backported_strong_parameters 0.2.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,53 @@
+= Strong Parameters
+
+With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed.
+
+In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
+
+    class PeopleController < ActionController::Base
+      # This will raise an ActiveModel::ForbiddenAttributes exception because it's using mass assignment
+      # without an explicit permit step.
+      def create
+        Person.create(params[:person])
+      end
+
+      # This will pass with flying colors as long as there's a person key in the parameters, otherwise
+      # it'll raise a ActionController::MissingParameter exception, which will get caught by
+      # ActionController::Base and turned into that 400 Bad Request reply.
+      def update
+        redirect_to current_account.people.find(params[:id]).tap { |person|
+          person.update_attributes!(person_params)
+        }
+      end
+
+      private
+        # Using a private method to encapsulate the permissible parameters is just a good pattern
+        # since you'll be able to reuse the same permit list between create and update. Also, you
+        # can specialize this method with per-user checking of permissible attributes.
+        def person_params
+          params.require(:person).permit(:name, :age)
+        end
+    end
+
+You can also use permit on nested parameters, like:
+
+    params.permit(:name, friends: [ :name, { family: [ :name ] }])
+
+Thanks to Nick Kallen for the permit idea!
+
+== Installation
+
+In Gemfile:
+
+    gem 'strong_parameters'
+
+and then run `bundle`. To activate the strong parameters, you need to include this module in
+every model you want protected.
+
+    class Post < ActiveRecord::Base
+      include ActiveModel::ForbiddenAttributesProtection
+    end
+
+== Compatibility
+
+Due to a testing issue, this plugin is only fully compatible with Rails versions 3.1, 3.2 but not 4.0 and beyond, as it is part of Rails Core in 4.0.

data/Rakefile

@@ -0,0 +1,38 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'StrongParameters'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task :default => :test

data/lib/action_controller/parameters.rb

@@ -0,0 +1,143 @@
+require 'active_support/concern'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'action_controller'
+
+module ActionController
+  class ParameterMissing < IndexError
+    attr_reader :param
+
+    def initialize(param)
+      @param = param
+      super("key not found: #{param}")
+    end
+  end
+
+  class Parameters < ActiveSupport::HashWithIndifferentAccess
+    attr_accessor :permitted
+    alias :permitted? :permitted
+
+    def initialize(attributes = nil)
+      super(attributes)
+      @permitted = false
+    end
+
+    def permit!
+      each_pair do |key, value|
+        convert_hashes_to_parameters(key, value)
+        self[key].permit! if self[key].respond_to? :permit!
+      end
+
+      @permitted = true
+      self
+    end
+
+    def require(key)
+      self[key].presence || raise(ActionController::ParameterMissing.new(key))
+    end
+
+    alias :required :require
+
+    def permit(*filters)
+      params = self.class.new
+
+      filters.each do |filter|
+        case filter
+        when Symbol, String then
+          params[filter] = self[filter] if has_key?(filter)
+          keys.grep(/\A#{Regexp.escape(filter)}\(\di\)\z/).each { |key| params[key] = self[key] }
+        when Hash then
+          self.slice(*filter.keys).each do |key, value|
+            return unless value
+
+            key = key.to_sym
+
+            params[key] = each_element(value) do |value|
+              # filters are a Hash, so we expect value to be a Hash too
+              next if filter.is_a?(Hash) && !value.is_a?(Hash)
+
+              value = self.class.new(value) if !value.respond_to?(:permit)
+
+              value.permit(*Array.wrap(filter[key]))
+            end
+          end
+        end
+      end
+
+      params.permit!
+    end
+
+    def [](key)
+      convert_hashes_to_parameters(key, super)
+    end
+
+    def fetch(key, *args)
+      convert_hashes_to_parameters(key, super)
+    rescue KeyError
+      raise ActionController::ParameterMissing.new(key)
+    end
+
+    def slice(*keys)
+      self.class.new(super)
+    end
+
+    def dup
+      super.tap do |duplicate|
+        duplicate.instance_variable_set :@permitted, @permitted
+      end
+    end
+
+    protected
+      def convert_value(value)
+        if value.class == Hash
+          self.class.new_from_hash_copying_default(value)
+        elsif value.is_a?(Array)
+          value.dup.replace(value.map { |e| convert_value(e) })
+        else
+          value
+        end
+      end
+
+    private
+      def convert_hashes_to_parameters(key, value)
+        if value.is_a?(Parameters) || !value.is_a?(Hash)
+          value
+        else
+          # Convert to Parameters on first access
+          self[key] = self.class.new(value)
+        end
+      end
+
+      def each_element(object)
+        if object.is_a?(Array)
+          object.map { |el| yield el }.compact
+        # fields_for on an array of records uses numeric hash keys
+        elsif object.is_a?(Hash) && object.keys.all? { |k| k =~ /\A-?\d+\z/ }
+          hash = object.class.new
+          object.each { |k,v| hash[k] = yield v }
+          hash
+        else
+          yield object
+        end
+      end
+  end
+
+  module StrongParameters
+    extend ActiveSupport::Concern
+
+    included do
+      rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
+        render :text => "Required parameter missing: #{parameter_missing_exception.param}", :status => :bad_request
+      end
+    end
+
+    def params
+      @_params ||= Parameters.new(request.parameters)
+    end
+
+    def params=(val)
+      @_params = val.is_a?(Hash) ? Parameters.new(val) : val
+    end
+  end
+end
+
+ActionController::Base.send :include, ActionController::StrongParameters

