From 1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Thu, 30 Aug 2012 16:36:59 -0500
Subject: Add config.action_controller.permit_all_attributes to bypass
 StrongParameters protection

---
 railties/test/application/configuration_test.rb | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'railties')

diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index cac9fa3525..ed51949b1e 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -560,6 +560,28 @@ module ApplicationTests
       assert_equal '{"title"=>"foo"}', last_response.body
     end
 
+    test "config.action_controller.permit_all_parameters = true" do
+      app_file 'app/controllers/posts_controller.rb', <<-RUBY
+      class PostsController < ActionController::Base
+        def create
+          render :text => params[:post].permitted? ? "permitted" : "forbidden"
+        end
+      end
+      RUBY
+
+      add_to_config <<-RUBY
+        routes.prepend do
+          resources :posts
+        end
+        config.action_controller.permit_all_parameters = true
+      RUBY
+
+      require "#{app_path}/config/environment"
+
+      post "/posts", {:post => {"title" =>"zomg"}}
+      assert_equal 'permitted', last_response.body
+    end
+
     test "config.action_dispatch.ignore_accept_header" do
       make_basic_app do |app|
         app.config.action_dispatch.ignore_accept_header = true
-- 
cgit v1.2.3