| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
See bug #21032.
|
| |
|
|
|
| |
It's reasonable to expose different value readers.
|
|
|
|
| |
We can provide a more flexible upgrade experience by warning users they are using unsafe methods instead of forcing the safe API by deprecating before removal. This PR provides this functionality.
|
|
|
|
|
|
| |
Fixes #23026
See discussion at #23026
|
| |
|
|
|
|
|
|
|
| |
- AC::Parameters#convert_parameters_to_hashes should return filtered or
unfiltered values based on whether it is called from `to_h` or `to_unsafe_h`
instead of always defaulting to `to_h`.
- Fixes #22841
|
|
|
|
| |
Fixes #22818
|
|
|
|
|
|
|
|
| |
When calling `to_h` on an `ActionController::Parameters` instance it would
`deep_dup` its internal parameters.
This inadvertently called `dup` on a passed Active Record model which would
create new models. Fix by only dupping Ruby's Arrays and Hashes.
|
|
|
|
|
|
|
| |
This makes these two methods to be more inline with the previous
behavior of Parameters as Parameters used to be inherited from HWIA.
Fixes #21391
|
|
|
|
|
| |
The file [references Rack::Test here](https://github.com/rails/rails/blame/master/actionpack/lib/action_controller/metal/strong_parameters.rb#L671)
so it's better off requiring 'rack/test' in the first place.
|
| |
|
|
|
|
|
| |
AC::Parameters does not inherit from HashWithIndifferentAccess
since #20868 by @sikachu
|
| |
|
| |
|
|
|
|
| |
References #19565.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* A string in the example lacked quotes.
* The tests asserted stuff about :last_name, whereas
test params do not have that key.
* But, the first one passed, why? After hitting my head against
the wall and doing some obscure rituals realized the new
#require had an important typo, wanted to iterate over the
array argument (key), but it ran over its own hash keys
(method #keys).
* Modified the test to prevent the same typo to happen again.
* The second test assigned to an unused variable safe_params
that has been therefore removed.
* Grammar of the second test description.
* Since I was on it, reworded both test descriptions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This PR adds ability to accept arrays which allows you to require multiple values in one method. so instead of this:
```ruby
params.require(:person).require(:first_name)
params.require(:person).require(:last_name)
```
Here it will be one line for each params, so say if I require 10params, it will be 10lines of repeated code which is not dry. So I have added new method which does this in one line:
```ruby
params.require(:person).require([:first_name, :last_name])
```
Comments welcome
|
| |
|
|
|
|
|
|
|
| |
there is no reason to `convert_hashes_to_parameters` with an assignemt
flag. The caller knows whether or not it wants the value assigned. We
should just change the uncommon case (not writing to the underlying
hash) to just call the conversion method and return that value.
|
|
|
|
|
|
| |
only hashes are converted to parameter objects, so lets add a branch for
them. This also removes a is_a? test for Parameters so we can be
abstracted from the class.
|
|
|
|
|
|
|
|
|
| |
When executing an `ActionController::Parameters#fetch` with a block
that raises a `KeyError` the raised `KeyError` will be rescued and
converted to an `ActionController::ParameterMissing` exception,
covering up the original exception.
