From cbec22ce5783c9530b3e2735a8e13eeeca00e0d2 Mon Sep 17 00:00:00 2001
From: Xavier Noria <fxn@hashref.com>
Date: Sun, 20 Jan 2013 17:59:53 +0100
Subject: strong parameters filters permitted scalars

---
 .../parameters/nested_parameters_test.rb           | 56 +++++++++++++++++-----
 1 file changed, 43 insertions(+), 13 deletions(-)

(limited to 'actionpack/test/controller/parameters/nested_parameters_test.rb')

diff --git a/actionpack/test/controller/parameters/nested_parameters_test.rb b/actionpack/test/controller/parameters/nested_parameters_test.rb
index 6df849c4e2..8aec159499 100644
--- a/actionpack/test/controller/parameters/nested_parameters_test.rb
+++ b/actionpack/test/controller/parameters/nested_parameters_test.rb
@@ -2,6 +2,10 @@ require 'abstract_unit'
 require 'action_controller/metal/strong_parameters'
 
 class NestedParametersTest < ActiveSupport::TestCase
+  def assert_filtered_out(params, key)
+    assert !params.has_key?(key), "key #{key.inspect} has not been filtered out"
+  end
+
   test "permitted nested parameters" do
     params = ActionController::Parameters.new({
       book: {
@@ -11,6 +15,8 @@ class NestedParametersTest < ActiveSupport::TestCase
           born: "1564-04-26"
         }, {
           name: "Christopher Marlowe"
+        }, {
+          :name => %w(malicious injected names)
         }],
         details: {
           pages: 200,
@@ -30,10 +36,12 @@ class NestedParametersTest < ActiveSupport::TestCase
     assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
     assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
     assert_equal 200, permitted[:book][:details][:pages]
-    assert_nil permitted[:book][:id]
-    assert_nil permitted[:book][:details][:genre]
-    assert_nil permitted[:book][:authors][0][:born]
-    assert_nil permitted[:magazine]
+
+    assert_filtered_out permitted, :magazine
+    assert_filtered_out permitted[:book], :id
+    assert_filtered_out permitted[:book][:details], :genre
+    assert_filtered_out permitted[:book][:authors][0], :born
+    assert_filtered_out permitted[:book][:authors][2], :name
   end
 
   test "permitted nested parameters with a string or a symbol as a key" do
@@ -68,7 +76,7 @@ class NestedParametersTest < ActiveSupport::TestCase
       }
     })
 
-    permitted = params.permit :book => :genres
+    permitted = params.permit :book => {:genres => []}
     assert_equal ["Tragedy"], permitted[:book][:genres]
   end
 
@@ -124,19 +132,41 @@ class NestedParametersTest < ActiveSupport::TestCase
 
   test "fields_for-style nested params" do
     params = ActionController::Parameters.new({
-      book: {
-        authors_attributes: {
-          :'0' => { name: 'William Shakespeare', age_of_death: '52' },
-          :'-1' => { name: 'Unattributed Assistant' }
+      :book => {
+        :authors_attributes => {
+          :'0' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'1' => { :name => 'Unattributed Assistant' },
+          :'2' => { :name => %w(injected names)}
         }
       }
     })
-    permitted = params.permit book: { authors_attributes: [ :name ] }
+    permitted = params.permit :book => { :authors_attributes => [ :name ] }
 
     assert_not_nil permitted[:book][:authors_attributes]['0']
-    assert_not_nil permitted[:book][:authors_attributes]['-1']
-    assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
+    assert_not_nil permitted[:book][:authors_attributes]['1']
+    assert_empty permitted[:book][:authors_attributes]['2']
     assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
-    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+
+    assert_filtered_out permitted[:book][:authors_attributes]['0'], :age_of_death
+  end
+
+  test "fields_for-style nested params with negative numbers" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :authors_attributes => {
+          :'-1' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'-2' => { :name => 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit :book => { :authors_attributes => [:name] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['-1']
+    assert_not_nil permitted[:book][:authors_attributes]['-2']
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+
+    assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death
   end
 end
-- 
cgit v1.2.3