diff options
Diffstat (limited to 'actionpack/test/controller/parameters')
11 files changed, 958 insertions, 385 deletions
diff --git a/actionpack/test/controller/parameters/accessors_test.rb b/actionpack/test/controller/parameters/accessors_test.rb index 97875c3cbb..7789e654d5 100644 --- a/actionpack/test/controller/parameters/accessors_test.rb +++ b/actionpack/test/controller/parameters/accessors_test.rb @@ -1,30 +1,44 @@ -require 'abstract_unit' -require 'action_controller/metal/strong_parameters' -require 'active_support/core_ext/hash/transform_values' +# frozen_string_literal: true + +require "abstract_unit" +require "action_controller/metal/strong_parameters" class ParametersAccessorsTest < ActiveSupport::TestCase setup do + ActionController::Parameters.permit_all_parameters = false + @params = ActionController::Parameters.new( person: { - age: '32', + age: "32", name: { - first: 'David', - last: 'Heinemeier Hansson' + first: "David", + last: "Heinemeier Hansson" }, - addresses: [{city: 'Chicago', state: 'Illinois'}] + addresses: [{ city: "Chicago", state: "Illinois" }] } ) end test "[] retains permitted status" do @params.permit! - assert @params[:person].permitted? - assert @params[:person][:name].permitted? + assert_predicate @params[:person], :permitted? + assert_predicate @params[:person][:name], :permitted? end test "[] retains unpermitted status" do - assert_not @params[:person].permitted? - assert_not @params[:person][:name].permitted? + assert_not_predicate @params[:person], :permitted? + assert_not_predicate @params[:person][:name], :permitted? + end + + test "as_json returns the JSON representation of the parameters hash" do + assert_not @params.as_json.key? "parameters" + assert_not @params.as_json.key? "permitted" + assert @params.as_json.key? "person" + end + + test "to_s returns the string representation of the parameters hash" do + assert_equal '{"person"=>{"age"=>"32", "name"=>{"first"=>"David", "last"=>"Heinemeier Hansson"}, ' \ + '"addresses"=>[{"city"=>"Chicago", "state"=>"Illinois"}]}}', @params.to_s end test "each carries permitted status" do @@ -36,6 +50,14 @@ class ParametersAccessorsTest < ActiveSupport::TestCase @params.each { |key, value| assert_not(value.permitted?) if key == "person" } end + test "each returns key,value array for block with arity 1" do + @params.each do |arg| + assert_kind_of Array, arg + assert_equal "person", arg[0] + assert_kind_of ActionController::Parameters, arg[1] + end + end + test "each_pair carries permitted status" do @params.permit! @params.each_pair { |key, value| assert(value.permitted?) if key == "person" } @@ -45,81 +67,272 @@ class ParametersAccessorsTest < ActiveSupport::TestCase @params.each_pair { |key, value| assert_not(value.permitted?) if key == "person" } end + test "each_pair returns key,value array for block with arity 1" do + @params.each_pair do |arg| + assert_kind_of Array, arg + assert_equal "person", arg[0] + assert_kind_of ActionController::Parameters, arg[1] + end + end + + test "each_value carries permitted status" do + @params.permit! + @params.each_value do |value| + assert_predicate(value, :permitted?) + end + end + + test "each_value carries unpermitted status" do + @params.each_value do |value| + assert_not_predicate(value, :permitted?) + end + end + + test "each_key converts to hash for permitted" do + @params.permit! + @params.each_key { |key| assert_kind_of(String, key) if key == "person" } + end + + test "each_key converts to hash for unpermitted" do + @params.each_key { |key| assert_kind_of(String, key) if key == "person" } + end + + test "empty? returns true when params contains no key/value pairs" do + params = ActionController::Parameters.new + assert_empty params + end + + test "empty? returns false when any params are present" do + assert_not_empty @params + end + test "except retains permitted status" do @params.permit! - assert @params.except(:person).permitted? - assert @params[:person].except(:name).permitted? + assert_predicate @params.except(:person), :permitted? + assert_predicate @params[:person].except(:name), :permitted? end test "except retains unpermitted status" do - assert_not @params.except(:person).permitted? - assert_not @params[:person].except(:name).permitted? + assert_not_predicate @params.except(:person), :permitted? + assert_not_predicate @params[:person].except(:name), :permitted? end test "fetch retains permitted status" do @params.permit! - assert @params.fetch(:person).permitted? - assert @params[:person].fetch(:name).permitted? + assert_predicate @params.fetch(:person), :permitted? + assert_predicate @params[:person].fetch(:name), :permitted? end test "fetch retains unpermitted status" do - assert_not @params.fetch(:person).permitted? - assert_not @params[:person].fetch(:name).permitted? + assert_not_predicate @params.fetch(:person), :permitted? + assert_not_predicate @params[:person].fetch(:name), :permitted? + end + + test "has_key? returns true if the given key is present in the params" do + assert @params.has_key?(:person) + end + + test "has_key? returns false if the given key is not present in the params" do + assert_not @params.has_key?(:address) + end + + test "has_value? returns true if the given value is present in the params" do + params = ActionController::Parameters.new(city: "Chicago", state: "Illinois") + assert params.has_value?("Chicago") + end + + test "has_value? returns false if the given value is not present in the params" do + params = ActionController::Parameters.new(city: "Chicago", state: "Illinois") + assert_not params.has_value?("New York") + end + + test "include? returns true if the given key is present in the params" do + assert @params.include?(:person) + end + + test "include? returns false if the given key is not present in the params" do + assert_not @params.include?(:address) + end + + test "key? returns true if the given key is present in the params" do + assert @params.key?(:person) + end + + test "key? returns false if the given key is not present in the params" do + assert_not @params.key?(:address) + end + + test "keys returns an array of the keys of the params" do + assert_equal ["person"], @params.keys + assert_equal ["age", "name", "addresses"], @params[:person].keys end test "reject retains permitted status" do - assert_not @params.reject { |k| k == "person" }.permitted? + assert_not_predicate @params.reject { |k| k == "person" }, :permitted? end test "reject retains unpermitted status" do @params.permit! - assert @params.reject { |k| k == "person" }.permitted? + assert_predicate @params.reject { |k| k == "person" }, :permitted? end test "select retains permitted status" do @params.permit! - assert @params.select { |k| k == "person" }.permitted? + assert_predicate @params.select { |k| k == "person" }, :permitted? end test "select retains unpermitted status" do - assert_not @params.select { |k| k == "person" }.permitted? + assert_not_predicate @params.select { |k| k == "person" }, :permitted? end test "slice retains permitted status" do @params.permit! - assert @params.slice(:person).permitted? + assert_predicate @params.slice(:person), :permitted? end test "slice retains unpermitted status" do - assert_not @params.slice(:person).permitted? + assert_not_predicate @params.slice(:person), :permitted? end test "transform_keys retains permitted status" do @params.permit! - assert @params.transform_keys { |k| k }.permitted? + assert_predicate @params.transform_keys { |k| k }, :permitted? end test "transform_keys retains unpermitted status" do - assert_not @params.transform_keys { |k| k }.permitted? + assert_not_predicate @params.transform_keys { |k| k }, :permitted? end test "transform_values retains permitted status" do @params.permit! - assert @params.transform_values { |v| v }.permitted? + assert_predicate @params.transform_values { |v| v }, :permitted? end test "transform_values retains unpermitted status" do - assert_not @params.transform_values { |v| v }.permitted? + assert_not_predicate @params.transform_values { |v| v }, :permitted? + end + + test "transform_values converts hashes to parameters" do + @params.transform_values do |value| + assert_kind_of ActionController::Parameters, value + value + end + end + + test "transform_values without block yieds an enumerator" do + assert_kind_of Enumerator, @params.transform_values + end + + test "transform_values! converts hashes to parameters" do + @params.transform_values! do |value| + assert_kind_of ActionController::Parameters, value + end + end + + test "transform_values! without block yields an enumerator" do + assert_kind_of Enumerator, @params.transform_values! + end + + test "value? returns true if the given value is present in the params" do + params = ActionController::Parameters.new(city: "Chicago", state: "Illinois") + assert params.value?("Chicago") + end + + test "value? returns false if the given value is not present in the params" do + params = ActionController::Parameters.new(city: "Chicago", state: "Illinois") + assert_not params.value?("New York") + end + + test "values returns an array of the values of the params" do + params = ActionController::Parameters.new(city: "Chicago", state: "Illinois") + assert_equal ["Chicago", "Illinois"], params.values end test "values_at retains permitted status" do @params.permit! - assert @params.values_at(:person).first.permitted? - assert @params[:person].values_at(:name).first.permitted? + assert_predicate @params.values_at(:person).first, :permitted? + assert_predicate @params[:person].values_at(:name).first, :permitted? end test "values_at retains unpermitted status" do - assert_not @params.values_at(:person).first.permitted? - assert_not @params[:person].values_at(:name).first.permitted? + assert_not_predicate @params.values_at(:person).first, :permitted? + assert_not_predicate @params[:person].values_at(:name).first, :permitted? + end + + test "is equal to Parameters instance with same params" do + params1 = ActionController::Parameters.new(a: 1, b: 2) + params2 = ActionController::Parameters.new(a: 1, b: 2) + assert(params1 == params2) + end + + test "is equal to Parameters instance with same permitted params" do + params1 = ActionController::Parameters.new(a: 1, b: 2).permit(:a) + params2 = ActionController::Parameters.new(a: 1, b: 2).permit(:a) + assert(params1 == params2) + end + + test "is equal to Parameters instance with same different source params, but same permitted params" do + params1 = ActionController::Parameters.new(a: 1, b: 2).permit(:a) + params2 = ActionController::Parameters.new(a: 1, c: 3).permit(:a) + assert(params1 == params2) + assert(params2 == params1) + end + + test "is not equal to an unpermitted Parameters instance with same params" do + params1 = ActionController::Parameters.new(a: 1).permit(:a) + params2 = ActionController::Parameters.new(a: 1) + assert(params1 != params2) + assert(params2 != params1) + end + + test "is not equal to Parameters instance with different permitted params" do + params1 = ActionController::Parameters.new(a: 1, b: 2).permit(:a, :b) + params2 = ActionController::Parameters.new(a: 1, b: 2).permit(:a) + assert(params1 != params2) + assert(params2 != params1) + end + + test "equality with simple types works" do + assert(@params != "Hello") + assert(@params != 42) + assert(@params != false) + end + + test "inspect shows both class name, parameters and permitted flag" do + assert_equal( + '<ActionController::Parameters {"person"=>{"age"=>"32", '\ + '"name"=>{"first"=>"David", "last"=>"Heinemeier Hansson"}, ' \ + '"addresses"=>[{"city"=>"Chicago", "state"=>"Illinois"}]}} permitted: false>', + @params.inspect + ) + end + + test "inspect prints updated permitted flag in the output" do + assert_match(/permitted: false/, @params.inspect) + + @params.permit! + + assert_match(/permitted: true/, @params.inspect) + end + + test "#dig delegates the dig method to its values" do + assert_equal "David", @params.dig(:person, :name, :first) + assert_equal "Chicago", @params.dig(:person, :addresses, 0, :city) + end + + test "#dig converts hashes to parameters" do + assert_kind_of ActionController::Parameters, @params.dig(:person) + assert_kind_of ActionController::Parameters, @params.dig(:person, :addresses, 0) + assert @params.dig(:person, :addresses).all? do |value| + value.is_a?(ActionController::Parameters) + end + end + + test "mutating #dig return value mutates underlying parameters" do + @params.dig(:person, :name)[:first] = "Bill" + assert_equal "Bill", @params.dig(:person, :name, :first) + + @params.dig(:person, :addresses)[0] = { city: "Boston", state: "Massachusetts" } + assert_equal "Boston", @params.dig(:person, :addresses, 0, :city) end end diff --git a/actionpack/test/controller/parameters/always_permitted_parameters_test.rb b/actionpack/test/controller/parameters/always_permitted_parameters_test.rb index 59be08db54..974612fb7b 100644 --- a/actionpack/test/controller/parameters/always_permitted_parameters_test.rb +++ b/actionpack/test/controller/parameters/always_permitted_parameters_test.rb @@ -1,6 +1,7 @@ -require 'abstract_unit' -require 'action_controller/metal/strong_parameters' -require 'minitest/mock' +# frozen_string_literal: true + +require "abstract_unit" +require "action_controller/metal/strong_parameters" class AlwaysPermittedParametersTest < ActiveSupport::TestCase def setup @@ -13,24 +14,17 @@ class AlwaysPermittedParametersTest < ActiveSupport::TestCase ActionController::Parameters.always_permitted_parameters = %w( controller action ) end - test "shows deprecations warning on NEVER_UNPERMITTED_PARAMS" do - assert_deprecated do - ActionController::Parameters::NEVER_UNPERMITTED_PARAMS - end - end - test "returns super on missing constant other than NEVER_UNPERMITTED_PARAMS" do ActionController::Parameters.superclass.stub :const_missing, "super" do assert_equal "super", ActionController::Parameters::NON_EXISTING_CONSTANT end end - test "permits parameters that are whitelisted" do - params = ActionController::Parameters.new({ + test "allows both explicitly listed and always-permitted parameters" do + params = ActionController::Parameters.new( book: { pages: 65 }, - format: "json" - }) + format: "json") permitted = params.permit book: [:pages] - assert permitted.permitted? + assert_predicate permitted, :permitted? end end diff --git a/actionpack/test/controller/parameters/dup_test.rb b/actionpack/test/controller/parameters/dup_test.rb new file mode 100644 index 0000000000..5403fc6d93 --- /dev/null +++ b/actionpack/test/controller/parameters/dup_test.rb @@ -0,0 +1,67 @@ +# frozen_string_literal: true + +require "abstract_unit" +require "action_controller/metal/strong_parameters" +require "active_support/core_ext/object/deep_dup" + +class ParametersDupTest < ActiveSupport::TestCase + setup do + ActionController::Parameters.permit_all_parameters = false + + @params = ActionController::Parameters.new( + person: { + age: "32", + name: { + first: "David", + last: "Heinemeier Hansson" + }, + addresses: [{ city: "Chicago", state: "Illinois" }] + } + ) + end + + test "a duplicate maintains the original's permitted status" do + @params.permit! + dupped_params = @params.dup + assert_predicate dupped_params, :permitted? + end + + test "a duplicate maintains the original's parameters" do + @params.permit! + dupped_params = @params.dup + assert_equal @params.to_h, dupped_params.to_h + end + + test "changes to a duplicate's parameters do not affect the original" do + dupped_params = @params.dup + dupped_params.delete(:person) + assert_not_equal @params, dupped_params + end + + test "changes to a duplicate's permitted status do not affect the original" do + dupped_params = @params.dup + dupped_params.permit! + assert_not_equal @params, dupped_params + end + + test "deep_dup content" do + dupped_params = @params.deep_dup + dupped_params[:person][:age] = "45" + dupped_params[:person][:addresses].clear + + assert_not_equal @params[:person][:age], dupped_params[:person][:age] + assert_not_equal @params[:person][:addresses], dupped_params[:person][:addresses] + end + + test "deep_dup @permitted" do + dupped_params = @params.deep_dup + dupped_params.permit! + + assert_not_predicate @params, :permitted? + end + + test "deep_dup @permitted is being copied" do + @params.permit! + assert_predicate @params.deep_dup, :permitted? + end +end diff --git a/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb b/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb index 9ce04b9aeb..fc9229ca1d 100644 --- a/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb +++ b/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb @@ -1,5 +1,7 @@ -require 'abstract_unit' -require 'action_controller/metal/strong_parameters' +# frozen_string_literal: true + +require "abstract_unit" +require "action_controller/metal/strong_parameters" class LogOnUnpermittedParamsTest < ActiveSupport::TestCase def setup @@ -11,62 +13,58 @@ class LogOnUnpermittedParamsTest < ActiveSupport::TestCase end test "logs on unexpected param" do - params = ActionController::Parameters.new({ + params = ActionController::Parameters.new( book: { pages: 65 }, - fishing: "Turnips" - }) + fishing: "Turnips") - assert_logged("Unpermitted parameter: fishing") do + assert_logged("Unpermitted parameter: :fishing") do params.permit(book: [:pages]) end end test "logs on unexpected params" do - params = ActionController::Parameters.new({ + params = ActionController::Parameters.new( book: { pages: 65 }, fishing: "Turnips", - car: "Mersedes" - }) + car: "Mersedes") - assert_logged("Unpermitted parameters: fishing, car") do + assert_logged("Unpermitted parameters: :fishing, :car") do params.permit(book: [:pages]) end end test "logs on unexpected nested param" do - params = ActionController::Parameters.new({ - book: { pages: 65, title: "Green Cats and where to find then." } - }) + params = ActionController::Parameters.new( + book: { pages: 65, title: "Green Cats and where to find then." }) - assert_logged("Unpermitted parameter: title") do + assert_logged("Unpermitted parameter: :title") do params.permit(book: [:pages]) end end test "logs on unexpected nested params" do - params = ActionController::Parameters.new({ - book: { pages: 65, title: "Green Cats and where to find then.", author: "G. A. Dog" } - }) + params = ActionController::Parameters.new( + book: { pages: 65, title: "Green Cats and where to find then.", author: "G. A. Dog" }) - assert_logged("Unpermitted parameters: title, author") do + assert_logged("Unpermitted parameters: :title, :author") do params.permit(book: [:pages]) end end private - def assert_logged(message) - old_logger = ActionController::Base.logger - log = StringIO.new - ActionController::Base.logger = Logger.new(log) + def assert_logged(message) + old_logger = ActionController::Base.logger + log = StringIO.new + ActionController::Base.logger = Logger.new(log) - begin - yield + begin + yield - log.rewind - assert_match message, log.read - ensure - ActionController::Base.logger = old_logger + log.rewind + assert_match message, log.read + ensure + ActionController::Base.logger = old_logger + end end - end end diff --git a/actionpack/test/controller/parameters/multi_parameter_attributes_test.rb b/actionpack/test/controller/parameters/multi_parameter_attributes_test.rb index 15338059bc..c890839727 100644 --- a/actionpack/test/controller/parameters/multi_parameter_attributes_test.rb +++ b/actionpack/test/controller/parameters/multi_parameter_attributes_test.rb @@ -1,9 +1,11 @@ -require 'abstract_unit' -require 'action_controller/metal/strong_parameters' +# frozen_string_literal: true + +require "abstract_unit" +require "action_controller/metal/strong_parameters" class MultiParameterAttributesTest < ActiveSupport::TestCase test "permitted multi-parameter attribute keys" do - params = ActionController::Parameters.new({ + params = ActionController::Parameters.new( book: { "shipped_at(1i)" => "2012", "shipped_at(2i)" => "3", @@ -15,12 +17,11 @@ class MultiParameterAttributesTest < ActiveSupport::TestCase "published_at(3i)" => "5", "price(1)" => "R$", "price(2f)" => "2.02" - } - }) + }) permitted = params.permit book: [ :shipped_at, :price ] - assert permitted.permitted? + assert_predicate permitted, :permitted? assert_equal "2012", permitted[:book]["shipped_at(1i)"] assert_equal "3", permitted[:book]["shipped_at(2i)"] diff --git a/actionpack/test/controller/parameters/mutators_test.rb b/actionpack/test/controller/parameters/mutators_test.rb index 744d8664be..312b1e5b27 100644 --- a/actionpack/test/controller/parameters/mutators_test.rb +++ b/actionpack/test/controller/parameters/mutators_test.rb @@ -1,99 +1,121 @@ -require 'abstract_unit' -require 'action_controller/metal/strong_parameters' -require 'active_support/core_ext/hash/transform_values' +# frozen_string_literal: true + +require "abstract_unit" +require "action_controller/metal/strong_parameters" class ParametersMutatorsTest < ActiveSupport::TestCase setup do @params = ActionController::Parameters.new( person: { - age: '32', + age: "32", name: { - first: 'David', - last: 'Heinemeier Hansson' + first: "David", + last: "Heinemeier Hansson" }, - addresses: [{city: 'Chicago', state: 'Illinois'}] + addresses: [{ city: "Chicago", state: "Illinois" }] } ) end test "delete retains permitted status" do @params.permit! - assert @params.delete(:person).permitted? + assert_predicate @params.delete(:person), :permitted? end test "delete retains unpermitted status" do - assert_not @params.delete(:person).permitted? + assert_not_predicate @params.delete(:person), :permitted? + end + + test "delete returns the value when the key is present" do + assert_equal "32", @params[:person].delete(:age) + end + + test "delete removes the entry when the key present" do + @params[:person].delete(:age) + assert_not @params[:person].key?(:age) + end + + test "delete returns nil when the key is not present" do + assert_nil @params[:person].delete(:first_name) + end + + test "delete returns the value of the given block when the key is not present" do + assert_equal "David", @params[:person].delete(:first_name) { "David" } + end + + test "delete yields the key to the given block when the key is not present" do + assert_equal "first_name: David", @params[:person].delete(:first_name) { |k| "#{k}: David" } end test "delete_if retains permitted status" do @params.permit! - assert @params.delete_if { |k| k == "person" }.permitted? + assert_predicate @params.delete_if { |k| k == "person" }, :permitted? end test "delete_if retains unpermitted status" do - assert_not @params.delete_if { |k| k == "person" }.permitted? + assert_not_predicate @params.delete_if { |k| k == "person" }, :permitted? end test "extract! retains permitted status" do @params.permit! - assert @params.extract!