require "abstract_unit" require "action_controller/metal/strong_parameters" class NestedParametersPermitTest < ActiveSupport::TestCase def assert_filtered_out(params, key) assert !params.has_key?(key), "key #{key.inspect} has not been filtered out" end test "permitted nested parameters" do params = ActionController::Parameters.new({ book: { title: "Romeo and Juliet", authors: [{ name: "William Shakespeare", born: "1564-04-26" }, { name: "Christopher Marlowe" }, { name: %w(malicious injected names) }], details: { pages: 200, genre: "Tragedy" }, id: { isbn: "x" } }, magazine: "Mjallo!" }) permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages }, :id ] assert permitted.permitted? assert_equal "Romeo and Juliet", permitted[:book][:title] assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] assert_equal 200, permitted[:book][:details][:pages] assert_filtered_out permitted, :magazine assert_filtered_out permitted[:book], :id assert_filtered_out permitted[:book][:details], :genre assert_filtered_out permitted[:book][:authors][0], :born assert_filtered_out permitted[:book][:authors][2], :name end test "permitted nested parameters with a string or a symbol as a key" do params = ActionController::Parameters.new({ book: { "authors" => [ { name: "William Shakespeare", born: "1564-04-26" }, { name: "Christopher Marlowe" } ] } }) permitted = params.permit book: [ { "authors" => [ :name ] } ] assert_equal "William Shakespeare", permitted[:book]["authors"][0][:name] assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] assert_equal "Christopher Marlowe", permitted[:book]["authors"][1][:name] assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] permitted = params.permit book: [ { authors: [ :name ] } ] assert_equal "William Shakespeare", permitted[:book]["authors"][0][:name] assert_equal "William Shakespeare", permitted[:book][:authors][0][:name] assert_equal "Christopher Marlowe", permitted[:book]["authors"][1][:name] assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name] end test "nested arrays with strings" do params = ActionController::Parameters.new({ book: { genres: ["Tragedy"] } }) permitted = params.permit book: {genres: []} assert_equal ["Tragedy"], permitted[:book][:genres] end test "permit may specify symbols or strings" do params = ActionController::Parameters.new({ book: { title: "Romeo and Juliet", author: "William Shakespeare" }, magazine: "Shakespeare Today" }) permitted = params.permit({book: ["title", :author]}, "magazine") assert_equal "Romeo and Juliet", permitted[:book][:title] assert_equal "William Shakespeare", permitted[:book][:author] assert_equal "Shakespeare Today", permitted[:magazine] end test "nested array with strings that should be hashes" do params = ActionController::Parameters.new({ book: { genres: ["Tragedy"] } }) permitted = params.permit book: { genres: :type } assert_empty permitted[:book][:genres] end test "nested array with strings that should be hashes and additional values" do params = ActionController::Parameters.new({ book: { title: "Romeo and Juliet", genres: ["Tragedy"] } }) permitted = params.permit book: [ :title, { genres: :type } ] assert_equal "Romeo and Juliet", permitted[:book][:title] assert_empty permitted[:book][:genres] end test "nested string that should be a hash" do params = ActionController::Parameters.new({ book: { genre: "Tragedy" } }) permitted = params.permit book: { genre: :type } assert_nil permitted[:book][:genre] end test "fields_for-style nested params" do params = ActionController::Parameters.new({ book: { authors_attributes: { :'0' => { name: "William Shakespeare", age_of_death: "52" }, :'1' => { name: "Unattributed Assistant" }, :'2' => { name: %w(injected names) } } } }) permitted = params.permit book: { authors_attributes: [ :name ] } assert_not_nil permitted[:book][:authors_attributes]["0"] assert_not_nil permitted[:book][:authors_attributes]["1"] assert_empty permitted[:book][:authors_attributes]["2"] assert_equal "William Shakespeare", permitted[:book][:authors_attributes]["0"][:name] assert_equal "Unattributed Assistant", permitted[:book][:authors_attributes]["1"][:name] assert_filtered_out permitted[:book][:authors_attributes]["0"], :age_of_death end test "fields_for-style nested params with negative numbers" do params = ActionController::Parameters.new({ book: { authors_attributes: { :'-1' => { name: "William Shakespeare", age_of_death: "52" }, :'-2' => { name: "Unattributed Assistant" } } } }) permitted = params.permit book: { authors_attributes: [:name] } assert_not_nil permitted[:book][:authors_attributes]["-1"] assert_not_nil permitted[:book][:authors_attributes]["-2"] assert_equal "William Shakespeare", permitted[:book][:authors_attributes]["-1"][:name] assert_equal "Unattributed Assistant", permitted[:book][:authors_attributes]["-2"][:name] assert_filtered_out permitted[:book][:authors_attributes]["-1"], :age_of_death end test "nested number as key" do params = ActionController::Parameters.new({ product: { properties: { "0" => "prop0", "1" => "prop1" } } }) params = params.require(:product).permit(:properties => ["0"]) assert_not_nil params[:properties]["0"] assert_nil params[:properties]["1"] assert_equal "prop0", params[:properties]["0"] end end