data/lib/active_model/forbidden_attributes_protection.rb

@@ -0,0 +1,16 @@
+module ActiveModel
+  class ForbiddenAttributes < StandardError
+  end
+
+  module ForbiddenAttributesProtection
+    def sanitize_for_mass_assignment(new_attributes, options = {})
+      if !new_attributes.respond_to?(:permitted?) || new_attributes.permitted?
+        super
+      else
+        raise ActiveModel::ForbiddenAttributes
+      end
+    end
+  end
+end
+
+ActiveModel.autoload :ForbiddenAttributesProtection

data/lib/generators/rails/USAGE

@@ -0,0 +1,12 @@
+Description:
+    Stubs out a scaffolded controller and its views. Different from rails
+    scaffold_controller, it uses strong_parameters to whitelist permissible
+    attributes in a private method.
+    Pass the model name, either CamelCased or under_scored. The controller
+    name is retrieved as a pluralized version of the model name.
+
+    To create a controller within a module, specify the model name as a
+    path like 'parent_module/controller_name'.
+
+    This generates a controller class in app/controllers and invokes helper,
+    template engine and test framework generators.

data/lib/generators/rails/strong_parameters_controller_generator.rb

@@ -0,0 +1,10 @@
+require 'rails/generators/rails/scaffold_controller/scaffold_controller_generator'
+
+module Rails
+  module Generators
+    class StrongParametersControllerGenerator < ScaffoldControllerGenerator
+      argument :attributes, :type => :array, :default => [], :banner => "field:type field:type"
+      source_root File.expand_path("../templates", __FILE__)
+    end
+  end
+end