(:person).permitted? + assert_predicate @params.extract!(:person), :permitted? end test "extract! retains unpermitted status" do - assert_not @params.extract!(:person).permitted? + assert_not_predicate @params.extract!(:person), :permitted? end test "keep_if retains permitted status" do @params.permit! - assert @params.keep_if { |k,v| k == "person" }.permitted? + assert_predicate @params.keep_if { |k, v| k == "person" }, :permitted? end test "keep_if retains unpermitted status" do - assert_not @params.keep_if { |k,v| k == "person" }.permitted? + assert_not_predicate @params.keep_if { |k, v| k == "person" }, :permitted? end test "reject! retains permitted status" do @params.permit! - assert @params.reject! { |k| k == "person" }.permitted? + assert_predicate @params.reject! { |k| k == "person" }, :permitted? end test "reject! retains unpermitted status" do - assert_not @params.reject! { |k| k == "person" }.permitted? + assert_not_predicate @params.reject! { |k| k == "person" }, :permitted? end test "select! retains permitted status" do @params.permit! - assert @params.select! { |k| k != "person" }.permitted? + assert_predicate @params.select! { |k| k != "person" }, :permitted? end test "select! retains unpermitted status" do - assert_not @params.select! { |k| k != "person" }.permitted? + assert_not_predicate @params.select! { |k| k != "person" }, :permitted? end test "slice! retains permitted status" do @params.permit! - assert @params.slice!(:person).permitted? + assert_predicate @params.slice!(:person), :permitted? end test "slice! retains unpermitted status" do - assert_not @params.slice!(:person).permitted? + assert_not_predicate @params.slice!(:person), :permitted? end test "transform_keys! retains permitted status" do @params.permit! - assert @params.transform_keys! { |k| k }.permitted? + assert_predicate @params.transform_keys! { |k| k }, :permitted? end test "transform_keys! retains unpermitted status" do - assert_not @params.transform_keys! { |k| k }.permitted? + assert_not_predicate @params.transform_keys! { |k| k }, :permitted? end test "transform_values! retains permitted status" do @params.permit! - assert @params.transform_values! { |v| v }.permitted? + assert_predicate @params.transform_values! { |v| v }, :permitted? end test "transform_values! retains unpermitted status" do - assert_not @params.transform_values! { |v| v }.permitted? + assert_not_predicate @params.transform_values! { |v| v }, :permitted? end end diff --git a/actionpack/test/controller/parameters/nested_parameters_permit_test.rb b/actionpack/test/controller/parameters/nested_parameters_permit_test.rb new file mode 100644 index 0000000000..1403e224c0 --- /dev/null +++ b/actionpack/test/controller/parameters/nested_parameters_permit_test.rb @@ -0,0 +1,184 @@ +# frozen_string_literal: true + +require "abstract_unit" +require "action_controller/metal/strong_parameters" + +class NestedParametersPermitTest < ActiveSupport::TestCase + def assert_filtered_out(params, key) + assert_not params.has_key?(key), "key #{key.inspect} has not been filtered out" + end + + test "permitted nested parameters" do + params = ActionController::Parameters.new( + book: { + title: "Romeo and Juliet", + authors: [{ + name: "William Shakespeare", + born: "1564-04-26" + }, { + name: "Christopher Marlowe" + }, { + name: %w(malicious injected names) + }], + details: { + pages: 200, + genre: "Tragedy" + }, + id: { + isbn: "x" + } + }, + magazine: "Mjallo!") + + permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages }, :id ] + + assert_predicate permitted, :permitted? + assert_equal "Romeo and Juliet", permitted[:book][:title] + assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] + assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] + assert_equal 200, permitted[:book][:details][:pages] + + assert_filtered_out permitted, :magazine + assert_filtered_out permitted[:book], :id + assert_filtered_out permitted[:book][:details], :genre + assert_filtered_out permitted[:book][:authors][0], :born + assert_filtered_out permitted[:book][:authors][2], :name + end + + test "permitted nested parameters with a string or a symbol as a key" do + params = ActionController::Parameters.new( + book: { + "authors" => [ + { name: "William Shakespeare", born: "1564-04-26" }, + { name: "Christopher Marlowe" } + ] + }) + + permitted = params.permit book: [ { "authors" => [ :name ] } ] + + assert_equal "William Shakespeare", permitted[:book]["authors"][0][:name] + assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] + assert_equal "Christopher Marlowe", permitted[:book]["authors"][1][:name] + assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] + + permitted = params.permit book: [ { authors: [ :name ] } ] + + assert_equal "William Shakespeare", permitted[:book]["authors"][0][:name] + assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] + assert_equal "Christopher Marlowe", permitted[:book]["authors"][1][:name] + assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] + end + + test "nested arrays with strings" do + params = ActionController::Parameters.new( + book: { + genres: ["Tragedy"] + }) + + permitted = params.permit book: { genres: [] } + assert_equal ["Tragedy"], permitted[:book][:genres] + end + + test "permit may specify symbols or strings" do + params = ActionController::Parameters.new( + book: { + title: "Romeo and Juliet", + author: "William Shakespeare" + }, + magazine: "Shakespeare Today") + + permitted = params.permit({ book: ["title", :author] }, "magazine") + assert_equal "Romeo and Juliet", permitted[:book][:title] + assert_equal "William Shakespeare", permitted[:book][:author] + assert_equal "Shakespeare Today", permitted[:magazine] + end + + test "nested array with strings that should be hashes" do + params = ActionController::Parameters.new( + book: { + genres: ["Tragedy"] + }) + + permitted = params.permit book: { genres: :type } + assert_empty permitted[:book][:genres] + end + + test "nested array with strings that should be hashes and additional values" do + params = ActionController::Parameters.new( + book: { + title: "Romeo and Juliet", + genres: ["Tragedy"] + }) + + permitted = params.permit book: [ :title, { genres: :type } ] + assert_equal "Romeo and Juliet", permitted[:book][:title] + assert_empty permitted[:book][:genres] + end + + test "nested string that should be a hash" do + params = ActionController::Parameters.new( + book: { + genre: "Tragedy" + }) + + permitted = params.permit book: { genre: :type } + assert_nil permitted[:book][:genre] + end + + test "fields_for-style nested params" do + params = ActionController::Parameters.new( + book: { + authors_attributes: { + '0': { name: "William Shakespeare", age_of_death: "52" }, + '1': { name: "Unattributed Assistant" }, + '2': { name: %w(injected names) } + } + }) + permitted = params.permit book: { authors_attributes: [ :name ] } + + assert_not_nil permitted[:book][:authors_attributes]["0"] + assert_not_nil permitted[:book][:authors_attributes]["1"] + assert_empty permitted[:book][:authors_attributes]["2"] + assert_equal "William Shakespeare", permitted[:book][:authors_attributes]["0"][:name] + assert_equal "Unattributed