remembering_strong_parameters 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/MIT-LICENSE +20 -0
- data/README.rdoc +63 -0
- data/Rakefile +28 -0
- data/lib/action_controller/parameters.rb +291 -0
- data/lib/active_model/forbidden_attributes_protection.rb +17 -0
- data/lib/remembering_strong_parameters/version.rb +3 -0
- data/lib/remembering_strong_parameters.rb +2 -0
- data/test/action_controller_required_params_test.rb +52 -0
- data/test/action_controller_tainted_params_test.rb +25 -0
- data/test/active_model_mass_assignment_taint_protection_test.rb +43 -0
- data/test/chained_require_and_permit_test.rb +85 -0
- data/test/gemfiles/Gemfile.rails-3.0.x +6 -0
- data/test/gemfiles/Gemfile.rails-3.0.x.lock +62 -0
- data/test/gemfiles/Gemfile.rails-3.1.x +6 -0
- data/test/gemfiles/Gemfile.rails-3.2.x +6 -0
- data/test/hash_from_test.rb +25 -0
- data/test/multi_parameter_attributes_test.rb +39 -0
- data/test/nested_parameters_test.rb +157 -0
- data/test/parameters_require_test.rb +10 -0
- data/test/parameters_taint_test.rb +94 -0
- data/test/strengthen_test.rb +147 -0
- data/test/strong_array_test.rb +49 -0
- data/test/test_helper.rb +28 -0
- metadata +149 -0
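--- a/data/test/action_controller_tainted_params_test.rb
+++ b/data/test/action_controller_tainted_params_test.rb
@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class PeopleController < ActionController::Base
+def create
+render :text => params[:person].strengthened? ? "untainted" : "tainted"
+end
+
+def create_with_permit
+render :text => params[:person].permit(:name).strengthened? ? "untainted" : "tainted"
+end
+end
+
+class ActionControllerTaintedParamsTest < ActionController::TestCase
+tests PeopleController
+
+test "parameters are tainted" do
+post :create, { :person => { :name => "Mjallo!" } }
+assert_equal "tainted", response.body
+end
+
+test "parameters can be permitted and are then not tainted" do
+post :create_with_permit, { :person => { :name => "Mjallo!" } }
+assert_equal "untainted", response.body
+end
+end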
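Review bot: Both controller actions render only the `strengthened?` flag, so the "permitted" test (lines 21-24) would still pass if `permit(:name)` returned the whole hash marked as strengthened; nothing in this file checks that unlisted keys are actually dropped on the controller path. Posting an extra key and asserting on the surviving keys would pin that, e.g. `post :create_with_permit, { :person => { :name => "Mjallo!", :admin => "1" } }` with the action rendering `params[:person].permit(:name).keys.join(",")` and the test asserting `assert_equal "name", response.body` (string keys, as the other tests in this release assert). The existing flag-only tests can stay alongside that.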
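--- a/data/test/active_model_mass_assignment_taint_protection_test.rb
+++ b/data/test/active_model_mass_assignment_taint_protection_test.rb
@@ -0,0 +1,43 @@
+require 'test_helper'
+
+class Person
+include ActiveModel::MassAssignmentSecurity
+include ActiveModel::ForbiddenAttributesProtection
+
+public :sanitize_for_mass_assignment
+end
+
+class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
+test "forbidden attributes cannot be used for mass updating" do
+assert_raises(ActionController::ParameterMissing) do
+Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b").require(:c))
+end
+end
+
+test "forbidden attributes not passed on for mass updating when there are some matches" do
+assert_equal(
+{'c' => 'd'},
+Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b", :c => 'd').permit(:c))
+)
+end
+
+test "attributes cannot be used for mass updating when nothing permitted" do
+assert_raises(ActiveModel::ForbiddenAttributes) do
+Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b"))
+end
+end
+
+test "permitted attributes can be used for mass updating" do
+assert_nothing_raised do
+assert_equal({ "a" => "b" },
+Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b").permit(:a)))
+end
+end
+
+test "regular attributes should still be allowed" do
+assert_nothing_raised do
+assert_equal({ :a => "b" },
+Person.new.sanitize_for_mass_assignment(:a => "b"))
+end
+end
+end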
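Review bot: The test on line 11 is named "forbidden attributes cannot be used for mass updating" but what it asserts is that `.require(:c)` raises `ActionController::ParameterMissing`; that exception is raised while the argument is being built, before `sanitize_for_mass_assignment` runs, so the forbidden-attributes protection is never reached in this test. The case the name describes is actually covered by the test on line 24 (`ActiveModel::ForbiddenAttributes` on an un-permitted hash). Renaming line 11 to something like `test "require on a missing key raises before mass assignment" do` keeps the assertion and makes the coverage honest.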
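--- a/data/test/chained_require_and_permit_test.rb
+++ b/data/test/chained_require_and_permit_test.rb
@@ -0,0 +1,85 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class ChainedRequireAndPermitTest < ActiveSupport::TestCase
+def setup
+@params = ActionController::Parameters.new(
+{
+:things => {
+:one => 1,
+:two => 2
+},
+
+:foo => :bar
+}
+)
+end
+
+test "required with one present and one missing" do
+assert_raises(ActionController::ParameterMissing) do
+@params.strengthen(:foo => :require).strengthen(:something_else => :require)
+end
+end
+
+test "required is present" do
+assert_equal(
+@params,
+@params.strengthen(:foo => :require).strengthen(:things => [:one => :require, :two => :require])
+)
+end
+
+test "part of param not within permitted" do
+assert_equal(
+{'foo' => :bar},
+@params.permit(:foo).permit(:something_else)
+)
+end
+
+test 'when everything present is permitted' do
+assert_equal(
+@params,
+@params.permit(:foo).permit(:things => [:one, :two])
+)
+end
+
+test 'everything present is within permitted' do
+assert_equal(
+@params,
+@params.permit(:foo).permit(:things => [:one, :two]).permit(:something_else)
+)
+end
+
+test "everything present is permitted or required" do
+assert_equal(
+@params,
+@params.strengthen(:foo => :require).permit(:things => [:one, :two])
+)
+end
+
+test 'everything present is within permitted or is required' do
+assert_equal(
+@params,
+@params.strengthen(:foo => :require).permit(:things => [:one, :two]).permit(:something_else)
+)
+end
+
+test 'everything present is within permitted or is required, but something else is required' do
+assert_raises(ActionController::ParameterMissing) do
+!@params.strengthen(:foo => :require).permit(:things => [:one, :two]).strengthen(:something_else => :require)
+end
+end
+
+test 'require followed by permit on same object' do
+assert_equal(
+{'things' => @params['things']},
+@params.strengthen(:things => :require).permit(:things => [:one, :two])
+)
+end
+
+test 'working with child parameter' do
+assert_equal(
+@params['things'],
+@params['things'].permit(:one, :two)
+)
+end
+end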
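Review bot: Line 68 starts with a stray `!` in front of the `@params.strengthen(...)` chain; inside `assert_raises` the block's value is discarded, so the negation does nothing and only reads as a typo. Drop it: `@params.strengthen(:foo => :require).permit(:things => [:one, :two]).strengthen(:something_else => :require)`. Separately, the `assert_equal(@params, ...)` tests (lines 24-64) compare hash contents only, so none of them pins that the chained result is marked strengthened; one assertion such as `assert @params.permit(:foo).permit(:things => [:one, :two]).strengthened?` would cover that, since `strengthened?` is what the controller-side test in this release keys on.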
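--- a/data/test/gemfiles/Gemfile.rails-3.0.x.lock
+++ b/data/test/gemfiles/Gemfile.rails-3.0.x.lock
@@ -0,0 +1,62 @@
+PATH
+remote: /Users/mgrosser/code/tools/strong_parameters
+specs:
+strong_parameters (0.1.6.dev)
+actionpack (~> 3.0)
+activemodel (~> 3.0)
+railties (~> 3.0)
+
+GEM
+remote: http://rubygems.org/
+specs:
+abstract (1.0.0)
+actionpack (3.0.17)
+activemodel (= 3.0.17)
+activesupport (= 3.0.17)
+builder (~> 2.1.2)
+erubis (~> 2.6.6)
+i18n (~> 0.5.0)
+rack (~> 1.2.5)
+rack-mount (~> 0.6.14)
+rack-test (~> 0.5.7)
+tzinfo (~> 0.3.23)
+activemodel (3.0.17)
+activesupport (= 3.0.17)
+builder (~> 2.1.2)
+i18n (~> 0.5.0)
+activesupport (3.0.17)
+builder (2.1.2)
+erubis (2.6.6)
+abstract (>= 1.0.0)
+i18n (0.5.0)
+json (1.7.5)
+metaclass (0.0.1)
+mocha (0.12.7)
+metaclass (~> 0.0.1)
+rack (1.2.5)
+rack-mount (0.6.14)
+rack (>= 1.0.0)
+rack-test (0.5.7)
+rack (>= 1.0)
+railties (3.0.17)
+actionpack (= 3.0.17)
+activesupport (= 3.0.17)
+rake (>= 0.8.7)
+rdoc (~> 3.4)
+thor (~> 0.14.4)
+rake (10.0.1)
+rdoc (3.12)
+json (~> 1.4)
+thor (0.14.6)
+tzinfo (0.3.35)
+
+PLATFORMS
+ruby
+
+DEPENDENCIES
+actionpack (~> 3.0.0)
+activemodel (~> 3.0.0)
+mocha (~> 0.12.0)
+railties (~> 3.0.0)
+rake
+strong_parameters!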
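--- a/data/test/hash_from_test.rb
+++ b/data/test/hash_from_test.rb
@@ -0,0 +1,25 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+
+class HashFromTest < ActiveSupport::TestCase
+
+def setup
+@params = ActionController::Parameters.new
+@text = 'foo'
+end
+
+test "single level array to hash" do
+array = [:a, :b, :c]
+hash = {:a => @text, :b => @text, :c => @text}
+assert_equal(hash, @params.send(:hash_from, array, @text))
+end
+
+test 'multi-level array to hash' do
+array = [:a, {:b => [:c, :d]}, :e]
+hash = {:a => @text, :b => {:c => @text, :d => @text}, :e => @text}
+assert_equal(hash, @params.send(:hash_from, array, @text))
+end
+
+
+end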
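Review bot: Both tests (lines 12-22) cover non-empty arrays only; the empty-input boundary of `hash_from` is not pinned, although it is the shape a `permit` with no filters would hand it. One assertion closes that gap: `assert_equal({}, @params.send(:hash_from, [], @text))`. Reaching the method through `send` suggests it is private; if that is intended, a one-line comment on the `setup` saying the test deliberately exercises an internal helper would tell the next maintainer not to take the `send` as accidental.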
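--- a/data/test/multi_parameter_attributes_test.rb
+++ b/data/test/multi_parameter_attributes_test.rb
@@ -0,0 +1,39 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class MultiParameterAttributesTest < ActiveSupport::TestCase
+test "permitted multi-parameter attribute keys" do
+params = ActionController::Parameters.new({
+:book => {
+"shipped_at(1i)" => "2012",
+"shipped_at(2i)" => "3",
+"shipped_at(3i)" => "25",
+"shipped_at(4i)" => "10",
+"shipped_at(5i)" => "15",
+"published_at(1i)" => "1999",
+"published_at(2i)" => "2",
+"published_at(3i)" => "5",
+"price(1)" => "R$",
+"price(2f)" => "2.02"
+}
+})
+
+permitted = params.permit :book => [ :shipped_at, :price ]
+
+assert permitted.strengthened?, 'should be true permit calls stengthened'
+
+assert_equal "2012", permitted[:book]["shipped_at(1i)"]
+assert_equal "3", permitted[:book]["shipped_at(2i)"]
+assert_equal "25", permitted[:book]["shipped_at(3i)"]
+assert_equal "10", permitted[:book]["shipped_at(4i)"]
+assert_equal "15", permitted[:book]["shipped_at(5i)"]
+
+assert_equal "R$", permitted[:book]["price(1)"]
+assert_equal "2.02", permitted[:book]["price(2f)"]
+
+assert_nil permitted[:book]["published_at(1i)"]
+assert_nil permitted[:book]["published_at(2i)"]
+assert_nil permitted[:book]["published_at(3i)"]
+end
+end
+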
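Review bot: The failure message on line 23 is garbled (`'should be true permit calls stengthened'`, with "stengthened" misspelled and a word missing); the sibling test in nested_parameters_test.rb uses `'should be true as permit calls strengthen'`, so the same text here keeps the two consistent. The negative cases on lines 34-36 only try a different base name; nothing checks a key that merely starts with a permitted name, such as `"shipped_at_extra"` or `"shipped_at(1i)x"`. If the multi-parameter match is pattern-based (I cannot see the implementation from this hunk), one `assert_nil permitted[:book]["shipped_at(1i)x"]` would pin that the match is on the exact `name(Ni)` form and not on a prefix.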
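--- a/data/test/nested_parameters_test.rb
+++ b/data/test/nested_parameters_test.rb
@@ -0,0 +1,157 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class NestedParametersTest < ActiveSupport::TestCase
+test "permitted nested parameters" do
+params = ActionController::Parameters.new({
+:book => {
+:title => "Romeo and Juliet",
+:authors => [{
+:name => "William Shakespeare",
+:born => "1564-04-26"
+}, {
+:name => "Christopher Marlowe"
+}],
+:details => {
+:pages => 200,
+:genre => "Tragedy"
+}
+},
+:magazine => "Mjallo!"
+})
+
+permitted = params.permit :book => [ :title, { :authors => [ :name ] }, { :details => :pages } ]
+
+assert permitted.strengthened?, 'should be true as permit calls strengthen'
+
+assert_equal "Romeo and Juliet", permitted[:book][:title]
+assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+assert_equal 200, permitted[:book][:details][:pages]
+assert_nil permitted[:book][:details][:genre]
+assert_nil permitted[:book][:authors][1][:born]
+assert_nil permitted[:magazine]
+end
+
+test "permitted nested parameters with a string or a symbol as a key" do
+params = ActionController::Parameters.new({
+:book => {
+'authors' => [
+{ :name => "William Shakespeare", :born => "1564-04-26" },
+{ :name => "Christopher Marlowe" }
+]
+}
+})
+
+permitted = params.permit :book => [ { 'authors' => [ :name ] } ]
+
+assert_equal "William Shakespeare", permitted[:book]['authors'][0][:name]
+assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+assert_equal "Christopher Marlowe", permitted[:book]['authors'][1][:name]
+assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+
+permitted = params.permit :book => [ { :authors => [ :name ] } ]
+
+assert_equal "William Shakespeare", permitted[:book]['authors'][0][:name]
+assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+assert_equal "Christopher Marlowe", permitted[:book]['authors'][1][:name]
+assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+end
+
+test "nested arrays with strings" do
+params = ActionController::Parameters.new({
+:book => {
+:genres => ["Tragedy"]
+}
+})
+
+permitted = params.permit :book => :genres
+assert_equal ["Tragedy"], permitted[:book][:genres]
+end
+
+test "permit may specify symbols or strings" do
+params = ActionController::Parameters.new({
+:book => {
+:title => "Romeo and Juliet",
+:author => "William Shakespeare"
+},
+:magazine => "Shakespeare Today"
+})
+
+permitted = params.permit({ :book => ["title", :author] }, "magazine")
+assert_equal "Romeo and Juliet", permitted[:book][:title]
+assert_equal "William Shakespeare", permitted[:book][:author]
+assert_equal "Shakespeare Today", permitted[:magazine]
+end
+
+test "nested array with strings that should be hashes" do
+params = ActionController::Parameters.new({
+:book => {
+:genres => ["Tragedy"]
+}
+})
+
+permitted = params.permit :book => { :genres => :type }
+assert_equal [], permitted[:book][:genres]
+end
+
+test "nested array with strings that should be hashes and additional values" do
+params = ActionController::Parameters.new({
+:book => {
+:title => "Romeo and Juliet",
+:genres => ["Tragedy"]
+}
+})
+
+permitted = params.permit :book => [ :title, { :genres => :type } ]
+assert_equal "Romeo and Juliet", permitted[:book][:title]
+assert permitted[:book][:genres].empty?
+end
+
+test "nested string that should be a hash" do
+params = ActionController::Parameters.new({
+:book => {
+:genre => "Tragedy"
+}
+})
+
+permitted = params.permit :book => { :genre => :type }
+assert_nil permitted[:book][:genre]
+end
+
+test "fields_for_style_nested_params" do
+params = ActionController::Parameters.new({
+:book => {
+:authors_attributes => {
+:'0' => { :name => 'William Shakespeare', :age_of_death => '52' },
+:'1' => { :name => 'Unattributed Assistant' }
+}
+}
+})
+permitted = params.permit :book => { :authors_attributes => [ :name ] }
+
+assert_not_nil permitted[:book][:authors_attributes]['0']
+assert_not_nil permitted[:book][:authors_attributes]['1']
+assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
+assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
+assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+end
+
+test "fields_for_style_nested_params with negative numbers" do
+params = ActionController::Parameters.new({
+:book => {
+:authors_attributes => {
+:'-1' => { :name => 'William Shakespeare', :age_of_death => '52' },
+:'-2' => { :name => 'Unattributed Assistant' }
+}
+}
+})
+permitted = params.permit :book => { :authors_attributes => [:name] }
+
+assert_not_nil permitted[:book][:authors_attributes]['-1']
+assert_not_nil permitted[:book][:authors_attributes]['-2']
+assert_nil permitted[:book][:authors_attributes]['-1'][:age_of_death]
+assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+end
+end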
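Review bot: Lines 95 and 108 assert the same outcome (a scalar array filtered by a hash spec comes back empty) in two different forms, `assert_equal [], permitted[:book][:genres]` versus `assert permitted[:book][:genres].empty?`; the `assert_equal` form also reports the leaked value on failure, so line 108 should read `assert_equal [], permitted[:book][:genres]`. The two fields_for-style tests (lines 122-156) only feed numeric index keys to `authors_attributes`, and nothing pins what happens to a non-numeric key at that level; whether such a key is kept or dropped is an allow-list decision the reader cannot infer from this hunk, so one test with a key like `:'abc'` alongside `:'0'` asserting the intended result would document it. The `strengthened?` flag is asserted only in the first test (line 25), which is fine if the flag is set uniformly by `permit`, but worth a comment there so that the single assertion is understood as deliberate.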