From 66d705b3e7c03f806f7481e0e6a1f157dcf86f83 Mon Sep 17 00:00:00 2001
From: schneems
Date: Tue, 19 Jan 2016 11:45:34 -0600
Subject: [close #23084] Deprecated StrongParameters
We can provide a more flexible upgrade experience by warning users they are using unsafe methods instead of forcing the safe API by deprecating before removal. This PR provides this functionality.
---
 .../lib/action_controller/metal/strong_parameters.rb | 16 ++++++++++++++++
 actionpack/test/controller/required_params_test.rb | 6 ++++++
 2 files changed, 22 insertions(+)
(limited to 'actionpack')
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 5cbf4157a4..043f69b7bc 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -580,6 +580,22 @@ module ActionController
 dup
 end
+ def method_missing(method_sym, *args, &block)
+ if @parameters.respond_to?(method_sym)
+ message = <<-DEPRECATE.squish
+ Method #{ method_sym } is deprecated and will be removed in Rails 5.1, as `ActionController::Parameters` no longer inherit from
+ hash. Using this deprecated behavior exposes potential security problems. if you continue to use this method
+ you may be creating a security vulunerability in your app that can be exploited. Instead, consider using one
+ of these public methods that will not be deprecated:
+ #{ public_methods.inspect }
+ DEPRECATE
+ ActiveSupport::Deprecation.warn(message)
+ @parameters.public_send(method_sym, *args, &block)
+ else
+ super
+ end
+ end
+
 protected
 def permitted=(new_permitted)
 @permitted = new_permitted
diff --git a/actionpack/test/controller/required_params_test.rb b/actionpack/test/controller/required_params_test.rb
index 168f64ce41..129a713564 100644
--- a/actionpack/test/controller/required_params_test.rb
+++ b/actionpack/test/controller/required_params_test.rb
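Review bot: The forwarded call in `method_missing` returns whatever `@parameters.public_send(method_sym, *args, &block)` returns, so a hash-returning method reached this way hands the caller a plain hash with no permitted flag, and in-place mutators such as the `merge!` used in the new test change the underlying store directly. If mass-assignment protection relies on the Parameters wrapper (not visible in this hunk), the deprecated path sidesteps it; wrapping Hash results back into a Parameters object that keeps this instance's permitted state would keep that check in force during the deprecation window. The method also has no matching `respond_to_missing?`, so `respond_to?` reports false for names that are in fact answered; add `def respond_to_missing?(method_sym, include_private = false)` returning `@parameters.respond_to?(method_sym) || super`. The enclosing class begins outside the hunk.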
@@ -65,4 +65,10 @@ class ParametersRequireTest < ActiveSupport::TestCase
 .require([:first_name, :title])
 end
 end
+
+ test "Deprecated method are deprecated" do
+ assert_deprecated do
+ ActionController::Parameters.new(foo: "bar").merge!({bar: "foo"})
+ end
+ end
 end
-- cgit v1.2.3
From 3f2ac413b7c455ca951944da510683f52cb964da Mon Sep 17 00:00:00 2001
From: schneems
Date: Tue, 19 Jan 2016 11:53:27 -0600
Subject: Add methods to StrongParameters
It's reasonable to expose different value readers.
---
 actionpack/lib/action_controller/metal/strong_parameters.rb | 2 +-
 actionpack/test/controller/required_params_test.rb | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
(limited to 'actionpack')
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 043f69b7bc..70b34c2756 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -109,7 +109,7 @@ module ActionController
 cattr_accessor :permit_all_parameters, instance_accessor: false
 cattr_accessor :action_on_unpermitted_parameters, instance_accessor: false
- delegate :keys, :key?, :has_key?, :empty?, :include?, :inspect,
+ delegate :keys, :key?, :has_key?, :values, :has_value?, :value?, :empty?, :include?, :inspect,
 :as_json, to: :@parameters
 # By default, never raise an UnpermittedParameters exception if these
diff --git a/actionpack/test/controller/required_params_test.rb b/actionpack/test/controller/required_params_test.rb
index 129a713564..b6efcd6f9a 100644
--- a/actionpack/test/controller/required_params_test.rb
+++ b/actionpack/test/controller/required_params_test.rb
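Review bot: Delegating `values` straight to `@parameters` returns the stored objects as they are, so if nested parameter groups are kept as plain hashes in `@parameters` (the storage is not visible in this hunk), callers receive them without the Parameters wrapper or its permitted state. `has_value?` and `value?` only return booleans and are fine to delegate. Consider defining `values` explicitly so nested hashes come back converted, and add a nested case such as `ActionController::Parameters.new(user: { name: "x" }).values` to the "value params" test in required_params_test.rb. The `delegate` call continues on the unchanged `:as_json, to: :@parameters` line.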
@@ -66,7 +66,14 @@ class ParametersRequireTest < ActiveSupport::TestCase
 end
 end
- test "Deprecated method are deprecated" do
+ test "value params" do
+ params = ActionController::Parameters.new(foo: "bar", dog: "cinco")
+ assert_equal ["bar", "cinco"], params.values
+ assert params.has_value?("cinco")
+ assert params.value?("cinco")
+ end
+
+ test "Deprecated methods are deprecated" do
 assert_deprecated do
 ActionController::Parameters.new(foo: "bar").merge!({bar: "foo"})
 end
-- cgit v1.2.3
From 875a0b6e4f2a5f0b45a38632b4367aa83d995ac3 Mon Sep 17 00:00:00 2001
From: schneems
Date: Tue, 19 Jan 2016 12:09:58 -0600
Subject: Link to docs instead of listing methods
---
 actionpack/lib/action_controller/metal/strong_parameters.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'actionpack')
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 70b34c2756..e9aa0aae37 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -583,11 +583,13 @@ module ActionController
 def method_missing(method_sym, *args, &block)
 if @parameters.respond_to?(method_sym)
 message = <<-DEPRECATE.squish
- Method #{ method_sym } is deprecated and will be removed in Rails 5.1, as `ActionController::Parameters` no longer inherit from
- hash. Using this deprecated behavior exposes potential security problems. if you continue to use this method
- you may be creating a security vulunerability in your app that can be exploited. Instead, consider using one
- of these public methods that will not be deprecated:
- #{ public_methods.inspect }
+ Method #{ method_sym } is deprecated and will be removed in Rails 5.1,
+ as `ActionController::Parameters` no longer inherits from
+ hash. Using this deprecated behavior exposes potential security
+ problems. If you continue to use this method you may be creating
+ a security vulunerability in your app that can be exploited. Instead,
+ consider using one of these documented methods which are not
+ deprecated: http://api.rubyonrails.org/v#{ActionPack.version}/classes/ActionController/Parameters.html
 DEPRECATE
 ActiveSupport::Deprecation.warn(message)
 @parameters.public_send(method_sym, *args, &block)
-- cgit v1.2.3
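Review bot: The rewritten message still misspells `vulunerability` (should be `vulnerability`) and keeps `hash` lower-case where the class `Hash` is meant, which matters because users will search for this exact string. The link is plain `http://` and is built from `ActionPack.version`; for a pre-release version string the versioned API path may not exist, so confirm the URL resolves or point to an unversioned page. The new `#{ActionPack.version}` interpolation also drops the inner spaces used by `#{ method_sym }` earlier in the same heredoc; pick one form. The body of `method_missing` continues past the end of the hunk.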