path: root/actionpack/test/controller/parameters/parameters_permit_test.rb
Commit message (Author, Age, Files, Lines)
* call `.to_h` to avoid using deprecated method (yuuji.yaginuma, 2016-09-07, 1, -0/+7)
  `ActionController::Parameters#merge` calls `HashWithIndifferentAccess#merge`. In addition, it calls `HashWithIndifferentAccess#update` from `HashWithIndifferentAccess#merge`, where `#to_hash` is called on the argument. But `ActionController::Parameters#to_hash` is deprecated, so a warning message is displayed. To avoid this, convert the object to a `Hash`.
  Fixes #26415
* Add three new rubocop rules (Rafael Mendonça França, 2016-08-16, 1, -9/+9)
  Style/SpaceBeforeBlockBraces
  Style/SpaceInsideBlockBraces
  Style/SpaceInsideHashLiteralBraces
  Fix all violations in the repository.
* applies remaining conventions across the project (Xavier Noria, 2016-08-06, 1, -1/+1)
* remove redundant curlies from hash arguments (Xavier Noria, 2016-08-06, 1, -2/+2)
* applies new string literal convention in actionpack/test (Xavier Noria, 2016-08-06, 1, -42/+42)
  The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Remove duplicate test and fix a typo in the test (Prathamesh Sonpatki, 2016-07-12, 1, -5/+0)
  - Tests for dup'ing params were separately added in a separate file in https://github.com/rails/rails/pull/25735.
* `params.permitted?` is false by default (Jon Moss, 2016-06-23, 1, -0/+6)
  In the docs:
  "+permit_all_parameters+ - If it's +true+, all the parameters will be permitted by default. The default is +false+."
* Filter scalar values when params permit hashes or arrays (Sean Griffin, 2016-04-15, 1, -0/+9)
  This brings the behavior more in line with other similar cases, such as receiving a hash when an array of scalars was expected. Prior to this commit, the key would be present, but the value would be `nil`
* fields_for_style needs to test for AC::Parameters (Aaron Patterson, 2016-02-17, 1, -0/+21)
  While iterating an AC::Parameters object, the object will mutate itself and stick AC::Parameters objects where there used to be hashes:
  https://github.com/rails/rails/blob/f57092ad728fa1de06c4f5fd9d09dcc2c4738fd9/actionpack/lib/action_controller/metal/strong_parameters.rb#L632
  If you use `permit` after this iteration, the `fields_for_style` method wouldn't return true because the child objects are now AC::Parameters objects rather than Hashes.
  fixes #23701
* test `include?`- fix typo (Akshay Vishnoi, 2016-01-09, 1, -1/+1)
* Merge pull request #22850 from prathamesh-sonpatki/fix_ac_params_unsafe_h_2 (Kasper Timm Hansen, 2015-12-31, 1, -0/+8)
|\    Fix AC::Parameters#to_unsafe_h to return all unfiltered values
| * Fix AC::Parameters#to_unsafe_h to return all unfiltered values (Prathamesh Sonpatki, 2015-12-31, 1, -0/+8)
| |   - AC::Parameters#convert_parameters_to_hashes should return filtered or unfiltered values based on whether it is called from `to_h` or `to_unsafe_h` instead of always defaulting to `to_h`.
| |   - Fixes #22841
* | Fix test for AC::Parameters#to_unsafe_h (Prathamesh Sonpatki, 2015-12-30, 1, -2/+2)
|/    - Test should call `to_unsafe_h` instead of `to_h`
* Add AC::Parameters#include? (Justin Coyne, 2015-12-29, 1, -0/+6)
  Fixes #22818
* Only dup Ruby's Hash and Array. (Kasper Timm Hansen, 2015-12-17, 1, -0/+28)
  When calling `to_h` on an `ActionController::Parameters` instance it would `deep_dup` its internal parameters. This inadvertently called `dup` on a passed Active Record model which would create new models.
  Fix by only dupping Ruby's Arrays and Hashes.
* Make Parameters#to_h and #to_unsafe_h return HWIA (Prem Sichanugrist, 2015-12-14, 1, -4/+4)
  This makes these two methods more in line with the previous behavior of Parameters as Parameters used to be inherited from HWIA.
  Fixes #21391
* Fix state being carried over from previous transaction (Roque Pinel, 2015-07-20, 1, -1/+1)
  This clears the transaction record state when the transaction finishes with a `:committed` status.
  Considering the following example where `name` is a required attribute. Before we had `new_record?` returning `true` for a persisted record:

  ```ruby
  author = Author.create! name: 'foo'
  author.name = nil
  author.save        # => false
  author.new_record? # => true
  ```

* Fix exception overwritten for parameters fetch method (Roque Pinel, 2015-07-18, 1, -0/+13)
  When executing an `ActionController::Parameters#fetch` with a block that raises a `KeyError` the raised `KeyError` will be rescued and converted to an `ActionController::ParameterMissing` exception, covering up the original exception.
  [Jonas Schubert Erlandsson & Roque Pinel]
* Make AC::Parameters not inherited from Hash (Prem Sichanugrist, 2015-07-15, 1, -2/+0)
  This is another take at #14384 as we decided to wait until `master` is targeting Rails 5.0. This commit is implementation-complete, as it guarantees that all the public methods on the hash-inherited Parameters are still working (based on test case).