Assistant", permitted[:book][:authors_attributes]["1"][:name] + + assert_equal( + { "book" => { "authors_attributes" => { "0" => { "name" => "William Shakespeare" }, "1" => { "name" => "Unattributed Assistant" }, "2" => {} } } }, + permitted.to_h + ) + + assert_filtered_out permitted[:book][:authors_attributes]["0"], :age_of_death + end + + test "fields_for-style nested params with negative numbers" do + params = ActionController::Parameters.new( + book: { + authors_attributes: { + '-1': { name: "William Shakespeare", age_of_death: "52" }, + '-2': { name: "Unattributed Assistant" } + } + }) + permitted = params.permit book: { authors_attributes: [:name] } + + assert_not_nil permitted[:book][:authors_attributes]["-1"] + assert_not_nil permitted[:book][:authors_attributes]["-2"] + assert_equal "William Shakespeare", permitted[:book][:authors_attributes]["-1"][:name] + assert_equal "Unattributed Assistant", permitted[:book][:authors_attributes]["-2"][:name] + + assert_filtered_out permitted[:book][:authors_attributes]["-1"], :age_of_death + end + + test "nested number as key" do + params = ActionController::Parameters.new( + product: { + properties: { + "0" => "prop0", + "1" => "prop1" + } + }) + params = params.require(:product).permit(properties: ["0"]) + assert_not_nil params[:properties]["0"] + assert_nil params[:properties]["1"] + assert_equal "prop0", params[:properties]["0"] + end +end diff --git a/actionpack/test/controller/parameters/nested_parameters_test.rb b/actionpack/test/controller/parameters/nested_parameters_test.rb deleted file mode 100644 index 3b1257e8d5..0000000000 --- a/actionpack/test/controller/parameters/nested_parameters_test.rb +++ /dev/null @@ -1,187 +0,0 @@ -require 'abstract_unit' -require 'action_controller/metal/strong_parameters' - -class NestedParametersTest < ActiveSupport::TestCase - def assert_filtered_out(params, key) - assert !params.has_key?(key), "key #{key.inspect} has not been filtered out" - end - - test "permitted nested parameters" do - params = ActionController::Parameters.new({ - book: { - title: "Romeo and Juliet", - authors: [{ - name: "William Shakespeare", - born: "1564-04-26" - }, { - name: "Christopher Marlowe" - }, { - name: %w(malicious injected names) - }], - details: { - pages: 200, - genre: "Tragedy" - }, - id: { - isbn: 'x' - } - }, - magazine: "Mjallo!" - }) - - permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages }, :id ] - - assert permitted.permitted? - assert_equal "Romeo and Juliet", permitted[:book][:title] - assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] - assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] - assert_equal 200, permitted[:book][:details][:pages] - - assert_filtered_out permitted, :magazine - assert_filtered_out permitted[:book], :id - assert_filtered_out permitted[:book][:details], :genre - assert_filtered_out permitted[:book][:authors][0], :born - assert_filtered_out permitted[:book][:authors][2], :name - end - - test "permitted nested parameters with a string or a symbol as a key" do - params = ActionController::Parameters.new({ - book: { - 'authors' => [ - { name: 'William Shakespeare', born: '1564-04-26' }, - { name: 'Christopher Marlowe' } - ] - } - }) - - permitted = params.permit book: [ { 'authors' => [ :name ] } ] - - assert_equal 'William Shakespeare', permitted[:book]['authors'][0][:name] - assert_equal 'William Shakespeare', permitted[:book][:authors][0][:name] - assert_equal 'Christopher Marlowe', permitted[:book]['authors'][1][:name] - assert_equal 'Christopher Marlowe', permitted[:book][:authors][1][:name] - - permitted = params.permit book: [ { authors: [ :name ] } ] - - assert_equal 'William Shakespeare', permitted[:book]['authors'][0][:name] - assert_equal 'William Shakespeare', permitted[:book][:authors][0][:name] - assert_equal 'Christopher Marlowe', permitted[:book]['authors'][1][:name] - assert_equal 'Christopher Marlowe', permitted[:book][:authors][1][:name] - end - - test "nested arrays with strings" do - params = ActionController::Parameters.new({ - book: { - genres: ["Tragedy"] - } - }) - - permitted = params.permit book: {genres: []} - assert_equal ["Tragedy"], permitted[:book][:genres] - end - - test "permit may specify symbols or strings" do - params = ActionController::Parameters.new({ - book: { - title: "Romeo and Juliet", - author: "William Shakespeare" - }, - magazine: "Shakespeare Today" - }) - - permitted = params.permit({book: ["title", :author]}, "magazine") - assert_equal "Romeo and Juliet", permitted[:book][:title] - assert_equal "William Shakespeare", permitted[:book][:author] - assert_equal "Shakespeare Today", permitted[:magazine] - end - - test "nested array with strings that should be hashes" do - params = ActionController::Parameters.new({ - book: { - genres: ["Tragedy"] - } - }) - - permitted = params.permit book: { genres: :type } - assert_empty permitted[:book][:genres] - end - - test "nested array with strings that should be hashes and additional values" do - params = ActionController::Parameters.new({ - book: { - title: "Romeo and Juliet", - genres: ["Tragedy"] - } - }) - - permitted = params.permit book: [ :title, { genres: :type } ] - assert_equal "Romeo and Juliet", permitted[:book][:title] - assert_empty permitted[:book][:genres] - end - - test "nested string that should be a hash" do - params = ActionController::Parameters.new({ - book: { - genre: "Tragedy" - } - }) - - permitted = params.permit book: { genre: :type } - assert_nil permitted[:book][:genre] - end - - test "fields_for-style nested params" do - params = ActionController::Parameters.new({ - book: { - authors_attributes: { - :'0' => { name: 'William Shakespeare', age_of_death: '52' }, - :'1' => { name: 'Unattributed Assistant' }, - :'2' => { name: %w(injected names)} - } - } - }) - permitted = params.permit book: { authors_attributes: [ :name ] } - - assert_not_nil permitted[:book][:authors_attributes]['0'] - assert_not_nil permitted[:book][:authors_attributes]['1'] - assert_empty permitted[:book][:authors_attributes]['2'] - assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name] - assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name] - - assert_filtered_out permitted[:book][:authors_attributes]['0'], :age_of_death - end - - test "fields_for-style nested params with negative numbers" do - params = ActionController::Parameters.new({ - book: { - authors_attributes: { - :'-1' => { name: 'William Shakespeare', age_of_death: '52' }, - :'-2' => { name: 'Unattributed Assistant' } - } - } - }) - permitted = params.permit book: { authors_attributes: [:name] } - - assert_not_nil permitted[:book][:authors_attributes]['-1'] - assert_not_nil permitted[:book][:authors_attributes]['-2'] - assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name] - assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name] - - assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death - end - - test "nested number as key" do - params = ActionController::Parameters.new({ - product: { - properties: { - '0' => "prop0", - '1' => "prop1" - } - } - }) - params = params.require(:product).permit(:properties => ["0"]) - assert_not_nil params[:properties]["0"] - assert_nil params[:properties]["1"] - assert_equal "prop0", params[:properties]["0"] - end -end diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb index 2ed486516d..d2fa0aa16e 100644 --- a/actionpack/test/controller/parameters/parameters_permit_test.rb +++ b/actionpack/test/controller/parameters/parameters_permit_test.rb @@ -1,42 +1,65 @@ -require 'abstract_unit' -require 'action_dispatch/http/upload' -require 'action_controller/metal/strong_parameters' +# frozen_string_literal: true + +require "abstract_unit" +require "action_dispatch/http/upload" +require "action_controller/metal/strong_parameters" class ParametersPermitTest < ActiveSupport::TestCase def assert_filtered_out(params, key) - assert !params.has_key?