permit book: { authors_attributes: [ :name ] } + + assert_not_nil permitted[:book][:authors_attributes]["0"] + assert_not_nil permitted[:book][:authors_attributes]["1"] + assert_empty permitted[:book][:authors_attributes]["2"] + assert_equal "William Shakespeare", permitted[:book][:authors_attributes]["0"][:name] + assert_equal "Unattributed Assistant", permitted[:book][:authors_attributes]["1"][:name] + + assert_filtered_out permitted[:book][:authors_attributes]["0"], :age_of_death + end + + test "fields_for-style nested params with negative numbers" do + params = ActionController::Parameters.new( + book: { + authors_attributes: { + '-1': { name: "William Shakespeare", age_of_death: "52" }, + '-2': { name: "Unattributed Assistant" } + } + }) + permitted = params.permit book: { authors_attributes: [:name] } + + assert_not_nil permitted[:book][:authors_attributes]["-1"] + assert_not_nil permitted[:book][:authors_attributes]["-2"] + assert_equal "William Shakespeare", permitted[:book][:authors_attributes]["-1"][:name] + assert_equal "Unattributed Assistant", permitted[:book][:authors_attributes]["-2"][:name] + + assert_filtered_out permitted[:book][:authors_attributes]["-1"], :age_of_death + end + + test "nested number as key" do + params = ActionController::Parameters.new( + product: { + properties: { + "0" => "prop0", + "1" => "prop1" + } + }) + params = params.require(:product).permit(properties: ["0"]) + assert_not_nil params[:properties]["0"] + assert_nil params[:properties]["1"] + assert_equal "prop0", params[:properties]["0"] + end +end |