aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal/strong_parameters.rb
Commit message (Collapse)AuthorAgeFilesLines
* Fix `ActionController::Parameters#==` bugJon Moss2016-01-211-1/+5
| | | | See bug #21032.
* Link to docs instead of listing methodsschneems2016-01-191-5/+7
|
* Add methods to StrongParametersschneems2016-01-191-1/+1
| | | It's reasonable to expose different value readers.
* [close #23084] Deprecated StrongParametersschneems2016-01-191-0/+16
| | | | We can provide a more flexible upgrade experience by warning users they are using unsafe methods instead of forcing the safe API by deprecating before removal. This PR provides this functionality.
* AC::Parameters#at_json: restore Rails 4.2’s valueclaudiob2016-01-121-1/+2
| | | | | | Fixes #23026 See discussion at #23026
* Unneeded &block parametersAkira Matsuda2016-01-121-2/+2
|
* Fix AC::Parameters#to_unsafe_h to return all unfiltered valuesPrathamesh Sonpatki2015-12-311-6/+6
| | | | | | | - AC::Parameters#convert_parameters_to_hashes should return filtered or unfiltered values based on whether it is called from `to_h` or `to_unsafe_h` instead of always defaulting to `to_h`. - Fixes #22841
* Add AC::Parameters#include?Justin Coyne2015-12-291-1/+1
| | | | Fixes #22818
* Only dup Ruby's Hash and Array.Kasper Timm Hansen2015-12-171-2/+18
| | | | | | | | When calling `to_h` on an `ActionController::Parameters` instance it would `deep_dup` its internal parameters. This inadvertently called `dup` on a passed Active Record model which would create new models. Fix by only dupping Ruby's Arrays and Hashes.
* Make Parameters#to_h and #to_unsafe_h return HWIAPrem Sichanugrist2015-12-141-5/+7
| | | | | | | This makes these two methods to be more inline with the previous behavior of Parameters as Parameters used to be inherited from HWIA. Fixes #21391
* Add missing require to strong_parameters.rbclaudiob2015-12-041-0/+1
| | | | | The file [references Rack::Test here](https://github.com/rails/rails/blame/master/actionpack/lib/action_controller/metal/strong_parameters.rb#L671) so it's better off requiring 'rack/test' in the first place.
* Renamed ‘Return’ to ‘Returns’ [ci skip]Ronak Jangir2015-09-281-1/+1
|
* Remove wrong doc line about AC::Parametersclaudiob2015-09-101-3/+2
| | | | | AC::Parameters does not inherit from HashWithIndifferentAccess since #20868 by @sikachu
* fixes example for consistency [ci skip]Xavier Noria2015-08-291-3/+3
|
* swaps words [ci skip]Xavier Noria2015-08-291-1/+1
|
* revamps the docs of strong params require [ci skip]Xavier Noria2015-08-291-9/+40
| | | | References #19565.
* revises 877e42eXavier Noria2015-08-281-2/+2
| | | | | | | | | | | | | | | | | | | | | | * A string in the example lacked quotes. * The tests asserted stuff about :last_name, whereas test params do not have that key. * But, the first one passed, why? After hitting my head against the wall and doing some obscure rituals realized the new #require had an important typo, wanted to iterate over the array argument (key), but it ran over its own hash keys (method #keys). * Modified the test to prevent the same typo to happen again. * The second test assigned to an unused variable safe_params that has been therefore removed. * Grammar of the second test description. * Since I was on it, reworded both test descriptions.
* [Feature] params.require requires array of paramsGaurish Sharma2015-08-281-0/+8
| | | | | | | | | | | | | | | | | This PR adds ability to accept arrays which allows you to require multiple values in one method. so instead of this: ```ruby params.require(:person).require(:first_name) params.require(:person).require(:last_name) ``` Here it will be one line for each params, so say if I require 10params, it will be 10lines of repeated code which is not dry. So I have added new method which does this in one line: ```ruby params.require(:person).require([:first_name, :last_name]) ``` Comments welcome
* [skip ci] Fix minor typoJon Atack2015-08-171-1/+1
|
* drop conditionals in conversion logicAaron Patterson2015-07-211-7/+5
| | | | | | | there is no reason to `convert_hashes_to_parameters` with an assignemt flag. The caller knows whether or not it wants the value assigned. We should just change the uncommon case (not writing to the underlying hash) to just call the conversion method and return that value.