(key), "key #{key.inspect} has not been filtered out" + assert_not params.has_key?(key), "key #{key.inspect} has not been filtered out" end setup do @params = ActionController::Parameters.new( person: { - age: '32', + age: "32", name: { - first: 'David', - last: 'Heinemeier Hansson' + first: "David", + last: "Heinemeier Hansson" }, - addresses: [{city: 'Chicago', state: 'Illinois'}] + addresses: [{ city: "Chicago", state: "Illinois" }] } ) @struct_fields = [] %w(0 1 12).each do |number| - ['', 'i', 'f'].each do |suffix| + ["", "i", "f"].each do |suffix| @struct_fields << "sf(#{number}#{suffix})" end end end - test 'if nothing is permitted, the hash becomes empty' do - params = ActionController::Parameters.new(id: '1234') + def walk_permitted(params) + params.each do |k, v| + case v + when ActionController::Parameters + walk_permitted v + when Array + v.each { |x| walk_permitted v } + end + end + end + + test "iteration should not impact permit" do + hash = { "foo" => { "bar" => { "0" => { "baz" => "hello", "zot" => "1" } } } } + params = ActionController::Parameters.new(hash) + + walk_permitted params + + sanitized = params[:foo].permit(bar: [:baz]) + assert_equal({ "0" => { "baz" => "hello" } }, sanitized[:bar].to_unsafe_h) + end + + test "if nothing is permitted, the hash becomes empty" do + params = ActionController::Parameters.new(id: "1234") permitted = params.permit - assert permitted.permitted? - assert permitted.empty? + assert_predicate permitted, :permitted? + assert_empty permitted end - test 'key: permitted scalar values' do - values = ['a', :a, nil] - values += [0, 1.0, 2**128, BigDecimal.new(1)] + test "key: permitted scalar values" do + values = ["a", :a, nil] + values += [0, 1.0, 2**128, BigDecimal(1)] values += [true, false] values += [Date.today, Time.now, DateTime.now] values += [STDOUT, StringIO.new, ActionDispatch::Http::UploadedFile.new(tempfile: __FILE__), @@ -45,25 +68,33 @@ class ParametersPermitTest < ActiveSupport::TestCase values.each do |value| params = ActionController::Parameters.new(id: value) permitted = params.permit(:id) - assert_equal value, permitted[:id] + if value.nil? + assert_nil permitted[:id] + else + assert_equal value, permitted[:id] + end @struct_fields.each do |sf| params = ActionController::Parameters.new(sf => value) permitted = params.permit(:sf) - assert_equal value, permitted[sf] + if value.nil? + assert_nil permitted[sf] + else + assert_equal value, permitted[sf] + end end end end - test 'key: unknown keys are filtered out' do - params = ActionController::Parameters.new(id: '1234', injected: 'injected') + test "key: unknown keys are filtered out" do + params = ActionController::Parameters.new(id: "1234", injected: "injected") permitted = params.permit(:id) - assert_equal '1234', permitted[:id] + assert_equal "1234", permitted[:id] assert_filtered_out permitted, :injected end - test 'key: arrays are filtered out' do - [[], [1], ['1']].each do |array| + test "key: arrays are filtered out" do + [[], [1], ["1"]].each do |array| params = ActionController::Parameters.new(id: array) permitted = params.permit(:id) assert_filtered_out permitted, :id @@ -76,8 +107,8 @@ class ParametersPermitTest < ActiveSupport::TestCase end end - test 'key: hashes are filtered out' do - [{}, {foo: 1}, {foo: 'bar'}].each do |hash| + test "key: hashes are filtered out" do + [{}, { foo: 1 }, { foo: "bar" }].each do |hash| params = ActionController::Parameters.new(id: hash) permitted = params.permit(:id) assert_filtered_out permitted, :id @@ -90,7 +121,7 @@ class ParametersPermitTest < ActiveSupport::TestCase end end - test 'key: non-permitted scalar values are filtered out' do + test "key: non-permitted scalar values are filtered out" do params = ActionController::Parameters.new(id: Object.new) permitted = params.permit(:id) assert_filtered_out permitted, :id @@ -102,51 +133,84 @@ class ParametersPermitTest < ActiveSupport::TestCase end end - test 'key: it is not assigned if not present in params' do - params = ActionController::Parameters.new(name: 'Joe') + test "key: it is not assigned if not present in params" do + params = ActionController::Parameters.new(name: "Joe") permitted = params.permit(:id) - assert !permitted.has_key?(:id) + assert_not permitted.has_key?(:id) end - test 'key to empty array: empty arrays pass' do + test "key to empty array: empty arrays pass" do params = ActionController::Parameters.new(id: []) permitted = params.permit(id: []) assert_equal [], permitted[:id] end - test 'do not break params filtering on nil values' do + test "do not break params filtering on nil values" do params = ActionController::Parameters.new(a: 1, b: [1, 2, 3], c: nil) permitted = params.permit(:a, c: [], b: []) assert_equal 1, permitted[:a] assert_equal [1, 2, 3], permitted[:b] - assert_equal nil, permitted[:c] + assert_nil permitted[:c] end - test 'key to empty array: arrays of permitted scalars pass' do - [['foo'], [1], ['foo', 'bar'], [1, 2, 3]].each do |array| + test "key to empty array: arrays of permitted scalars pass" do + [["foo"], [1], ["foo", "bar"], [1, 2, 3]].each do |array| params = ActionController::Parameters.new(id: array) permitted = params.permit(id: []) assert_equal array, permitted[:id] end end - test 'key to empty array: permitted scalar values do not pass' do - ['foo', 1].each do |permitted_scalar| + test "key to empty array: permitted scalar values do not pass" do + ["foo", 1].each do |permitted_scalar| params = ActionController::Parameters.new(id: permitted_scalar) permitted = params.permit(id: []) assert_filtered_out permitted, :id end end - test 'key to empty array: arrays of non-permitted scalar do not pass' do - [[Object.new], [[]], [[1]], [{}], [{id: '1'}]].each do |non_permitted_scalar| + test "key to empty array: arrays of non-permitted scalar do not pass" do + [[Object.new], [[]], [[1]], [{}], [{ id: "1" }]].each do |non_permitted_scalar| params = ActionController::Parameters.new(id: non_permitted_scalar) permitted = params.permit(id: []) assert_filtered_out permitted, :id end end + test "key to empty hash: arbitrary hashes are permitted" do + params = ActionController::Parameters.new( + username: "fxn", + preferences: { + scheme: "Marazul", + font: { + name: "Source Code Pro", + size: 12 + }, + tabstops: [4, 8, 12, 16], + suspicious: [true, Object.new, false, /yo!/], + dubious: [{ a: :a, b: /wtf!