backported_strong_parameters 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- data/MIT-LICENSE +20 -0
- data/README.rdoc +53 -0
- data/Rakefile +38 -0
- data/lib/action_controller/parameters.rb +143 -0
- data/lib/active_model/forbidden_attributes_protection.rb +16 -0
- data/lib/generators/rails/USAGE +12 -0
- data/lib/generators/rails/strong_parameters_controller_generator.rb +10 -0
- data/lib/generators/rails/templates/controller.rb +94 -0
- data/lib/strong_parameters.rb +3 -0
- data/lib/strong_parameters/railtie.rb +11 -0
- data/lib/strong_parameters/version.rb +3 -0
- data/test/action_controller_required_params_test.rb +30 -0
- data/test/action_controller_tainted_params_test.rb +25 -0
- data/test/active_model_mass_assignment_taint_protection_test.rb +30 -0
- data/test/controller_generator_test.rb +31 -0
- data/test/multi_parameter_attributes_test.rb +34 -0
- data/test/nested_parameters_test.rb +131 -0
- data/test/parameters_require_test.rb +10 -0
- data/test/parameters_taint_test.rb +68 -0
- data/test/test_helper.rb +27 -0
- metadata +159 -0
data/MIT-LICENSE
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright 2012 David Heinemeier Hansson
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.rdoc
ADDED
@@ -0,0 +1,53 @@
|
|
1
|
+
= Strong Parameters
|
2
|
+
|
3
|
+
With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
|
4
|
+
|
5
|
+
In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
|
6
|
+
|
7
|
+
class PeopleController < ActionController::Base
|
8
|
+
# This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
|
9
|
+
# without an explicit permit step.
|
10
|
+
def create
|
11
|
+
Person.create(params[:person])
|
12
|
+
end
|
13
|
+
|
14
|
+
# This will pass with flying colors as long as there's a person key in the parameters, otherwise
|
15
|
+
# it'll raise a ActionController::MissingParameter exception, which will get caught by
|
16
|
+
# ActionController::Base and turned into that 400 Bad Request reply.
|
17
|
+
def update
|
18
|
+
redirect_to current_account.people.find(params[:id]).tap { |person|
|
19
|
+
person.update_attributes!(person_params)
|
20
|
+
}
|
21
|
+
end
|
22
|
+
|
23
|
+
private
|
24
|
+
# Using a private method to encapsulate the permissible parameters is just a good pattern
|
25
|
+
# since you'll be able to reuse the same permit list between create and update. Also, you
|
26
|
+
# can specialize this method with per-user checking of permissible attributes.
|
27
|
+
def person_params
|
28
|
+
params.require(:person).permit(:name, :age)
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
You can also use permit on nested parameters, like:
|
33
|
+
|
34
|
+
params.permit(:name, friends: [ :name, { family: [ :name ] }])
|
35
|
+
|
36
|
+
Thanks to Nick Kallen for the permit idea!
|
37
|
+
|
38
|
+
== Installation
|
39
|
+
|
40
|
+
In Gemfile:
|
41
|
+
|
42
|
+
gem 'strong_parameters'
|
43
|
+
|
44
|
+
and then run `bundle`. To activate the strong parameters, you need to include this module in
|
45
|
+
every model you want protected.
|
46
|
+
|
47
|
+
class Post < ActiveRecord::Base
|
48
|
+
include ActiveModel::ForbiddenAttributesProtection
|
49
|
+
end
|
50
|
+
|
51
|
+
== Compatibility
|
52
|
+
|
53
|
+
Due to a testing issue, this plugin is only fully compatible with Rails versions 3.1, 3.2 but not 4.0 and beyond, as it is part of Rails Core in 4.0.
|
data/Rakefile
ADDED
@@ -0,0 +1,38 @@
|
|
1
|
+
#!/usr/bin/env rake
|
2
|
+
begin
|
3
|
+
require 'bundler/setup'
|
4
|
+
rescue LoadError
|
5
|
+
puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
|
6
|
+
end
|
7
|
+
begin
|
8
|
+
require 'rdoc/task'
|
9
|
+
rescue LoadError
|
10
|
+
require 'rdoc/rdoc'
|
11
|
+
require 'rake/rdoctask'
|
12
|
+
RDoc::Task = Rake::RDocTask
|
13
|
+
end
|
14
|
+
|
15
|
+
RDoc::Task.new(:rdoc) do |rdoc|
|
16
|
+
rdoc.rdoc_dir = 'rdoc'
|
17
|
+
rdoc.title = 'StrongParameters'
|
18
|
+
rdoc.options << '--line-numbers'
|
19
|
+
rdoc.rdoc_files.include('README.rdoc')
|
20
|
+
rdoc.rdoc_files.include('lib/**/*.rb')
|
21
|
+
end
|
22
|
+
|
23
|
+
|
24
|
+
|
25
|
+
|
26
|
+
Bundler::GemHelper.install_tasks
|
27
|
+
|
28
|
+
require 'rake/testtask'
|
29
|
+
|
30
|
+
Rake::TestTask.new(:test) do |t|
|
31
|
+
t.libs << 'lib'
|
32
|
+
t.libs << 'test'
|
33
|
+
t.pattern = 'test/**/*_test.rb'
|
34
|
+
t.verbose = false
|
35
|
+
end
|
36
|
+
|
37
|
+
|
38
|
+
task :default => :test
|
@@ -0,0 +1,143 @@
|
|
1
|
+
require 'active_support/concern'
|
2
|
+
require 'active_support/core_ext/hash/indifferent_access'
|
3
|
+
require 'action_controller'
|
4
|
+
|
5
|
+
module ActionController
|
6
|
+
class ParameterMissing < IndexError
|
7
|
+
attr_reader :param
|
8
|
+
|
9
|
+
def initialize(param)
|
10
|
+
@param = param
|
11
|
+
super("key not found: #{param}")
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
class Parameters < ActiveSupport::HashWithIndifferentAccess
|
16
|
+
attr_accessor :permitted
|
17
|
+
alias :permitted? :permitted
|
18
|
+
|
19
|
+
def initialize(attributes = nil)
|
20
|
+
super(attributes)
|
21
|
+
@permitted = false
|
22
|
+
end
|
23
|
+
|
24
|
+
def permit!
|
25
|
+
each_pair do |key, value|
|
26
|
+
convert_hashes_to_parameters(key, value)
|
27
|
+
self[key].permit! if self[key].respond_to? :permit!
|
28
|
+
end
|
29
|
+
|
30
|
+
@permitted = true
|
31
|
+
self
|
32
|
+
end
|
33
|
+
|
34
|
+
def require(key)
|
35
|
+
self[key].presence || raise(ActionController::ParameterMissing.new(key))
|
36
|
+
end
|
37
|
+
|
38
|
+
alias :required :require
|
39
|
+
|
40
|
+
def permit(*filters)
|
41
|
+
params = self.class.new
|
42
|
+
|
43
|
+
filters.each do |filter|
|
44
|
+
case filter
|
45
|
+
when Symbol, String then
|
46
|
+
params[filter] = self[filter] if has_key?(filter)
|
47
|
+
keys.grep(/\A#{Regexp.escape(filter)}\(\di\)\z/).each { |key| params[key] = self[key] }
|
48
|
+
when Hash then
|
49
|
+
self.slice(*filter.keys).each do |key, value|
|
50
|
+
return unless value
|
51
|
+
|
52
|
+
key = key.to_sym
|
53
|
+
|
54
|
+
params[key] = each_element(value) do |value|
|
55
|
+
# filters are a Hash, so we expect value to be a Hash too
|
56
|
+
next if filter.is_a?(Hash) && !value.is_a?(Hash)
|
57
|
+
|
58
|
+
value = self.class.new(value) if !value.respond_to?(:permit)
|
59
|
+
|
60
|
+
value.permit(*Array.wrap(filter[key]))
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
66
|
+
params.permit!
|
67
|
+
end
|
68
|
+
|
69
|
+
def [](key)
|
70
|
+
convert_hashes_to_parameters(key, super)
|
71
|
+
end
|
72
|
+
|
73
|
+
def fetch(key, *args)
|
74
|
+
convert_hashes_to_parameters(key, super)
|
75
|
+
rescue KeyError
|
76
|
+
raise ActionController::ParameterMissing.new(key)
|
77
|
+
end
|
78
|
+
|
79
|
+
def slice(*keys)
|
80
|
+
self.class.new(super)
|
81
|
+
end
|
82
|
+
|
83
|
+
def dup
|
84
|
+
super.tap do |duplicate|
|
85
|
+
duplicate.instance_variable_set :@permitted, @permitted
|
86
|
+
end
|
87
|
+
end
|
88
|
+
|
89
|
+
protected
|
90
|
+
def convert_value(value)
|
91
|
+
if value.class == Hash
|
92
|
+
self.class.new_from_hash_copying_default(value)
|
93
|
+
elsif value.is_a?(Array)
|
94
|
+
value.dup.replace(value.map { |e| convert_value(e) })
|
95
|
+
else
|
96
|
+
value
|
97
|
+
end
|
98
|
+
end
|
99
|
+
|
100
|
+
private
|
101
|
+
def convert_hashes_to_parameters(key, value)
|
102
|
+
if value.is_a?(Parameters) || !value.is_a?(Hash)
|
103
|
+
value
|
104
|
+
else
|
105
|
+
# Convert to Parameters on first access
|
106
|
+
self[key] = self.class.new(value)
|
107
|
+
end
|
108
|
+
end
|
109
|
+
|
110
|
+
def each_element(object)
|
111
|
+
if object.is_a?(Array)
|
112
|
+
object.map { |el| yield el }.compact
|
113
|
+
# fields_for on an array of records uses numeric hash keys
|
114
|
+
elsif object.is_a?(Hash) && object.keys.all? { |k| k =~ /\A-?\d+\z/ }
|
115
|
+
hash = object.class.new
|
116
|
+
object.each { |k,v| hash[k] = yield v }
|
117
|
+
hash
|
118
|
+
else
|
119
|
+
yield object
|
120
|
+
end
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
124
|
+
module StrongParameters
|
125
|
+
extend ActiveSupport::Concern
|
126
|
+
|
127
|
+
included do
|
128
|
+
rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
|
129
|
+
render :text => "Required parameter missing: #{parameter_missing_exception.param}", :status => :bad_request
|
130
|
+
end
|
131
|
+
end
|
132
|
+
|
133
|
+
def params
|
134
|
+
@_params ||= Parameters.new(request.parameters)
|
135
|
+
end
|
136
|
+
|
137
|
+
def params=(val)
|
138
|
+
@_params = val.is_a?(Hash) ? Parameters.new(val) : val
|
139
|
+
end
|
140
|
+
end
|
141
|
+
end
|
142
|
+
|
143
|
+
ActionController::Base.send :include, ActionController::StrongParameters
|
@@ -0,0 +1,16 @@
|
|
1
|
+
module ActiveModel
|
2
|
+
class ForbiddenAttributes < StandardError
|
3
|
+
end
|
4
|
+
|
5
|
+
module ForbiddenAttributesProtection
|
6
|
+
def sanitize_for_mass_assignment(new_attributes, options = {})
|
7
|
+
if !new_attributes.respond_to?(:permitted?) || new_attributes.permitted?