[Jonas Schubert Erlandsson & Roque Pinel]
|
|
|
|
|
| |
this way we don't need to call `to_unsafe_h` to get access to ask
questions about the underlying hash
|
|
|
|
| |
now `hash_filter` doesn't need to know about the `Parameters` class
|
|
|
|
|
| |
Since we proved that `element` is always of type `Parameter`, we know
that it will always respond to `permit`, so lets remove this conditional
|
|
|
|
|
|
|
|
| |
`element` can never be a hash because:
1. `slice` returns a Parameters object and calls each on it: https://github.com/rails/rails/blob/cb3f25593b1137e344086364d4b1a52c08e8eb3b/actionpack/lib/action_controller/metal/strong_parameters.rb#L656
2. `each` which is implemented by `each_pair` will call `convert_hashes_to_parameters` on the value: https://github.com/rails/rails/blob/cb3f25593b1137e344086364d4b1a52c08e8eb3b/actionpack/lib/action_controller/metal/strong_parameters.rb#L192-197
3. `convert_hashes_to_parameters` will convert any hash objects in to parameters objects: https://github.com/rails/rails/blob/cb3f25593b1137e344086364d4b1a52c08e8eb3b/actionpack/lib/action_controller/metal/strong_parameters.rb#L550-566
|
|
|
|
|
|
| |
Now that the value is cached on the stack,
`array_of_permitted_scalars_filter` is exactly the same as
`array_of_permitted_scalars?`, so lets just have one
|
|
|
|
|
|
| |
this way the method doesn't have to know what the new params object is,
it just yields to a block. This change also caches the value of
`self[key]` on the stack
|
|
|
|
|
|
| |
We should disconnect `array_of_permitted_scalars_filter` from the
instance so that we can make hash filtering functional. For now, pull
the conditional up out of that method
|
|
|
|
|
|
| |
`ActionController::Parameters#to_h` returns a hash, so lets have
`ActionController::Parameters#to_unsafe_h` return a hash instead of
an `ActiveSupport::HashWithIndifferentAccess` for consistency.
|
| |
|
|
|
|
|
|
|
|
| |
This is another take at #14384 as we decided to wait until `master` is
targeting Rails 5.0. This commit is implementation-complete, as it
guarantees that all the public methods on the hash-inherited Parameters
are still working (based on test case). We can decide to follow-up later
if we want to remove some methods out from Parameters.
|
|\
| |
| |
| |
| |
| | |
vngrs/strong_parameters_unpermitted_parameters_wrong_doc_fix
Fix the documentation about ActionController::UnpermittedParameters [ci skip]
|
|/ |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current implementation of ActionController::Parameters.const_missing
returns `ActionController::Parameters.always_permitted_parameters` even
if its `super` returns a constant without raising error. This prevents its
subclass in a autoloading module/class from taking advantage of
autoloading constants.
class SomeParameters < ActionController::Parameters
def do_something
DefinedSomewhere.do_something
end
end
In the code above, `DefinedSomewhere` is to be autoloaded with
`Module.const_missing` but `ActionController::Parameters.const_missing`
returns `always_permitted_parameters` instead of the autoloaded
constant.
This pull request fixes the issue respecting `const_missing`'s `super`.
|
|
|
|
| |
parts out of active_support.
|
|
|
|
|
|
|
|
|
|
| |
sikachu/permit_all_parameters-thread-safety"
This reverts commit da5cc10e945552da54234f858470238a3fc36767.
Fixes #18091
See also https://github.com/rails/rails/pull/18003#commitcomment-9030909
|
|\
| |
| | |
Add AC::Parameters#to_unsafe_h
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As suggested in #16299([1]), this method should be a new public API for
retrieving unfiltered parameters from `ActionController::Parameters`
object, given that `Parameters#to_hash` will no longer work in Rails
5.0+ as we stop inheriting `Parameters` from `Hash`.
[1]: https://github.com/rails/rails/pull/16299#issuecomment-50220919
|
|/
|
|
|
|
|
| |
As discussed in #16299[1], this attribute is not thread safe and could
potentially create a security issue.
[1]: https://github.com/rails/rails/pull/16299#discussion_r15424533
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current style for warning messages without newlines uses
concatenation of string literals with manual trailing spaces
where needed.
Heredocs have better readability, and with `squish` we can still
produce a single line.
This is a similar use case to the one that motivated defining
`strip_heredoc`, heredocs are super clean.
|
|
|
|
| |
Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
|
|
|
|
|
|
|
| |
* `each`
* `each_pair`
* `delete`
* `select!`
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is to make sure that `permitted` status is maintained on the
resulting object.
I found these methods that needs to be redefined by looking for
`self.class.new` in the code.
* extract!
* transform_keys
* transform_values
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
|
|\
| |
| |
| |
| |
| | |
Add always permitted parameters as a configurable option.
[Rafael Mendonça França + Gary S. Weaver]
|
| |
| |
| |
| |
| |
| | |
* General style fixes.
* Add changes to configuration guide.
* Add missing tests.
|