/ }, { c: :c }], + injected: Object.new + }, + hacked: 1 # not a hash + ) + + permitted = params.permit(:username, preferences: {}, hacked: {}) + + assert_equal "fxn", permitted[:username] + assert_equal "Marazul", permitted[:preferences][:scheme] + assert_equal "Source Code Pro", permitted[:preferences][:font][:name] + assert_equal 12, permitted[:preferences][:font][:size] + assert_equal [4, 8, 12, 16], permitted[:preferences][:tabstops] + assert_equal [true, false], permitted[:preferences][:suspicious] + assert_equal :a, permitted[:preferences][:dubious][0][:a] + assert_equal :c, permitted[:preferences][:dubious][1][:c] + + assert_filtered_out permitted[:preferences][:dubious][0], :b + assert_filtered_out permitted[:preferences], :injected + assert_filtered_out permitted, :hacked + end + test "fetch raises ParameterMissing exception" do e = assert_raises(ActionController::ParameterMissing) do @params.fetch :foo @@ -157,20 +221,20 @@ class ParametersPermitTest < ActiveSupport::TestCase test "fetch with a default value of a hash does not mutate the object" do params = ActionController::Parameters.new({}) params.fetch :foo, {} - assert_equal nil, params[:foo] + assert_nil params[:foo] end - test 'hashes in array values get wrapped' do + test "hashes in array values get wrapped" do params = ActionController::Parameters.new(foo: [{}, {}]) params[:foo].each do |hash| - assert !hash.permitted? + assert_not_predicate hash, :permitted? end end # Strong params has an optimization to avoid looping every time you read # a key whose value is an array and building a new object. We check that # optimization here. - test 'arrays are converted at most once' do + test "arrays are converted at most once" do params = ActionController::Parameters.new(foo: [{}]) assert_same params[:foo], params[:foo] end @@ -181,12 +245,12 @@ class ParametersPermitTest < ActiveSupport::TestCase # This test checks that if we push a hash to an array (in-place modification) # the cache does not get fooled, the hash is still wrapped as strong params, # and not permitted. - test 'mutated arrays are detected' do - params = ActionController::Parameters.new(users: [{id: 1}]) + test "mutated arrays are detected" do + params = ActionController::Parameters.new(users: [{ id: 1 }]) permitted = params.permit(users: [:id]) - permitted[:users] << {injected: 1} - assert_not permitted[:users].last.permitted? + permitted[:users] << { injected: 1 } + assert_not_predicate permitted[:users].last, :permitted? end test "fetch doesnt raise ParameterMissing exception if there is a default" do @@ -194,13 +258,91 @@ class ParametersPermitTest < ActiveSupport::TestCase assert_equal "monkey", @params.fetch(:foo) { "monkey" } end + test "fetch doesnt raise ParameterMissing exception if there is a default that is nil" do + assert_nil @params.fetch(:foo, nil) + assert_nil @params.fetch(:foo) { nil } + end + + test "KeyError in fetch block should not be covered up" do + params = ActionController::Parameters.new + e = assert_raises(KeyError) do + params.fetch(:missing_key) { {}.fetch(:also_missing) } + end + assert_match(/:also_missing$/, e.message) + end + test "not permitted is sticky beyond merges" do - assert !@params.merge(a: "b").permitted? + assert_not_predicate @params.merge(a: "b"), :permitted? end test "permitted is sticky beyond merges" do @params.permit! - assert @params.merge(a: "b").permitted? + assert_predicate @params.merge(a: "b"), :permitted? + end + + test "merge with parameters" do + other_params = ActionController::Parameters.new(id: "1234").permit! + merged_params = @params.merge(other_params) + + assert merged_params[:id] + end + + test "not permitted is sticky beyond merge!" do + assert_not_predicate @params.merge!(a: "b"), :permitted? + end + + test "permitted is sticky beyond merge!" do + @params.permit! + assert_predicate @params.merge!(a: "b"), :permitted? + end + + test "merge! with parameters" do + other_params = ActionController::Parameters.new(id: "1234").permit! + @params.merge!(other_params) + + assert_equal "1234", @params[:id] + assert_equal "32", @params[:person][:age] + end + + test "#reverse_merge with parameters" do + default_params = ActionController::Parameters.new(id: "1234", person: {}).permit! + merged_params = @params.reverse_merge(default_params) + + assert_equal "1234", merged_params[:id] + assert_not_predicate merged_params[:person], :empty? + end + + test "#with_defaults is an alias of reverse_merge" do + default_params = ActionController::Parameters.new(id: "1234", person: {}).permit! + merged_params = @params.with_defaults(default_params) + + assert_equal "1234", merged_params[:id] + assert_not_predicate merged_params[:person], :empty? + end + + test "not permitted is sticky beyond reverse_merge" do + assert_not_predicate @params.reverse_merge(a: "b"), :permitted? + end + + test "permitted is sticky beyond reverse_merge" do + @params.permit! + assert_predicate @params.reverse_merge(a: "b"), :permitted? + end + + test "#reverse_merge! with parameters" do + default_params = ActionController::Parameters.new(id: "1234", person: {}).permit! + @params.reverse_merge!(default_params) + + assert_equal "1234", @params[:id] + assert_not_predicate @params[:person], :empty? + end + + test "#with_defaults! is an alias of reverse_merge!" do + default_params = ActionController::Parameters.new(id: "1234", person: {}).permit! + @params.with_defaults!(default_params) + + assert_equal "1234", @params[:id] + assert_not_predicate @params[:person], :empty? end test "modifying the parameters" do @@ -211,28 +353,26 @@ class ParametersPermitTest < ActiveSupport::TestCase assert_equal "Jonas", @params[:person][:family][:brother] end - test "permit state is kept on a dup" do - @params.permit! - assert_equal @params.permitted?, @params.dup.permitted? - end - - test "permit is recursive" do + test "permit! is recursive" do + @params[:nested_array] = [[{ x: 2, y: 3 }, { x: 21, y: 42 }]] @params.permit! - assert @params.permitted? - assert @params[:person].permitted? - assert @params[:person][:name].permitted? - assert @params[:person][:addresses][0].permitted? + assert_predicate @params, :permitted? + assert_predicate @params[:person], :permitted? + assert_predicate @params[:person][:name], :permitted? + assert_predicate @params[:person][:addresses][0], :permitted? + assert_predicate @params[:nested_array][0][0], :permitted? + assert_predicate @params[:nested_array][0][1], :permitted? end test "permitted takes a default value when Parameters.permit_all_parameters is set" do begin ActionController::Parameters.permit_all_parameters = true - params = ActionController::Parameters.new({ person: { + params = ActionController::Parameters.new(person: { age: "32", name: { first: "David", last: "Heinemeier Hansson" } - }}) + }) - assert params.slice(:person).permitted? - assert params[:person][:name].permitted? + assert_predicate params.slice(:person), :permitted? + assert_predicate params[:person][:name], :permitted? ensure ActionController::Parameters.permit_all_parameters = false end @@ -242,18 +382,17 @@ class ParametersPermitTest < ActiveSupport::TestCase assert_equal "32", @params[:person].permit([ :age ])[:age] end - test "to_h returns empty hash on unpermitted params" do - assert @params.to_h.is_a? Hash - assert_not @params.to_h.is_a? ActionController::Parameters - assert @params.to_h.empty? + test "to_h raises UnfilteredParameters on unfiltered params" do + assert_raises(ActionController::UnfilteredParameters) do + @params.to_h + end end test "to_h returns converted hash on permitted params" do @params.permit! - assert @params.to_h.is_a? Hash - assert_not @params.to_h.is_a? ActionController::Parameters - assert_equal @params.to_hash, @params.to_h + assert_instance_of ActiveSupport::HashWithIndifferentAccess, @params.to_h + assert_not_kind_of ActionController::Parameters, @params.to_h end test "to_h returns converted hash when .permit_all_parameters is set" do @@ -261,29 +400,117 @@ class ParametersPermitTest < ActiveSupport::TestCase ActionController::Parameters.permit_all_parameters = true params = ActionController::Parameters.new(crab: "Senjougahara Hitagi") - assert params.to_h.is_a? Hash - assert_not @params.to_h.is_a? ActionController::Parameters + assert_instance_of ActiveSupport::HashWithIndifferentAccess, params.to_h + assert_not_kind_of ActionController::Parameters, params.to_h assert_equal({ "crab" => "Senjougahara Hitagi" }, params.to_h) ensure ActionController::Parameters.permit_all_parameters = false end end - test "to_h returns always permitted parameter on unpermitted params" do - params = ActionController::Parameters.new( - controller: "users", - action: "create", - user: { - name: "Sengoku Nadeko" - } - ) + test "to_hash raises UnfilteredParameters on unfiltered params" do + assert_raises(ActionController::UnfilteredParameters) do + @params.to_hash + end + end + + test "to_hash returns converted hash on permitted params" do + @params.permit! + + assert_instance_of Hash, @params.to_hash + assert_not_kind_of ActionController::Parameters, @params.to_hash + end + + test "parameters can be implicit converted to Hash" do + params = ActionController::Parameters.new + params.permit! + + assert_equal({ a: 1 }, { a: 1 }.merge!