|
8
|
+
super
|
9
|
+
else
|
10
|
+
raise ActiveModel::ForbiddenAttributes
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
16
|
+
ActiveModel.autoload :ForbiddenAttributesProtection
|
@@ -0,0 +1,12 @@
|
|
1
|
+
Description:
|
2
|
+
Stubs out a scaffolded controller and its views. Different from rails
|
3
|
+
scaffold_controller, it uses strong_parameters to whitelist permissible
|
4
|
+
attributes in a private method.
|
5
|
+
Pass the model name, either CamelCased or under_scored. The controller
|
6
|
+
name is retrieved as a pluralized version of the model name.
|
7
|
+
|
8
|
+
To create a controller within a module, specify the model name as a
|
9
|
+
path like 'parent_module/controller_name'.
|
10
|
+
|
11
|
+
This generates a controller class in app/controllers and invokes helper,
|
12
|
+
template engine and test framework generators.
|
@@ -0,0 +1,10 @@
|
|
1
|
+
require 'rails/generators/rails/scaffold_controller/scaffold_controller_generator'
|
2
|
+
|
3
|
+
module Rails
|
4
|
+
module Generators
|
5
|
+
class StrongParametersControllerGenerator < ScaffoldControllerGenerator
|
6
|
+
argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
|
7
|
+
source_root File.expand_path("../templates", __FILE__)
|
8
|
+
end
|
9
|
+
end
|
10
|
+
end
|
@@ -0,0 +1,94 @@
|
|
1
|
+
<% module_namespacing do -%>
|
2
|
+
class <%= controller_class_name %>Controller < ApplicationController
|
3
|
+
# GET <%= route_url %>
|
4
|
+
# GET <%= route_url %>.json
|
5
|
+
def index
|
6
|
+
@<%= plural_table_name %> = <%= orm_class.all(class_name) %>
|
7
|
+
|
8
|
+
respond_to do |format|
|
9
|
+
format.html # index.html.erb
|
10
|
+
format.json { render json: <%= "@#{plural_table_name}" %> }
|
11
|
+
end
|
12
|
+
end
|
13
|
+
|
14
|
+
# GET <%= route_url %>/1
|
15
|
+
# GET <%= route_url %>/1.json
|
16
|
+
def show
|
17
|
+
@<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
|
18
|
+
|
19
|
+
respond_to do |format|
|
20
|
+
format.html # show.html.erb
|
21
|
+
format.json { render json: <%= "@#{singular_table_name}" %> }
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
# GET <%= route_url %>/new
|
26
|
+
# GET <%= route_url %>/new.json
|
27
|
+
def new
|
28
|
+
@<%= singular_table_name %> = <%= orm_class.build(class_name) %>
|
29
|
+
|
30
|
+
respond_to do |format|
|
31
|
+
format.html # new.html.erb
|
32
|
+
format.json { render json: <%= "@#{singular_table_name}" %> }
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
# GET <%= route_url %>/1/edit
|
37
|
+
def edit
|
38
|
+
@<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
|
39
|
+
end
|
40
|
+
|
41
|
+
# POST <%= route_url %>
|
42
|
+
# POST <%= route_url %>.json
|
43
|
+
def create
|
44
|
+
@<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %>
|
45
|
+
|
46
|
+
respond_to do |format|
|
47
|
+
if @<%= orm_instance.save %>
|
48
|
+
format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully created.'" %> }
|
49
|
+
format.json { render json: <%= "@#{singular_table_name}" %>, status: :created, location: <%= "@#{singular_table_name}" %> }
|
50
|
+
else
|
51
|
+
format.html { render action: "new" }
|
52
|
+
format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
56
|
+
|
57
|
+
# PATCH/PUT <%= route_url %>/1
|
58
|
+
# PATCH/PUT <%= route_url %>/1.json
|
59
|
+
def update
|
60
|
+
@<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
|
61
|
+
|
62
|
+
respond_to do |format|
|
63
|
+
if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %>
|
64
|
+
format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> }
|
65
|
+
format.json { head :no_content }
|
66
|
+
else
|
67
|
+
format.html { render action: "edit" }
|
68
|
+
format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
|
69
|
+
end
|
70
|
+
end
|
71
|
+
end
|
72
|
+
|
73
|
+
# DELETE <%= route_url %>/1
|
74
|
+
# DELETE <%= route_url %>/1.json
|
75
|
+
def destroy
|
76
|
+
@<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
|
77
|
+
@<%= orm_instance.destroy %>
|
78
|
+
|
79
|
+
respond_to do |format|
|
80
|
+
format.html { redirect_to <%= index_helper %>_url }
|
81
|
+
format.json { head :no_content }
|
82
|
+
end
|
83
|
+
end
|
84
|
+
|
85
|
+
private
|
86
|
+
|
87
|
+
# Use this method to whitelist the permissible parameters. Example:
|
88
|
+
# params.require(:person).permit(:name, :age)
|
89
|
+
# Also, you can specialize this method with per-user checking of permissible attributes.
|
90
|
+
def <%= "#{singular_table_name}_params" %>
|
91
|
+
params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>)
|
92
|
+
end
|
93
|
+
end
|
94
|
+
<% end -%>
|
@@ -0,0 +1,11 @@
|
|
1
|
+
require 'rails/railtie'
|
2
|
+
|
3
|
+
module StrongParameters
|
4
|
+
class Railtie < ::Rails::Railtie
|
5
|
+
if config.respond_to?(:app_generators)
|
6
|
+
config.app_generators.scaffold_controller = :strong_parameters_controller
|
7
|
+
else
|
8
|
+
config.generators.scaffold_controller = :strong_parameters_controller
|
9
|
+
end
|
10
|
+
end
|
11
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
|
3
|
+
class BooksController < ActionController::Base
|
4
|
+
def create
|
5
|
+
params.require(:book).require(:name)
|
6
|
+
head :ok
|
7
|
+
end
|
8
|
+
end
|
9
|
+
|
10
|
+
class ActionControllerRequiredParamsTest < ActionController::TestCase
|
11
|
+
tests BooksController
|
12
|
+
|
13
|
+
test "missing required parameters will raise exception" do
|
14
|
+
post :create, { magazine: { name: "Mjallo!" } }
|
15
|
+
assert_response :bad_request
|
16
|
+
|
17
|
+
post :create, { book: { title: "Mjallo!" } }
|
18
|
+
assert_response :bad_request
|
19
|
+
end
|
20
|
+
|
21
|
+
test "required parameters that are present will not raise" do
|
22
|
+
post :create, { book: { name: "Mjallo!" } }
|
23
|
+
assert_response :ok
|
24
|
+
end
|
25
|
+
|
26
|
+
test "missing parameters will be mentioned in the return" do
|
27
|
+
post :create, { magazine: { name: "Mjallo!" } }
|
28
|
+
assert_equal "Required parameter missing: book", response.body
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,25 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
|
3
|
+
class PeopleController < ActionController::Base
|
4
|
+
def create
|
5
|
+
render text: params[:person].permitted? ? "untainted" : "tainted"
|
6
|
+
end
|
7
|
+
|
8
|
+
def create_with_permit
|
9
|
+
render text: params[:person].permit(:name).permitted? ? "untainted" : "tainted"
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
13
|
+
class ActionControllerTaintedParamsTest < ActionController::TestCase
|
14
|
+
tests PeopleController
|
15
|
+
|
16
|
+
test "parameters are tainted" do
|
17
|
+
post :create, { person: { name: "Mjallo!" } }
|
18
|
+
assert_equal "tainted", response.body
|
19
|
+
end
|
20
|
+
|
21
|
+
test "parameters can be permitted and are then not tainted" do
|
22
|
+
post :create_with_permit, { person: { name: "Mjallo!" } }
|
23
|
+
assert_equal "untainted", response.body
|
24
|
+
end
|
25
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
|
3
|
+
class Person
|
4
|
+
include ActiveModel::MassAssignmentSecurity
|
5
|
+
include ActiveModel::ForbiddenAttributesProtection
|
6
|
+
|
7
|
+
public :sanitize_for_mass_assignment
|
8
|
+
end
|
9
|
+
|