data/lib/generators/rails/templates/controller.rb

@@ -0,0 +1,94 @@
+<% module_namespacing do -%>
+class <%= controller_class_name %>Controller < ApplicationController
+  # GET <%= route_url %>
+  # GET <%= route_url %>.json
+  def index
+    @<%= plural_table_name %> = <%= orm_class.all(class_name) %>
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render json: <%= "@#{plural_table_name}" %> }
+    end
+  end
+
+  # GET <%= route_url %>/1
+  # GET <%= route_url %>/1.json
+  def show
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+
+  # GET <%= route_url %>/new
+  # GET <%= route_url %>/new.json
+  def new
+    @<%= singular_table_name %> = <%= orm_class.build(class_name) %>
+
+    respond_to do |format|
+      format.html # new.html.erb
+      format.json { render json: <%= "@#{singular_table_name}" %> }
+    end
+  end
+
+  # GET <%= route_url %>/1/edit
+  def edit
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+  end
+
+  # POST <%= route_url %>
+  # POST <%= route_url %>.json
+  def create
+    @<%= singular_table_name %> = <%= orm_class.build(class_name, "#{singular_table_name}_params") %>
+
+    respond_to do |format|
+      if @<%= orm_instance.save %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully created.'" %> }
+        format.json { render json: <%= "@#{singular_table_name}" %>, status: :created, location: <%= "@#{singular_table_name}" %> }
+      else
+        format.html { render action: "new" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # PATCH/PUT <%= route_url %>/1
+  # PATCH/PUT <%= route_url %>/1.json
+  def update
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+
+    respond_to do |format|
+      if @<%= orm_instance.update_attributes("#{singular_table_name}_params") %>
+        format.html { redirect_to @<%= singular_table_name %>, notice: <%= "'#{human_name} was successfully updated.'" %> }
+        format.json { head :no_content }
+      else
+        format.html { render action: "edit" }
+        format.json { render json: <%= "@#{orm_instance.errors}" %>, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE <%= route_url %>/1
+  # DELETE <%= route_url %>/1.json
+  def destroy
+    @<%= singular_table_name %> = <%= orm_class.find(class_name, "params[:id]") %>
+    @<%= orm_instance.destroy %>
+
+    respond_to do |format|
+      format.html { redirect_to <%= index_helper %>_url }
+      format.json { head :no_content }
+    end
+  end
+
+  private
+
+    # Use this method to whitelist the permissible parameters. Example:
+    # params.require(:person).permit(:name, :age)
+    # Also, you can specialize this method with per-user checking of permissible attributes.
+    def <%= "#{singular_table_name}_params" %>
+      params.require(<%= ":#{singular_table_name}" %>).permit(<%= attributes.map {|a| ":#{a.name}" }.sort.join(', ') %>)
+    end
+end
+<% end -%>

data/lib/strong_parameters.rb

@@ -0,0 +1,3 @@
+require 'action_controller/parameters'
+require 'active_model/forbidden_attributes_protection'
+require 'strong_parameters/railtie'

data/lib/strong_parameters/railtie.rb

@@ -0,0 +1,11 @@
+require 'rails/railtie'
+
+module StrongParameters
+  class Railtie < ::Rails::Railtie
+    if config.respond_to?(:app_generators)
+      config.app_generators.scaffold_controller = :strong_parameters_controller
+    else
+      config.generators.scaffold_controller = :strong_parameters_controller
+    end
+  end
+end

data/lib/strong_parameters/version.rb

@@ -0,0 +1,3 @@
+module StrongParameters
+  VERSION = "0.2.0"
+end

data/test/action_controller_required_params_test.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+
+class BooksController < ActionController::Base
+  def create
+    params.require(:book).require(:name)
+    head :ok
+  end
+end
+
+class ActionControllerRequiredParamsTest < ActionController::TestCase
+  tests BooksController
+  
+  test "missing required parameters will raise exception" do
+    post :create, { magazine: { name: "Mjallo!" } }
+    assert_response :bad_request
+
+    post :create, { book: { title: "Mjallo!" } }
+    assert_response :bad_request
+  end
+  
+  test "required parameters that are present will not raise" do
+    post :create, { book: { name: "Mjallo!" } }
+    assert_response :ok
+  end
+  
+  test "missing parameters will be mentioned in the return" do
+    post :create, { magazine: { name: "Mjallo!" } }
+    assert_equal "Required parameter missing: book", response.body
+  end
+end

