| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| |
| |
| |
| | |
vngrs/strong_parameters_unpermitted_parameters_wrong_doc_fix
Fix the documentation about ActionController::UnpermittedParameters [ci skip]
|
|/ |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current implementation of ActionController::Parameters.const_missing
returns `ActionController::Parameters.always_permitted_parameters` even
if its `super` returns a constant without raising error. This prevents its
subclass in a autoloading module/class from taking advantage of
autoloading constants.
class SomeParameters < ActionController::Parameters
def do_something
DefinedSomewhere.do_something
end
end
In the code above, `DefinedSomewhere` is to be autoloaded with
`Module.const_missing` but `ActionController::Parameters.const_missing`
returns `always_permitted_parameters` instead of the autoloaded
constant.
This pull request fixes the issue respecting `const_missing`'s `super`.
|
|
|
|
| |
parts out of active_support.
|
|
|
|
|
|
|
|
|
|
| |
sikachu/permit_all_parameters-thread-safety"
This reverts commit da5cc10e945552da54234f858470238a3fc36767.
Fixes #18091
See also https://github.com/rails/rails/pull/18003#commitcomment-9030909
|
|\
| |
| | |
Add AC::Parameters#to_unsafe_h
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As suggested in #16299([1]), this method should be a new public API for
retrieving unfiltered parameters from `ActionController::Parameters`
object, given that `Parameters#to_hash` will no longer work in Rails
5.0+ as we stop inheriting `Parameters` from `Hash`.
[1]: https://github.com/rails/rails/pull/16299#issuecomment-50220919
|
|/
|
|
|
|
|
| |
As discussed in #16299[1], this attribute is not thread safe and could
potentially create a security issue.
[1]: https://github.com/rails/rails/pull/16299#discussion_r15424533
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current style for warning messages without newlines uses
concatenation of string literals with manual trailing spaces
where needed.
Heredocs have better readability, and with `squish` we can still
produce a single line.
This is a similar use case to the one that motivated defining
`strip_heredoc`, heredocs are super clean.
|
|
|
|
| |
Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
|
|
|
|
|
|
|
| |
* `each`
* `each_pair`
* `delete`
* `select!`
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is to make sure that `permitted` status is maintained on the
resulting object.
I found these methods that needs to be redefined by looking for
`self.class.new` in the code.
* extract!
* transform_keys
* transform_values
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
|
|\
| |
| |
| |
| |
| | |
Add always permitted parameters as a configurable option.
[Rafael Mendonça França + Gary S. Weaver]
|
| |
| |
| |
| |
| |
| | |
* General style fixes.
* Add changes to configuration guide.
* Add missing tests.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* This commit adds back the always_permitted_parameters
configuration option to strong paramaters.
* The initial pull requests where this feature was added
are the following:
- https://github.com/rails/rails/pull/12682
- https://github.com/rails/strong_parameters/pull/174
|
|\ \
| | |
| | |
| | | |
ActionController::Parameters#require now accepts FalseClass values
|
|/ /
| |
| |
| | |
Fixes #15685.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We cannot cache keys because arrays are mutable. We rather want to cache
the arrays. This behaviour is tailor-made for the usage pattern strongs
params is designed for.
In a forthcoming commit I am going to add a test that covers why we need
to cache by value.
Every strong params instance has a live span of a request, the cache goes
away with the object. Since strong params have such a concrete intention,
it would be interesting to see if there are actually any real-world use
cases that are an actual leak, one that practically may matter.
I am not convinced that the theoretical leak has any practical consequences,
but if it can be shown there are, then I believe we should either get rid of
the cache (which is an optimization), or else wipe it in the mutating API.
This reverts commit e63be2769c039e4e9ada523a8497ce3206cc8a9b.
|
| |
| |
| | |
Per convention, underscore-only argument names should be used for unused parameters.
|
| |
| |
| |
| |
| |
| | |
memory leak demonstrated on @tenderlove's latest blog post:
http://tenderlovemaking.com/2014/06/02/yagni-methods-are-killing-me.html
|
| |
| |
| | |
- accepts_nested_attribute_for -> accepts_nested_attributes_for
|
| |
| |
| |
| | |
when only 1 parameter is unpermitted.
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
AC::Parameters#fetch was refactored in 7171111 to prevent self mutation, but
in doing so it hardcodes logic #convert_hashes_to_parameters is supposed to
encapsulate.
Better leave the delegation, and add a way to avoid mutating self in there.
|
| |
| |
| |
| | |
#13382]
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
sebasoga/change_strong_parameters_require_behaviour"
This reverts commit c2b5a8e61ba0f35015e6ac949a5c8fce2042a1f2, reversing
changes made to 1918b12c0429caec2a6134ac5e5b42ade103fe90.
See: https://github.com/rails/rails/pull/9660#issuecomment-27627493
|
|\ \
| | |
| | |
| | |
| | | |
sebasoga/change_strong_parameters_require_behaviour
Change ActionController::Parameters#require behavior when value is empty
|
| | |
| | |
| | |
| | |
| | | |
When the value for the required key is empty an ActionController::ParameterMissing is raised which gets caught by ActionController::Base and turned into a 400 Bad Request reply with a message in the body saying the key is missing, which is misleading.
With these changes, ActionController::EmptyParameter will be raised which ActionController::Base will catch and turn into a 400 Bad Request reply with a message in the body saying the key value is empty.
|
| |/
|/| |
|
| | |
|
| |
| |
| |
| | |
closes #12149
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
|/ |
|
| |
|
| |
|
| |
|
|
|
|
| |
action_on_unpermitted_parameters is present
|
|
|
|
| |
This was a suggestion of @carlosantoniodasilva, thanks!
|
|
|
|
| |
Grep already yields the matching keys to the given block.
|