10
|
+
class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
|
11
|
+
test "forbidden attributes cannot be used for mass updating" do
|
12
|
+
assert_raises(ActiveModel::ForbiddenAttributes) do
|
13
|
+
Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b"))
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
test "permitted attributes can be used for mass updating" do
|
18
|
+
assert_nothing_raised do
|
19
|
+
assert_equal({ "a" => "b" },
|
20
|
+
Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b").permit(:a)))
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
test "regular attributes should still be allowed" do
|
25
|
+
assert_nothing_raised do
|
26
|
+
assert_equal({ a: "b" },
|
27
|
+
Person.new.sanitize_for_mass_assignment(a: "b"))
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
require 'rails/generators/test_case'
|
2
|
+
require 'generators/rails/strong_parameters_controller_generator'
|
3
|
+
|
4
|
+
class StrongParametersControllerGeneratorTest < Rails::Generators::TestCase
|
5
|
+
tests Rails::Generators::StrongParametersControllerGenerator
|
6
|
+
arguments %w(User name:string age:integer --orm=none)
|
7
|
+
destination File.expand_path("../tmp", File.dirname(__FILE__))
|
8
|
+
setup :prepare_destination
|
9
|
+
|
10
|
+
def test_controller_content
|
11
|
+
run_generator
|
12
|
+
|
13
|
+
assert_file "app/controllers/users_controller.rb" do |content|
|
14
|
+
|
15
|
+
assert_instance_method :create, content do |m|
|
16
|
+
assert_match(/@user = User\.new\(user_params\)/, m)
|
17
|
+
assert_match(/@user\.save/, m)
|
18
|
+
assert_match(/@user\.errors/, m)
|
19
|
+
end
|
20
|
+
|
21
|
+
assert_instance_method :update, content do |m|
|
22
|
+
assert_match(/@user = User\.find\(params\[:id\]\)/, m)
|
23
|
+
assert_match(/@user\.update_attributes\(user_params\)/, m)
|
24
|
+
assert_match(/@user\.errors/, m)
|
25
|
+
end
|
26
|
+
|
27
|
+
assert_match(/def user_params/, content)
|
28
|
+
assert_match(/params\.require\(:user\)\.permit\(:age, :name\)/, content)
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
@@ -0,0 +1,34 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
require 'action_controller/parameters'
|
3
|
+
|
4
|
+
class MultiParameterAttributesTest < ActiveSupport::TestCase
|
5
|
+
test "permitted multi-parameter attribute keys" do
|
6
|
+
params = ActionController::Parameters.new({
|
7
|
+
book: {
|
8
|
+
"shipped_at(1i)" => "2012",
|
9
|
+
"shipped_at(2i)" => "3",
|
10
|
+
"shipped_at(3i)" => "25",
|
11
|
+
"shipped_at(4i)" => "10",
|
12
|
+
"shipped_at(5i)" => "15",
|
13
|
+
"published_at(1i)" => "1999",
|
14
|
+
"published_at(2i)" => "2",
|
15
|
+
"published_at(3i)" => "5"
|
16
|
+
}
|
17
|
+
})
|
18
|
+
|
19
|
+
permitted = params.permit book: [ :shipped_at ]
|
20
|
+
|
21
|
+
assert permitted.permitted?
|
22
|
+
|
23
|
+
assert_equal "2012", permitted[:book]["shipped_at(1i)"]
|
24
|
+
assert_equal "3", permitted[:book]["shipped_at(2i)"]
|
25
|
+
assert_equal "25", permitted[:book]["shipped_at(3i)"]
|
26
|
+
assert_equal "10", permitted[:book]["shipped_at(4i)"]
|
27
|
+
assert_equal "15", permitted[:book]["shipped_at(5i)"]
|
28
|
+
|
29
|
+
assert_nil permitted[:book]["published_at(1i)"]
|
30
|
+
assert_nil permitted[:book]["published_at(2i)"]
|
31
|
+
assert_nil permitted[:book]["published_at(3i)"]
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
@@ -0,0 +1,131 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
require 'action_controller/parameters'
|
3
|
+
|
4
|
+
class NestedParametersTest < ActiveSupport::TestCase
|
5
|
+
test "permitted nested parameters" do
|
6
|
+
params = ActionController::Parameters.new({
|
7
|
+
book: {
|
8
|
+
title: "Romeo and Juliet",
|
9
|
+
authors: [{
|
10
|
+
name: "William Shakespeare",
|
11
|
+
born: "1564-04-26"
|
12
|
+
}, {
|
13
|
+
name: "Christopher Marlowe"
|
14
|
+
}],
|
15
|
+
details: {
|
16
|
+
pages: 200,
|
17
|
+
genre: "Tragedy"
|
18
|
+
}
|
19
|
+
},
|
20
|
+
magazine: "Mjallo!"
|
21
|
+
})
|
22
|
+
|
23
|
+
permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages } ]
|
24
|
+
|
25
|
+
assert permitted.permitted?
|
26
|
+
assert_equal "Romeo and Juliet", permitted[:book][:title]
|
27
|
+
assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
|
28
|
+
assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
|
29
|
+
assert_equal 200, permitted[:book][:details][:pages]
|
30
|
+
assert_nil permitted[:book][:details][:genre]
|
31
|
+
assert_nil permitted[:book][:authors][1][:born]
|
32
|
+
assert_nil permitted[:magazine]
|
33
|
+
end
|
34
|
+
|
35
|
+
test "nested arrays with strings" do
|
36
|
+
params = ActionController::Parameters.new({
|
37
|
+
:book => {
|
38
|
+
:genres => ["Tragedy"]
|
39
|
+
}
|
40
|
+
})
|
41
|
+
|
42
|
+
permitted = params.permit :book => :genres
|
43
|
+
assert_equal ["Tragedy"], permitted[:book][:genres]
|
44
|
+
end
|
45
|
+
|
46
|
+
test "permit may specify symbols or strings" do
|
47
|
+
params = ActionController::Parameters.new({
|
48
|
+
book: {
|
49
|
+
title: "Romeo and Juliet",
|
50
|
+
author: "William Shakespeare"
|
51
|
+
},
|
52
|
+
magazine: "Shakespeare Today"
|
53
|
+
})
|
54
|
+
|
55
|
+
permitted = params.permit({ book: ["title", :author] }, "magazine")
|
56
|
+
assert_equal "Romeo and Juliet", permitted[:book][:title]
|
57
|
+
assert_equal "William Shakespeare", permitted[:book][:author]
|
58
|
+
assert_equal "Shakespeare Today", permitted[:magazine]
|
59
|
+
end
|
60
|
+
|
61
|
+
test "nested array with strings that should be hashes" do
|
62
|
+
params = ActionController::Parameters.new({
|
63
|
+
book: {
|
64
|
+
genres: ["Tragedy"]
|
65
|
+
}
|
66
|
+
})
|
67
|
+
|
68
|
+
permitted = params.permit book: { genres: :type }
|
69
|
+
assert_empty permitted[:book][:genres]
|
70
|
+
end
|
71
|
+
|
72
|
+
test "nested array with strings that should be hashes and additional values" do
|
73
|
+
params = ActionController::Parameters.new({
|
74
|
+
book: {
|
75
|
+
title: "Romeo and Juliet",
|
76
|
+
genres: ["Tragedy"]
|
77
|
+
}
|
78
|
+
})
|
79
|
+
|
80
|
+
permitted = params.permit book: [ :title, { genres: :type } ]
|
81
|
+
assert_equal "Romeo and Juliet", permitted[:book][:title]
|
82
|
+
assert_empty permitted[:book][:genres]
|
83
|
+
end
|
84
|
+
|
85
|
+
test "nested string that should be a hash" do
|
86
|
+
params = ActionController::Parameters.new({
|
87
|
+
book: {
|
88
|
+
genre: "Tragedy"
|
89
|
+
}
|
90
|
+
})
|
91
|
+
|
92
|
+
permitted = params.permit book: { genre: :type }
|
93
|
+
assert_nil permitted[:book][:genre]
|
94
|
+
end
|
95
|
+
|
96
|
+
test "fields_for_style_nested_params" do
|
97
|
+
params = ActionController::Parameters.new({
|
98
|
+
book: {
|
99
|
+
authors_attributes: {
|
100
|
+
:'0' => { name: 'William Shakespeare', age_of_death: '52' },
|
101
|
+
:'1' => { name: 'Unattributed Assistant' }
|
102
|
+
}
|
103
|
+
}
|
104
|
+
})
|
105
|
+
permitted = params.permit book: { authors_attributes: [ :name ] }
|
106
|
+
|
107
|
+
assert_not_nil permitted[:book][:authors_attributes]['0']
|
108
|
+
assert_not_nil permitted[:book][:authors_attributes]['1']
|
109
|
+
assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
|
110
|
+
assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
|
111
|
+
assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
|
112
|
+
end
|
113
|
+
|
114
|
+
test "fields_for_style_nested_params with negative numbers" do
|
115
|
+
params = ActionController::Parameters.new({
|
116
|
+
book: {
|
117
|
+
authors_attributes: {
|
118
|
+
:'-1' => {name: 'William Shakespeare', age_of_death: '52'},
|
119
|
+
:'-2' => {name: 'Unattributed Assistant'}
|
120
|
+
}
|
121
|
+
}
|
122
|
+
})
|
123
|
+
permitted = params.permit book: {authors_attributes: [:name]}
|
124
|
+
|
125
|
+
assert_not_nil permitted[:book][:authors_attributes]['-1']
|
126
|
+
assert_not_nil permitted[:book][:authors_attributes]['-2']
|
127
|
+
assert_nil permitted[:book][:authors_attributes]['-1'][:age_of_death]
|
128
|
+
assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
|
129
|
+
assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
|
130
|
+
end
|
131
|
+
end
|
@@ -0,0 +1,10 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
require 'action_controller/parameters'
|
3
|
+
|
4
|
+
class ParametersRequireTest < ActiveSupport::TestCase
|
5
|
+
test "required parameters must be present not merely not nil" do
|
6
|
+
assert_raises(ActionController::ParameterMissing) do
|
7
|
+
ActionController::Parameters.new(person: {}).require(:person)
|
8
|
+
end
|
9
|
+
end
|
10
|
+
end
|
@@ -0,0 +1,68 @@
|
|
1
|
+
require 'test_helper'
|
2
|
+
require 'action_controller/parameters'
|
3
|
+
|
4
|
+
class ParametersTaintTest < ActiveSupport::TestCase
|
5
|
+
setup do
|
6
|
+
@params = ActionController::Parameters.new({ person: {
|
7
|
+
age: "32", name: { first: "David", last: "Heinemeier Hansson" }
|
8
|
+
}})
|
9
|
+
end
|
10
|
+
|
11
|
+
test "fetch raises ParameterMissing exception" do
|
12
|
+
e = assert_raises(ActionController::ParameterMissing) do
|
13
|
+
@params.fetch :foo
|
14
|
+
end
|
15
|
+
assert_equal :foo, e.param
|
16
|
+
end
|
17
|
+
|
18
|
+
test "fetch doesnt raise ParameterMissing exception if there is a default" do
|
19
|
+
assert_nothing_raised do
|
20
|
+
assert_equal "monkey", @params.fetch(:foo, "monkey")
|
21
|
+
assert_equal "monkey", @params.fetch(:foo) { "monkey" }
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
test "permitted is sticky on accessors" do
|
26
|
+
assert !@params.slice(:person).permitted?
