| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
As suggested in #16299([1]), this method should be a new public API for
retrieving unfiltered parameters from `ActionController::Parameters`
object, given that `Parameters#to_hash` will no longer work in Rails
5.0+ as we stop inheriting `Parameters` from `Hash`.
[1]: https://github.com/rails/rails/pull/16299#issuecomment-50220919
|
|
|
|
|
|
|
| |
* `each`
* `each_pair`
* `delete`
* `select!`
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is to make sure that `permitted` status is maintained on the
resulting object.
I found these methods that needs to be redefined by looking for
`self.class.new` in the code.
* extract!
* transform_keys
* transform_values
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`ActionController::Parameters#to_h` now returns a `Hash` with
unpermitted keys removed. This change is to reflect on a security
concern where some method performed on an `ActionController::Parameters`
may yield a `Hash` object which does not maintain `permitted?` status.
If you would like to get a `Hash` with all the keys intact, duplicate
and mark it as permitted before calling `#to_h`.
params = ActionController::Parameters.new(name: 'Senjougahara Hitagi')
params.to_h # => {}
unsafe_params = params.dup.permit!
unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
safe_params = params.permit(:name)
safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
This change is consider a stopgap as we cannot chage the code to stop
`ActionController::Parameters` to inherit from
`HashWithIndifferentAccess` in the next minor release.
Also, adding a CHANGELOG entry to mention that
`ActionController::Parameters` will not inheriting from
`HashWithIndifferentAccess` in the next major version.
|
|\
| |
| |
| |
| |
| | |
Add always permitted parameters as a configurable option.
[Rafael Mendonça França + Gary S. Weaver]
|
| |
| |
| |
| |
| |
| | |
* General style fixes.
* Add changes to configuration guide.
* Add missing tests.
|
| | |
|
| |
| |
| |
| | |
This is a regression test for 29844dd.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We cannot cache keys because arrays are mutable. We rather want to cache
the arrays. This behaviour is tailor-made for the usage pattern strongs
params is designed for.
In a forthcoming commit I am going to add a test that covers why we need
to cache by value.
Every strong params instance has a live span of a request, the cache goes
away with the object. Since strong params have such a concrete intention,
it would be interesting to see if there are actually any real-world use
cases that are an actual leak, one that practically may matter.
I am not convinced that the theoretical leak has any practical consequences,
but if it can be shown there are, then I believe we should either get rid of
the cache (which is an optimization), or else wipe it in the mutating API.
This reverts commit e63be2769c039e4e9ada523a8497ce3206cc8a9b.
|
| |
| |
| |
| |
| |
| | |
memory leak demonstrated on @tenderlove's latest blog post:
http://tenderlovemaking.com/2014/06/02/yagni-methods-are-killing-me.html
|
| |
| |
| |
| | |
when only 1 parameter is unpermitted.
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
#13382]
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
sebasoga/change_strong_parameters_require_behaviour"
This reverts commit c2b5a8e61ba0f35015e6ac949a5c8fce2042a1f2, reversing
changes made to 1918b12c0429caec2a6134ac5e5b42ade103fe90.
See: https://github.com/rails/rails/pull/9660#issuecomment-27627493
|
|\ \
| | |
| | |
| | |
| | | |
sebasoga/change_strong_parameters_require_behaviour
Change ActionController::Parameters#require behavior when value is empty
|
| | |
| | |
| | |
| | |
| | | |
When the value for the required key is empty an ActionController::ParameterMissing is raised which gets caught by ActionController::Base and turned into a 400 Bad Request reply with a message in the body saying the key is missing, which is misleading.
With these changes, ActionController::EmptyParameter will be raised which ActionController::Base will catch and turn into a 400 Bad Request reply with a message in the body saying the key value is empty.
|
| |/
|/| |
|
| | |
|
|/
|
|
| |
closes #12149
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
https://github.com/rails/rails/commit/cc1c3c5be061e7572018f734e5239750ab449e3f
Now instead of raise, we log by default in development and test
|
| |
|
|
|
|
| |
the discussion on https://github.com/rails/strong_parameters/pull/75.
|
| |
|
| |
|
|
|
|
| |
Also changed the exception to UnpermittedParameters
|
|
|
|
| |
provided.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
all the hash
params.require(:person).permit(:projects_attributes) was returning
=> {"projects_attributes"=>{"0"=>{"name"=>"Project 1"}}}
When should return
=> {}
You should be doing ...
params.require(:person).permit(projects_attributes: :name)
to get just the projects attributes you want to allow
|
|
|
|
|
|
|
| |
This will make easier to permit date/time attributes generated by
helpers like date_select.
[Sven Schwyn + Rafael Mendonça França]
|
| |
|
|
|
| |
* The params as supplied pass born in authors[0] but not authors[1] so it seems like the test isn't covering what it should be covering.
|
| |
|
|
|
|
| |
StrongParameters protection
|
| |
|