data/test/action_controller_tainted_params_test.rb

@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class PeopleController < ActionController::Base
+  def create
+    render text: params[:person].permitted? ? "untainted" : "tainted"
+  end
+  
+  def create_with_permit
+    render text: params[:person].permit(:name).permitted? ? "untainted" : "tainted"
+  end
+end
+
+class ActionControllerTaintedParamsTest < ActionController::TestCase
+  tests PeopleController
+  
+  test "parameters are tainted" do
+    post :create, { person: { name: "Mjallo!" } }
+    assert_equal "tainted", response.body
+  end
+  
+  test "parameters can be permitted and are then not tainted" do
+    post :create_with_permit, { person: { name: "Mjallo!" } }
+    assert_equal "untainted", response.body
+  end
+end

data/test/active_model_mass_assignment_taint_protection_test.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+
+class Person
+  include ActiveModel::MassAssignmentSecurity
+  include ActiveModel::ForbiddenAttributesProtection
+  
+  public :sanitize_for_mass_assignment
+end
+
+class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
+  test "forbidden attributes cannot be used for mass updating" do
+    assert_raises(ActiveModel::ForbiddenAttributes) do
+      Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b"))
+    end
+  end
+
+  test "permitted attributes can be used for mass updating" do
+    assert_nothing_raised do
+      assert_equal({ "a" => "b" },
+        Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(a: "b").permit(:a)))
+    end
+  end
+  
+  test "regular attributes should still be allowed" do
+    assert_nothing_raised do
+      assert_equal({ a: "b" },
+        Person.new.sanitize_for_mass_assignment(a: "b"))
+    end
+  end
+end

data/test/controller_generator_test.rb

@@ -0,0 +1,31 @@
+require 'rails/generators/test_case'
+require 'generators/rails/strong_parameters_controller_generator'
+
+class StrongParametersControllerGeneratorTest < Rails::Generators::TestCase
+  tests Rails::Generators::StrongParametersControllerGenerator
+  arguments %w(User name:string age:integer --orm=none)
+  destination File.expand_path("../tmp", File.dirname(__FILE__))
+  setup :prepare_destination
+
+  def test_controller_content
+    run_generator
+
+    assert_file "app/controllers/users_controller.rb" do |content|
+
+      assert_instance_method :create, content do |m|
+        assert_match(/@user = User\.new\(user_params\)/, m)
+        assert_match(/@user\.save/, m)
+        assert_match(/@user\.errors/, m)
+      end
+
+      assert_instance_method :update, content do |m|
+        assert_match(/@user = User\.find\(params\[:id\]\)/, m)
+        assert_match(/@user\.update_attributes\(user_params\)/, m)
+        assert_match(/@user\.errors/, m)
+      end
+
+      assert_match(/def user_params/, content)
+      assert_match(/params\.require\(:user\)\.permit\(:age, :name\)/, content)
+    end
+  end
+end

data/test/multi_parameter_attributes_test.rb

@@ -0,0 +1,34 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class MultiParameterAttributesTest < ActiveSupport::TestCase
+  test "permitted multi-parameter attribute keys" do
+    params = ActionController::Parameters.new({
+      book: {
+        "shipped_at(1i)" => "2012",
+        "shipped_at(2i)" => "3",
+        "shipped_at(3i)" => "25",
+        "shipped_at(4i)" => "10",
+        "shipped_at(5i)" => "15",
+        "published_at(1i)"   => "1999",
+        "published_at(2i)"   => "2",
+        "published_at(3i)"   => "5"
+      }
+    })
+
+    permitted = params.permit book: [ :shipped_at ]
+
+    assert permitted.permitted?
+
+    assert_equal "2012", permitted[:book]["shipped_at(1i)"]
+    assert_equal "3", permitted[:book]["shipped_at(2i)"]
+    assert_equal "25", permitted[:book]["shipped_at(3i)"]
+    assert_equal "10", permitted[:book]["shipped_at(4i)"]
+    assert_equal "15", permitted[:book]["shipped_at(5i)"]
+
+    assert_nil permitted[:book]["published_at(1i)"]
+    assert_nil permitted[:book]["published_at(2i)"]
+    assert_nil permitted[:book]["published_at(3i)"]
+  end
+end
+