  We can decide to follow-up later if we want to remove some methods out from Parameters.
* Add AC::Parameters#to_unsafe_h (Prem Sichanugrist, 2014-12-12, 1, -0/+6)
  As suggested in #16299([1]), this method should be a new public API for retrieving unfiltered parameters from `ActionController::Parameters` object, given that `Parameters#to_hash` will no longer work in Rails 5.0+ as we stop inheriting `Parameters` from `Hash`.
  [1]: https://github.com/rails/rails/pull/16299#issuecomment-50220919
* Separate Parameters accessors and mutators tests (Prem Sichanugrist, 2014-08-18, 1, -57/+0)
* Add missing `Hash` methods to `AC::Parameters` (Prem Sichanugrist, 2014-08-18, 1, -0/+21)
  This is to make sure that `permitted` status is maintained on the resulting object.
  I found these methods that need to be redefined by looking for `self.class.new` in the code.
    * extract!
    * transform_keys
    * transform_values
* Make `AC::Params#to_h` return Hash with safe keys (Prem Sichanugrist, 2014-08-18, 1, -0/+39)
  `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`.

  ```ruby
  params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
  params.to_h # => {}

  unsafe_params = params.dup.permit!
  unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}

  safe_params = params.permit(:name)
  safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
  ```

  This change is considered a stopgap as we cannot change the code to stop `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` in the next minor release.
  Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not be inheriting from `HashWithIndifferentAccess` in the next major version.
* adds some details to the rationale of converted_arrays [ci skip] (Xavier Noria, 2014-06-07, 1, -1/+1)
* adds a regression test for the strong params converted arrays cache (Xavier Noria, 2014-06-07, 1, -1/+18)
  This is a regression test for 29844dd.
* Revert "Convert StrongParameters cache to a hash. This fixes an unbounded" (Xavier Noria, 2014-06-07, 1, -1/+1)
  We cannot cache keys because arrays are mutable. We rather want to cache the arrays. This behaviour is tailor-made for the usage pattern strong params is designed for.
  In a forthcoming commit I am going to add a test that covers why we need to cache by value.
  Every strong params instance has a life span of a request, the cache goes away with the object. Since strong params have such a concrete intention, it would be interesting to see if there are actually any real-world use cases that are an actual leak, one that practically may matter.
  I am not convinced that the theoretical leak has any practical consequences, but if it can be shown there are, then I believe we should either get rid of the cache (which is an optimization), or else wipe it in the mutating API.
  This reverts commit e63be2769c039e4e9ada523a8497ce3206cc8a9b.
* Convert StrongParameters cache to a hash. This fixes an unbounded (Ryan Davis, 2014-06-03, 1, -1/+1)
  memory leak demonstrated on @tenderlove's latest blog post:
  http://tenderlovemaking.com/2014/06/02/yagni-methods-are-killing-me.html
* AC::Parameters#permit! permits hashes in array values (Xavier Noria, 2013-12-23, 1, -3/+11)
* optimizes array conversion in AC::Parameters (Xavier Noria, 2013-12-21, 1, -0/+5)
* converts hashes in arrays of unfiltered params to unpermitted params [fixes #13382] (Xavier Noria, 2013-12-21, 1, -0/+7)
* don't mutate hash with fetch (Doug Cole, 2013-10-26, 1, -0/+6)
* do not break params filtering on nil values (Vasiliy Ermolovich, 2013-09-07, 1, -0/+9)
  closes #12149
* Rack::Test::UploadedFile is a permitted scalar (Fabio Kreusch, 2013-02-21, 1, -1/+2)
* ActionDispatch::Http::UploadedFile is a permitted scalar [Closes #9051] (Xavier Noria, 2013-01-23, 1, -1/+2)
* Let's keep using Ruby 1.9 syntax (Rafael Mendonça França, 2013-01-22, 1, -17/+17)
* Add missing assert calls (Carlos Antonio da Silva, 2013-01-20, 1, -2/+2)
* strong parameters filters permitted scalars (Xavier Noria, 2013-01-20, 1, -4/+121)
* Test that permitted? is sticky on accessors, mutators, and merges (Benjamin Quorning, 2012-11-06, 1, -0/+24)
* Test that not permitted is sticky on #except (Benjamin Quorning, 2012-11-06, 1, -0/+1)
* Current tests are testing stickiness of non-permitted parameters (Benjamin Quorning, 2012-11-06, 1, -3/+3)
* Fix buggy tests (Benjamin Quorning, 2012-11-06, 1, -4/+4)
* No need for the debugger (David Heinemeier Hansson, 2012-10-31, 1, -1/+0)
* Allow #permit to take its list of permitted parameters as an array (David Heinemeier Hansson, 2012-10-31, 1, -0/+5)
* Cleanup trailing whitespaces (dfens, 2012-10-12, 1, -1/+1)
* ActionController::Parameters#permit! is recursive (Brendan Loudermilk, 2012-10-04, 1, -0/+7)
* Add config.action_controller.permit_all_attributes to bypass StrongParameters protection (Guillermo Iguaran, 2012-09-16, 1, -0/+14)
* Change tainted/untainted wording to permitted/forbidden (Guillermo Iguaran, 2012-09-16, 1, -0/+59)