* rearrange logic to use positive branchesAaron Patterson2015-07-211-4/+6
| | | | | | only hashes are converted to parameter objects, so lets add a branch for them. This also removes a is_a? test for Parameters so we can be abstracted from the class.
* Fix exception overwritten for parameters fetch methodRoque Pinel2015-07-181-3/+7
| | | | | | | | | When executing an `ActionController::Parameters#fetch` with a block that raises a `KeyError` the raised `KeyError` will be rescued and converted to an `ActionController::ParameterMissing` exception, covering up the original exception. [Jonas Schubert Erlandsson & Roque Pinel]
* push fields_for_style? in to a protected methodAaron Patterson2015-07-171-5/+5
| | | | | this way we don't need to call `to_unsafe_h` to get access to ask questions about the underlying hash
* push is_a checks up the stackAaron Patterson2015-07-171-13/+13
| | | | now `hash_filter` doesn't need to know about the `Parameters` class
* remove useless conditionalAaron Patterson2015-07-171-1/+0
| | | | | Since we proved that `element` is always of type `Parameter`, we know that it will always respond to `permit`, so lets remove this conditional
* remove useless conditionalsAaron Patterson2015-07-171-2/+2
| | | | | | | | `element` can never be a hash because: 1. `slice` returns a Parameters object and calls each on it: https://github.com/rails/rails/blob/cb3f25593b1137e344086364d4b1a52c08e8eb3b/actionpack/lib/action_controller/metal/strong_parameters.rb#L656 2. `each` which is implemented by `each_pair` will call `convert_hashes_to_parameters` on the value: https://github.com/rails/rails/blob/cb3f25593b1137e344086364d4b1a52c08e8eb3b/actionpack/lib/action_controller/metal/strong_parameters.rb#L192-197 3. `convert_hashes_to_parameters` will convert any hash objects in to parameters objects: https://github.com/rails/rails/blob/cb3f25593b1137e344086364d4b1a52c08e8eb3b/actionpack/lib/action_controller/metal/strong_parameters.rb#L550-566
* remove useless functionAaron Patterson2015-07-171-8/+2
| | | | | | Now that the value is cached on the stack, `array_of_permitted_scalars_filter` is exactly the same as `array_of_permitted_scalars?`, so lets just have one
* stop passing `params` to `array_of_permitted_scalars_filter`Aaron Patterson2015-07-171-4/+6
| | | | | | this way the method doesn't have to know what the new params object is, it just yields to a block. This change also caches the value of `self[key]` on the stack
* push key checking upAaron Patterson2015-07-171-1/+2
| | | | | | We should disconnect `array_of_permitted_scalars_filter` from the instance so that we can make hash filtering functional. For now, pull the conditional up out of that method
* Standardize `ActionController::Parameters#to_unsafe_h` return valueZoltan Kiss2015-07-151-1/+1
| | | | | | `ActionController::Parameters#to_h` returns a hash, so lets have `ActionController::Parameters#to_unsafe_h` return a hash instead of an `ActiveSupport::HashWithIndifferentAccess` for consistency.
* Update documentation on `AC::Parameters`Prem Sichanugrist2015-07-151-6/+32
|
* Make AC::Parameters not inherited from HashPrem Sichanugrist2015-07-151-28/+99
| | | | | | | | This is another take at #14384 as we decided to wait until `master` is targeting Rails 5.0. This commit is implementation-complete, as it guarantees that all the public methods on the hash-inherited Parameters are still working (based on test case). We can decide to follow-up later if we want to remove some methods out from Parameters.
* Merge pull request #20659 from ↵Yves Senn2015-06-221-2/+4
|\ | | | | | | | | | | vngrs/strong_parameters_unpermitted_parameters_wrong_doc_fix Fix the documentation about ActionController::UnpermittedParameters [ci skip]
| * Fix the documentation about ActionController::UnpermittedParameters [ci skip]Mehmet Emin İNAÇ2015-06-221-2/+4
|/
* Fix the documentation about ActionController::ParameterMissing [ci skip]Mehmet Emin İNAÇ2015-06-221-5/+5
|
* fix missing "if" in API docs for ActionController::Parameters#permitMichael Josephson2015-04-061-1/+1
|
* Return super in ActionController::Parameters.const_missingShuhei Kagawa2015-03-281-1/+1
| | | | | | | | | | | | | | | | | | | | | The current implementation of ActionController::Parameters.const_missing returns `ActionController::Parameters.always_permitted_parameters` even if its `super` returns a constant without raising error. This prevents its subclass in a autoloading module/class from taking advantage of autoloading constants. class SomeParameters < ActionController::Parameters def do_something DefinedSomewhere.do_something end end In the code above, `DefinedSomewhere` is to be autoloaded with `Module.const_missing` but `ActionController::Parameters.const_missing` returns `always_permitted_parameters` instead of the autoloaded constant. This pull request fixes the issue respecting `const_missing`'s `super`.
* Removed non-standard and unused require 'active_support/deprecation' from ↵Vipul A M2015-02-271-1/+0
| | | | parts out of active_support.
* Revert "Merge pull request #18003 from ↵Godfrey Chan2014-12-191-11/+6
| | | | | | | | | | sikachu/permit_all_parameters-thread-safety" This reverts commit da5cc10e945552da54234f858470238a3fc36767. Fixes #18091 See also https://github.com/rails/rails/pull/18003#commitcomment-9030909
* Merge pull request #18006 from sikachu/add-params-to_unsafe_hRafael Mendonça França2014-12-121-0/+6
|\ | | | | Add AC::Parameters#to_unsafe_h
| * Add AC::Parameters#to_unsafe_hPrem Sichanugrist2014-12-121-0/+6
| | | | | | | | | | | | | | | | | | As suggested in #16299([1]), this method should be a new public API for retrieving unfiltered parameters from `ActionController::Parameters` object, given that `Parameters#to_hash` will no longer work in Rails 5.0+ as we stop inheriting `Parameters` from `Hash`. [1]: https://github.com/rails/rails/pull/16299#issuecomment-50220919
* | Make AC::Params.permit_all_parameters thread safePrem Sichanugrist2014-12-121-1/+10
|/ | | | | | | As discussed in #16299[1], this attribute is not thread safe and could potentially create a security issue. [1]: https://github.com/rails/rails/pull/16299#discussion_r15424533
* let's warn with heredocsXavier Noria2014-10-281-4/+7
| | | | | | | | | | | | The current style for warning messages without newlines uses concatenation of string literals with manual trailing spaces where needed. Heredocs have better readability, and with `squish` we can still produce a single line. This is a similar use case to the one that motivated defining `strip_heredoc`, heredocs are super clean.
* User `#to_hash` instead of calling `super`Prem Sichanugrist2014-08-181-1/+1
| | | | Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
* Fix failing test on several methods on ParameterPrem Sichanugrist2014-08-181-1/+25
| | | | | | | * `each` * `each_pair` * `delete` * `select!`
* Refactor code to reduce duplicate `self.class.new`Prem Sichanugrist2014-08-181-12/+10
|
* Add missing `Hash` methods to `AC::Parameters`Prem Sichanugrist2014-08-181-0/+40
| | | | | | | | | | | | This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that needs to be redefined by looking for `self.class.new` in the code. * extract! * transform_keys * transform_values
* Make `AC::Params#to_h` return Hash with safe keysPrem Sichanugrist2014-08-181-0/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`. params = ActionController::Parameters.new(name: 'Senjougahara Hitagi') params.to_h # => {} unsafe_params = params.dup.permit! unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"} safe_params = params.permit(:name) safe_params.to_h # => {"name"=>"Senjougahara Hitagi"} This change is consider a stopgap as we cannot chage the code to stop `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inheriting from `HashWithIndifferentAccess` in the next major version.
* Merge pull request #15933 from rafael/masterRafael Mendonça França2014-06-271-5/+20
|\ | | | | | | | | | | Add always permitted parameters as a configurable option. [Rafael Mendonça França + Gary S. Weaver]
| * Improvements per code review.Rafael Chacón2014-06-271-4/+3
| | | | | | | | | | | | * General style fixes. * Add changes to configuration guide. * Add missing tests.