|
27
|
+
assert !@params[:person][:name].permitted?
|
28
|
+
|
29
|
+
@params.each { |key, value| assert(value.permitted?) if key == :person }
|
30
|
+
|
31
|
+
assert !@params.fetch(:person).permitted?
|
32
|
+
|
33
|
+
assert !@params.values_at(:person).first.permitted?
|
34
|
+
end
|
35
|
+
|
36
|
+
test "permitted is sticky on mutators" do
|
37
|
+
assert !@params.delete_if { |k| k == :person }.permitted?
|
38
|
+
assert !@params.keep_if { |k,v| k == :person }.permitted?
|
39
|
+
end
|
40
|
+
|
41
|
+
test "permitted is sticky beyond merges" do
|
42
|
+
assert !@params.merge(a: "b").permitted?
|
43
|
+
end
|
44
|
+
|
45
|
+
test "modifying the parameters" do
|
46
|
+
@params[:person][:hometown] = "Chicago"
|
47
|
+
@params[:person][:family] = { brother: "Jonas" }
|
48
|
+
|
49
|
+
assert_equal "Chicago", @params[:person][:hometown]
|
50
|
+
assert_equal "Jonas", @params[:person][:family][:brother]
|
51
|
+
end
|
52
|
+
|
53
|
+
test "permitting parameters that are not there should not include the keys" do
|
54
|
+
assert !@params.permit(:person, :funky).has_key?(:funky)
|
55
|
+
end
|
56
|
+
|
57
|
+
test "permit state is kept on a dup" do
|
58
|
+
@params.permit!
|
59
|
+
assert_equal @params.permitted?, @params.dup.permitted?
|
60
|
+
end
|
61
|
+
|
62
|
+
test "permit is recursive" do
|
63
|
+
@params.permit!
|
64
|
+
assert @params.permitted?
|
65
|
+
assert @params[:person].permitted?
|
66
|
+
assert @params[:person][:name].permitted?
|
67
|
+
end
|
68
|
+
end
|
data/test/test_helper.rb
ADDED
@@ -0,0 +1,27 @@
|
|
1
|
+
# Configure Rails Environment
|
2
|
+
ENV["RAILS_ENV"] = "test"
|
3
|
+
|
4
|
+
require 'test/unit'
|
5
|
+
require 'strong_parameters'
|
6
|
+
|
7
|
+
module ActionController
|
8
|
+
SharedTestRoutes = ActionDispatch::Routing::RouteSet.new
|
9
|
+
SharedTestRoutes.draw do
|
10
|
+
match ':controller(/:action)'
|
11
|
+
end
|
12
|
+
|
13
|
+
class Base
|
14
|
+
include ActionController::Testing
|
15
|
+
include SharedTestRoutes.url_helpers
|
16
|
+
end
|
17
|
+
|
18
|
+
class ActionController::TestCase
|
19
|
+
setup do
|
20
|
+
@routes = SharedTestRoutes
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
|
26
|
+
# Load support files
|
27
|
+
Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }
|
metadata
ADDED
@@ -0,0 +1,159 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: backported_strong_parameters
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.2.0
|
5
|
+
prerelease:
|
6
|
+
platform: ruby
|
7
|
+
authors:
|
8
|
+
- David Heinemeier Hansson
|
9
|
+
- Oren Dobzinski
|
10
|
+
autorequire:
|
11
|
+
bindir: bin
|
12
|
+
cert_chain: []
|
13
|
+
date: 2012-10-17 00:00:00.000000000 Z
|
14
|
+
dependencies:
|
15
|
+
- !ruby/object:Gem::Dependency
|
16
|
+
name: actionpack
|
17
|
+
requirement: !ruby/object:Gem::Requirement
|
18
|
+
none: false
|
19
|
+
requirements:
|
20
|
+
- - ! '>='
|
21
|
+
- !ruby/object:Gem::Version
|
22
|
+
version: '3.1'
|
23
|
+
- - <
|
24
|
+
- !ruby/object:Gem::Version
|
25
|
+
version: '4.0'
|
26
|
+
type: :runtime
|
27
|
+
prerelease: false
|
28
|
+
version_requirements: !ruby/object:Gem::Requirement
|
29
|
+
none: false
|
30
|
+
requirements:
|
31
|
+
- - ! '>='
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '3.1'
|
34
|
+
- - <
|
35
|
+
- !ruby/object:Gem::Version
|
36
|
+
version: '4.0'
|
37
|
+
- !ruby/object:Gem::Dependency
|
38
|
+
name: activemodel
|
39
|
+
requirement: !ruby/object:Gem::Requirement
|
40
|
+
none: false
|
41
|
+
requirements:
|
42
|
+
- - ! '>='
|
43
|
+
- !ruby/object:Gem::Version
|
44
|
+
version: '3.1'
|
45
|
+
- - <
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '4.0'
|
48
|
+
type: :runtime
