aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller/parameters/parameters_permit_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Seperate Parameters accessors and mutators testsPrem Sichanugrist2014-08-181-57/+0
|
* Add missing `Hash` methods to `AC::Parameters`Prem Sichanugrist2014-08-181-0/+21
| | | | | | | | | | | | This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that needs to be redefined by looking for `self.class.new` in the code. * extract! * transform_keys * transform_values
* Make `AC::Params#to_h` return Hash with safe keysPrem Sichanugrist2014-08-181-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`. params = ActionController::Parameters.new(name: 'Senjougahara Hitagi') params.to_h # => {} unsafe_params = params.dup.permit! unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"} safe_params = params.permit(:name) safe_params.to_h # => {"name"=>"Senjougahara Hitagi"} This change is consider a stopgap as we cannot chage the code to stop `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inheriting from `HashWithIndifferentAccess` in the next major version.
* adds some details to the rationale of converted_arrays [ci skip]Xavier Noria2014-06-071-1/+1
|
* adds a regression test for the strong params converted arrays cacheXavier Noria2014-06-071-1/+18
| | | | This is a regression test for 29844dd.
* Revert "Convert StrongParameters cache to a hash. This fixes an unbounded"Xavier Noria2014-06-071-1/+1
| | | | | | | | | | | | | | | | | | | | We cannot cache keys because arrays are mutable. We rather want to cache the arrays. This behaviour is tailor-made for the usage pattern strongs params is designed for. In a forthcoming commit I am going to add a test that covers why we need to cache by value. Every strong params instance has a live span of a request, the cache goes away with the object. Since strong params have such a concrete intention, it would be interesting to see if there are actually any real-world use cases that are an actual leak, one that practically may matter. I am not convinced that the theoretical leak has any practical consequences, but if it can be shown there are, then I believe we should either get rid of the cache (which is an optimization), or else wipe it in the mutating API. This reverts commit e63be2769c039e4e9ada523a8497ce3206cc8a9b.
* Convert StrongParameters cache to a hash. This fixes an unboundedRyan Davis2014-06-031-1/+1
| | | | | | memory leak demonstrated on @tenderlove's latest blog post: http://tenderlovemaking.com/2014/06/02/yagni-methods-are-killing-me.html
* AC::Parameters#permit! permits hashes in array valuesXavier Noria2013-12-231-3/+11
|
* optimizes array conversion in AC::ParametersXavier Noria2013-12-211-0/+5
|
* converts hashes in arrays of unfiltered params to unpermitted params [fixes ↵Xavier Noria2013-12-211-0/+7
| | | | #13382]
* don't mutate hash with fetchDoug Cole2013-10-261-0/+6
|
* do not break params filtering on nil valuesVasiliy Ermolovich2013-09-071-0/+9
| | | | closes #12149
* Rack::Test::UploadedFile is a permitted scalarFabio Kreusch2013-02-211-1/+2
|
* ActionDispatch::Http::UploadedFile is a permitted scalar [Closes #9051]Xavier Noria2013-01-231-1/+2
|
* Lets kepp using Ruby 1.9 syntaxRafael Mendonça França2013-01-221-17/+17
|
* Add missing assert callsCarlos Antonio da Silva2013-01-201-2/+2
|
* strong parameters filters permitted scalarsXavier Noria2013-01-201-4/+121
|
* Test that permitted? is sticky on accessors, mutators, and mergesBenjamin Quorning2012-11-061-0/+24
|
* Test that not permitted is sticky on #exceptBenjamin Quorning2012-11-061-0/+1
|
* Current tests are testing stickiness of non-permitted parametersBenjamin Quorning2012-11-061-3/+3
|
* Fix buggy testsBenjamin Quorning2012-11-061-4/+4
|
* No need for the debuggerDavid Heinemeier Hansson2012-10-311-1/+0
|
* Allow #permit to take its list of permitted parameters as an arrayDavid Heinemeier Hansson2012-10-311-0/+5
|
* Cleanup trailing whitespacesdfens2012-10-121-1/+1
|
* ActionController::Parameters#permit! is recursiveBrendan Loudermilk2012-10-041-0/+7
|
* Add config.action_controller.permit_all_attributes to bypass ↵Guillermo Iguaran2012-09-161-0/+14
| | | | StrongParameters protection
* Change tainted/untainted wording to permitted/forbiddenGuillermo Iguaran2012-09-161-0/+59