data/test/nested_parameters_test.rb

@@ -0,0 +1,131 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class NestedParametersTest < ActiveSupport::TestCase
+  test "permitted nested parameters" do
+    params = ActionController::Parameters.new({
+      book: {
+        title: "Romeo and Juliet",
+        authors: [{
+          name: "William Shakespeare",
+          born: "1564-04-26"
+        }, {
+          name: "Christopher Marlowe"
+        }],
+        details: {
+          pages: 200,
+          genre: "Tragedy"
+        }
+      },
+      magazine: "Mjallo!"
+    })
+
+    permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages } ]
+
+    assert permitted.permitted?
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+    assert_equal 200, permitted[:book][:details][:pages]
+    assert_nil permitted[:book][:details][:genre]
+    assert_nil permitted[:book][:authors][1][:born]
+    assert_nil permitted[:magazine]
+  end
+
+  test "nested arrays with strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => :genres
+    assert_equal ["Tragedy"], permitted[:book][:genres]
+  end
+
+  test "permit may specify symbols or strings" do
+    params = ActionController::Parameters.new({
+      book: {
+        title: "Romeo and Juliet",
+        author: "William Shakespeare"
+      },
+      magazine: "Shakespeare Today"
+    })
+
+    permitted = params.permit({ book: ["title", :author] }, "magazine")
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:author]
+    assert_equal "Shakespeare Today", permitted[:magazine]
+  end
+
+  test "nested array with strings that should be hashes" do
+    params = ActionController::Parameters.new({
+      book: {
+        genres: ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit book: { genres: :type }
+    assert_empty permitted[:book][:genres]
+  end
+
+  test "nested array with strings that should be hashes and additional values" do
+    params = ActionController::Parameters.new({
+      book: {
+        title: "Romeo and Juliet",
+        genres: ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit book: [ :title, { genres: :type } ]
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_empty permitted[:book][:genres]
+  end
+
+  test "nested string that should be a hash" do
+    params = ActionController::Parameters.new({
+      book: {
+        genre: "Tragedy"
+      }
+    })
+
+    permitted = params.permit book: { genre: :type }
+    assert_nil permitted[:book][:genre]
+  end
+
+  test "fields_for_style_nested_params" do
+    params = ActionController::Parameters.new({
+      book: {
+        authors_attributes: {
+          :'0' => { name: 'William Shakespeare', age_of_death: '52' },
+          :'1' => { name: 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit book: { authors_attributes: [ :name ] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['0']
+    assert_not_nil permitted[:book][:authors_attributes]['1']
+    assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+  end
+
+  test "fields_for_style_nested_params with negative numbers" do
+    params    = ActionController::Parameters.new({
+      book: {
+        authors_attributes: {
+          :'-1' => {name: 'William Shakespeare', age_of_death: '52'},
+          :'-2' => {name: 'Unattributed Assistant'}
+        }
+      }
+    })
+    permitted = params.permit book: {authors_attributes: [:name]}
+
+    assert_not_nil permitted[:book][:authors_attributes]['-1']
+    assert_not_nil permitted[:book][:authors_attributes]['-2']
+    assert_nil permitted[:book][:authors_attributes]['-1'][:age_of_death]
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+  end
+end

data/test/parameters_require_test.rb

@@ -0,0 +1,10 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class ParametersRequireTest < ActiveSupport::TestCase
+  test "required parameters must be present not merely not nil" do
+    assert_raises(ActionController::ParameterMissing) do
+      ActionController::Parameters.new(person: {}).require(:person)
+    end
+  end
+end