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
none: false
|
52
|
+
requirements:
|
53
|
+
- - ! '>='
|
54
|
+
- !ruby/object:Gem::Version
|
55
|
+
version: '3.1'
|
56
|
+
- - <
|
57
|
+
- !ruby/object:Gem::Version
|
58
|
+
version: '4.0'
|
59
|
+
- !ruby/object:Gem::Dependency
|
60
|
+
name: railties
|
61
|
+
requirement: !ruby/object:Gem::Requirement
|
62
|
+
none: false
|
63
|
+
requirements:
|
64
|
+
- - ! '>='
|
65
|
+
- !ruby/object:Gem::Version
|
66
|
+
version: '3.1'
|
67
|
+
- - <
|
68
|
+
- !ruby/object:Gem::Version
|
69
|
+
version: '4.0'
|
70
|
+
type: :runtime
|
71
|
+
prerelease: false
|
72
|
+
version_requirements: !ruby/object:Gem::Requirement
|
73
|
+
none: false
|
74
|
+
requirements:
|
75
|
+
- - ! '>='
|
76
|
+
- !ruby/object:Gem::Version
|
77
|
+
version: '3.1'
|
78
|
+
- - <
|
79
|
+
- !ruby/object:Gem::Version
|
80
|
+
version: '4.0'
|
81
|
+
- !ruby/object:Gem::Dependency
|
82
|
+
name: rake
|
83
|
+
requirement: !ruby/object:Gem::Requirement
|
84
|
+
none: false
|
85
|
+
requirements:
|
86
|
+
- - ! '>='
|
87
|
+
- !ruby/object:Gem::Version
|
88
|
+
version: '0'
|
89
|
+
type: :development
|
90
|
+
prerelease: false
|
91
|
+
version_requirements: !ruby/object:Gem::Requirement
|
92
|
+
none: false
|
93
|
+
requirements:
|
94
|
+
- - ! '>='
|
95
|
+
- !ruby/object:Gem::Version
|
96
|
+
version: '0'
|
97
|
+
description:
|
98
|
+
email:
|
99
|
+
- david@heinemeierhansson.com
|
100
|
+
- orend2@gmail.com
|
101
|
+
executables: []
|
102
|
+
extensions: []
|
103
|
+
extra_rdoc_files: []
|
104
|
+
files:
|
105
|
+
- lib/action_controller/parameters.rb
|
106
|
+
- lib/active_model/forbidden_attributes_protection.rb
|
107
|
+
- lib/generators/rails/strong_parameters_controller_generator.rb
|
108
|
+
- lib/generators/rails/templates/controller.rb
|
109
|
+
- lib/generators/rails/USAGE
|
110
|
+
- lib/strong_parameters/railtie.rb
|
111
|
+
- lib/strong_parameters/version.rb
|
112
|
+
- lib/strong_parameters.rb
|
113
|
+
- MIT-LICENSE
|
114
|
+
- Rakefile
|
115
|
+
- README.rdoc
|
116
|
+
- test/action_controller_required_params_test.rb
|
117
|
+
- test/action_controller_tainted_params_test.rb
|
118
|
+
- test/active_model_mass_assignment_taint_protection_test.rb
|
119
|
+
- test/controller_generator_test.rb
|
120
|
+
- test/multi_parameter_attributes_test.rb
|
121
|
+
- test/nested_parameters_test.rb
|
122
|
+
- test/parameters_require_test.rb
|
123
|
+
- test/parameters_taint_test.rb
|
124
|
+
- test/test_helper.rb
|
125
|
+
homepage:
|
126
|
+
licenses: []
|
127
|
+
post_install_message:
|
128
|
+
rdoc_options: []
|
129
|
+
require_paths:
|
130
|
+
- lib
|
131
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
132
|
+
none: false
|
133
|
+
requirements:
|
134
|
+
- - ! '>='
|
135
|
+
- !ruby/object:Gem::Version
|
136
|
+
version: '0'
|
137
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
138
|
+
none: false
|
139
|
+
requirements:
|
140
|
+
- - ! '>='
|
141
|
+
- !ruby/object:Gem::Version
|
142
|
+
version: '0'
|
143
|
+
requirements: []
|
144
|
+
rubyforge_project:
|
145
|
+
rubygems_version: 1.8.23
|
146
|
+
signing_key:
|
147
|
+
specification_version: 3
|
148
|
+
summary: Permitted and required parameters for Action Pack
|
149
|
+
test_files:
|
150
|
+
- test/action_controller_required_params_test.rb
|
151
|
+
- test/action_controller_tainted_params_test.rb
|
152
|
+
- test/active_model_mass_assignment_taint_protection_test.rb
|
153
|
+
- test/controller_generator_test.rb
|
154
|
+
- test/multi_parameter_attributes_test.rb
|
155
|
+
- test/nested_parameters_test.rb
|
156
|
+
- test/parameters_require_test.rb
|
157
|
+
- test/parameters_taint_test.rb
|
158
|
+
- test/test_helper.rb
|
159
|
+
has_rdoc:
|