(params)) + end - assert_equal({ "controller" => "users", "action" => "create" }, params.to_h) + test "to_hash returns converted hash when .permit_all_parameters is set" do + begin + ActionController::Parameters.permit_all_parameters = true + params = ActionController::Parameters.new(crab: "Senjougahara Hitagi") + + assert_instance_of Hash, params.to_hash + assert_not_kind_of ActionController::Parameters, params.to_hash + assert_equal({ "crab" => "Senjougahara Hitagi" }, params.to_hash) + assert_equal({ "crab" => "Senjougahara Hitagi" }, params) + ensure + ActionController::Parameters.permit_all_parameters = false + end end test "to_unsafe_h returns unfiltered params" do - assert @params.to_h.is_a? Hash - assert_not @params.to_h.is_a? ActionController::Parameters - assert_equal @params.to_hash, @params.to_unsafe_h + assert_instance_of ActiveSupport::HashWithIndifferentAccess, @params.to_unsafe_h + assert_not_kind_of ActionController::Parameters, @params.to_unsafe_h + end + + test "to_unsafe_h returns unfiltered params even after accessing few keys" do + params = ActionController::Parameters.new("f" => { "language_facet" => ["Tibetan"] }) + expected = { "f" => { "language_facet" => ["Tibetan"] } } + + assert_instance_of ActionController::Parameters, params["f"] + assert_equal expected, params.to_unsafe_h + end + + test "to_unsafe_h does not mutate the parameters" do + params = ActionController::Parameters.new("f" => { "language_facet" => ["Tibetan"] }) + params[:f] + + params.to_unsafe_h + + assert_not_predicate params, :permitted? + assert_not_predicate params[:f], :permitted? + end + + test "to_h only deep dups Ruby collections" do + company = Class.new do + attr_reader :dupped + def dup; @dupped = true; end + end.new + + params = ActionController::Parameters.new(prem: { likes: %i( dancing ) }) + assert_equal({ "prem" => { "likes" => %i( dancing ) } }, params.permit!.to_h) + + params = ActionController::Parameters.new(companies: [ company, :acme ]) + assert_equal({ "companies" => [ company, :acme ] }, params.permit!.to_h) + assert_not company.dupped + end + + test "to_unsafe_h only deep dups Ruby collections" do + company = Class.new do + attr_reader :dupped + def dup; @dupped = true; end + end.new + + params = ActionController::Parameters.new(prem: { likes: %i( dancing ) }) + assert_equal({ "prem" => { "likes" => %i( dancing ) } }, params.to_unsafe_h) + + params = ActionController::Parameters.new(companies: [ company, :acme ]) + assert_equal({ "companies" => [ company, :acme ] }, params.to_unsafe_h) + assert_not company.dupped + end + + test "include? returns true when the key is present" do + assert @params.include? :person + assert @params.include? "person" + assert_not @params.include? :gorilla + end + + test "scalar values should be filtered when array or hash is specified" do + params = ActionController::Parameters.new(foo: "bar") + + assert params.permit(:foo).has_key?(:foo) + assert_not params.permit(foo: []).has_key?(:foo) + assert_not params.permit(foo: [:bar]).has_key?(:foo) + assert_not params.permit(foo: :bar).has_key?(:foo) + end + + test "#permitted? is false by default" do + params = ActionController::Parameters.new + + assert_equal false, params.permitted? end end diff --git a/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb b/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb index f9cc9f96f1..4afd3da593 100644 --- a/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb +++ b/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb @@ -1,5 +1,7 @@ -require 'abstract_unit' -require 'action_controller/metal/strong_parameters' +# frozen_string_literal: true + +require "abstract_unit" +require "action_controller/metal/strong_parameters" class RaiseOnUnpermittedParamsTest < ActiveSupport::TestCase def setup @@ -11,10 +13,9 @@ class RaiseOnUnpermittedParamsTest < ActiveSupport::TestCase end test "raises on unexpected params" do - params = ActionController::Parameters.new({ + params = ActionController::Parameters.new( book: { pages: 65 }, - fishing: "Turnips" - }) + fishing: "Turnips") assert_raises(ActionController::UnpermittedParameters) do params.permit(book: [:pages]) @@ -22,9 +23,8 @@ class RaiseOnUnpermittedParamsTest < ActiveSupport::TestCase end test "raises on unexpected nested params" do - params = ActionController::Parameters.new({ - book: { pages: 65, title: "Green Cats and where to find then." } - }) + params = ActionController::Parameters.new( + book: { pages: 65, title: "Green Cats and where to find then." }) assert_raises(ActionController::UnpermittedParameters) do params.permit(book: [:pages]) diff --git a/actionpack/test/controller/parameters/serialization_test.rb b/actionpack/test/controller/parameters/serialization_test.rb new file mode 100644 index 0000000000..7708c8e4fe --- /dev/null +++ b/actionpack/test/controller/parameters/serialization_test.rb @@ -0,0 +1,54 @@ +# frozen_string_literal: true + +require "abstract_unit" +require "action_controller/metal/strong_parameters" + +class ParametersSerializationTest < ActiveSupport::TestCase + setup do + @old_permitted_parameters = ActionController::Parameters.permit_all_parameters + ActionController::Parameters.permit_all_parameters = false + end + + teardown do + ActionController::Parameters.permit_all_parameters = @old_permitted_parameters + end + + test "yaml serialization" do + params = ActionController::Parameters.new(key: :value) + yaml_dump = YAML.dump(params) + assert_match("--- !ruby/object:ActionController::Parameters", yaml_dump) + assert_match(/parameters: !ruby\/hash:ActiveSupport::HashWithIndifferentAccess\n\s+key: :value/, yaml_dump) + assert_match("permitted: false", yaml_dump) + end + + test "yaml deserialization" do + params = ActionController::Parameters.new(key: :value) + roundtripped = YAML.load(YAML.dump(params)) + + assert_equal params, roundtripped + assert_not_predicate roundtripped, :permitted? + end + + test "yaml backwardscompatible with psych 2.0.8 format" do + params = YAML.load <<~end_of_yaml + --- !ruby/hash:ActionController::Parameters + key: :value + end_of_yaml + + assert_equal :value, params[:key] + assert_not_predicate params, :permitted? + end + + test "yaml backwardscompatible with psych 2.0.9+ format" do + params = YAML.load(<<~end_of_yaml) + --- !ruby/hash-with-ivars:ActionController::Parameters + elements: + key: :value + ivars: + :@permitted: false + end_of_yaml + + assert_equal :value, params[:key] + assert_not_predicate params, :permitted? + end +end |