data/test/parameters_taint_test.rb

@@ -0,0 +1,68 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class ParametersTaintTest < ActiveSupport::TestCase
+  setup do
+    @params = ActionController::Parameters.new({ person: { 
+      age: "32", name: { first: "David", last: "Heinemeier Hansson" }
+    }})
+  end
+
+  test "fetch raises ParameterMissing exception" do
+    e = assert_raises(ActionController::ParameterMissing) do
+      @params.fetch :foo
+    end
+    assert_equal :foo, e.param
+  end
+
+  test "fetch doesnt raise ParameterMissing exception if there is a default" do
+    assert_nothing_raised do
+      assert_equal "monkey", @params.fetch(:foo, "monkey")
+      assert_equal "monkey", @params.fetch(:foo) { "monkey" }
+    end
+  end
+
+  test "permitted is sticky on accessors" do
+    assert !@params.slice(:person).permitted?
+    assert !@params[:person][:name].permitted?
+
+    @params.each { |key, value| assert(value.permitted?) if key == :person }
+
+    assert !@params.fetch(:person).permitted?
+
+    assert !@params.values_at(:person).first.permitted?
+  end
+
+  test "permitted is sticky on mutators" do
+    assert !@params.delete_if { |k| k == :person }.permitted?
+    assert !@params.keep_if { |k,v| k == :person }.permitted?
+  end
+
+  test "permitted is sticky beyond merges" do
+    assert !@params.merge(a: "b").permitted?
+  end
+
+  test "modifying the parameters" do
+    @params[:person][:hometown] = "Chicago"
+    @params[:person][:family] = { brother: "Jonas" }
+
+    assert_equal "Chicago", @params[:person][:hometown]
+    assert_equal "Jonas", @params[:person][:family][:brother]
+  end
+  
+  test "permitting parameters that are not there should not include the keys" do
+    assert !@params.permit(:person, :funky).has_key?(:funky)
+  end
+
+  test "permit state is kept on a dup" do
+    @params.permit!
+    assert_equal @params.permitted?, @params.dup.permitted?
+  end
+
+  test "permit is recursive" do
+    @params.permit!
+    assert @params.permitted?
+    assert @params[:person].permitted?
+    assert @params[:person][:name].permitted?
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,27 @@
+# Configure Rails Environment
+ENV["RAILS_ENV"] = "test"
+
+require 'test/unit'
+require 'strong_parameters'
+
+module ActionController
+  SharedTestRoutes = ActionDispatch::Routing::RouteSet.new
+  SharedTestRoutes.draw do
+    match ':controller(/:action)'
+  end
+
+  class Base
+    include ActionController::Testing
+    include SharedTestRoutes.url_helpers
+  end
+
+  class ActionController::TestCase
+    setup do
+      @routes = SharedTestRoutes
+    end
+  end
+end
+
+
+# Load support files
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }

metadata

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification
+name: backported_strong_parameters
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+  prerelease: 
+platform: ruby
+authors:
+- David Heinemeier Hansson
+- Oren Dobzinski
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-10-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - <
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - <
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: activemodel
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - <
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - <
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - <
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - <
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- david@heinemeierhansson.com
+- orend2@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/action_controller/parameters.rb
+- lib/active_model/forbidden_attributes_protection.rb
+- lib/generators/rails/strong_parameters_controller_generator.rb
+- lib/generators/rails/templates/controller.rb
+- lib/generators/rails/USAGE
+- lib/strong_parameters/railtie.rb
+- lib/strong_parameters/version.rb
+- lib/strong_parameters.rb
+- MIT-LICENSE
+- Rakefile
+- README.rdoc
+- test/action_controller_required_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_model_mass_assignment_taint_protection_test.rb
+- test/controller_generator_test.rb
+- test/multi_parameter_attributes_test.rb
+- test/nested_parameters_test.rb
+- test/parameters_require_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb
+homepage: 
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Permitted and required parameters for Action Pack
+test_files:
+- test/action_controller_required_params_test.rb
+- test/action_controller_tainted_params_test.rb
+- test/active_model_mass_assignment_taint_protection_test.rb
+- test/controller_generator_test.rb
+- test/multi_parameter_attributes_test.rb
+- test/nested_parameters_test.rb
+- test/parameters_require_test.rb
+- test/parameters_taint_test.rb
+- test/test_helper.rb
+has_rdoc: