remembering_strong_parameters 0.0.1

data/test/action_controller_tainted_params_test.rb

@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class PeopleController < ActionController::Base
+  def create
+    render :text => params[:person].strengthened? ? "untainted" : "tainted"
+  end
+
+  def create_with_permit
+    render :text => params[:person].permit(:name).strengthened? ? "untainted" : "tainted"
+  end
+end
+
+class ActionControllerTaintedParamsTest < ActionController::TestCase
+  tests PeopleController
+
+  test "parameters are tainted" do
+    post :create, { :person => { :name => "Mjallo!" } }
+    assert_equal "tainted", response.body
+  end
+
+  test "parameters can be permitted and are then not tainted" do
+    post :create_with_permit, { :person => { :name => "Mjallo!" } }
+    assert_equal "untainted", response.body
+  end
+end

data/test/active_model_mass_assignment_taint_protection_test.rb

@@ -0,0 +1,43 @@
+require 'test_helper'
+
+class Person
+  include ActiveModel::MassAssignmentSecurity
+  include ActiveModel::ForbiddenAttributesProtection
+
+  public :sanitize_for_mass_assignment
+end
+
+class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
+  test "forbidden attributes cannot be used for mass updating" do
+    assert_raises(ActionController::ParameterMissing) do
+      Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b").require(:c))
+    end
+  end
+  
+  test "forbidden attributes not passed on for mass updating when there are some matches" do
+    assert_equal(
+      {'c' => 'd'},
+      Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b", :c => 'd').permit(:c))
+    )
+  end
+  
+  test "attributes cannot be used for mass updating when nothing permitted" do
+    assert_raises(ActiveModel::ForbiddenAttributes) do
+      Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b"))
+    end
+  end
+
+  test "permitted attributes can be used for mass updating" do
+    assert_nothing_raised do
+      assert_equal({ "a" => "b" },
+        Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b").permit(:a)))
+    end
+  end
+
+  test "regular attributes should still be allowed" do
+    assert_nothing_raised do
+      assert_equal({ :a => "b" },
+        Person.new.sanitize_for_mass_assignment(:a => "b"))
+    end
+  end
+end

data/test/chained_require_and_permit_test.rb

@@ -0,0 +1,85 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class ChainedRequireAndPermitTest < ActiveSupport::TestCase
+  def setup
+    @params = ActionController::Parameters.new(
+      {
+        :things => {
+          :one => 1,
+          :two => 2
+        }, 
+          
+        :foo => :bar
+      }
+    )
+  end
+  
+  test "required with one present and one missing" do   
+    assert_raises(ActionController::ParameterMissing) do
+      @params.strengthen(:foo => :require).strengthen(:something_else => :require)
+    end
+  end
+  
+  test "required is present" do
+    assert_equal(
+      @params,
+      @params.strengthen(:foo => :require).strengthen(:things => [:one => :require, :two => :require])
+    )
+  end
+  
+  test "part of param not within permitted" do
+    assert_equal(
+      {'foo' => :bar},
+      @params.permit(:foo).permit(:something_else)
+    )
+  end
+  
+  test 'when everything present is permitted' do   
+    assert_equal(
+      @params,
+      @params.permit(:foo).permit(:things => [:one, :two])
+    )
+  end
+  
+  test 'everything present is within permitted' do
+    assert_equal(
+      @params,
+        @params.permit(:foo).permit(:things => [:one, :two]).permit(:something_else)
+      )
+  end
+  
+  test "everything present is permitted or required" do
+    assert_equal(
+      @params,
+      @params.strengthen(:foo => :require).permit(:things => [:one, :two])
+    )
+  end
+  
+  test 'everything present is within permitted or is required' do
+    assert_equal(
+      @params,
+      @params.strengthen(:foo => :require).permit(:things => [:one, :two]).permit(:something_else)
+    )
+  end
+    
+  test 'everything present is within permitted or is required, but something else is required' do
+    assert_raises(ActionController::ParameterMissing) do
+      !@params.strengthen(:foo => :require).permit(:things => [:one, :two]).strengthen(:something_else => :require)
+    end
+  end
+  
+  test 'require followed by permit on same object' do
+    assert_equal(
+      {'things' => @params['things']},
+      @params.strengthen(:things => :require).permit(:things => [:one, :two])
+    )
+  end
+  
+  test 'working with child parameter'  do
+    assert_equal(
+      @params['things'],
+      @params['things'].permit(:one, :two)
+    )
+  end
+end

data/test/gemfiles/Gemfile.rails-3.0.x

@@ -0,0 +1,6 @@
+source :rubygems
+gemspec :path => "./../.."
+
+gem "actionpack", "~> 3.0.0"
+gem "railties", "~> 3.0.0"
+gem "activemodel", "~> 3.0.0"

data/test/gemfiles/Gemfile.rails-3.0.x.lock

@@ -0,0 +1,62 @@
+PATH
+  remote: /Users/mgrosser/code/tools/strong_parameters
+  specs:
+    strong_parameters (0.1.6.dev)
+      actionpack (~> 3.0)
+      activemodel (~> 3.0)
+      railties (~> 3.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    abstract (1.0.0)
+    actionpack (3.0.17)
+      activemodel (= 3.0.17)
+      activesupport (= 3.0.17)
+      builder (~> 2.1.2)
+      erubis (~> 2.6.6)
+      i18n (~> 0.5.0)
+      rack (~> 1.2.5)
+      rack-mount (~> 0.6.14)
+      rack-test (~> 0.5.7)
+      tzinfo (~> 0.3.23)
+    activemodel (3.0.17)
+      activesupport (= 3.0.17)
+      builder (~> 2.1.2)
+      i18n (~> 0.5.0)
+    activesupport (3.0.17)
+    builder (2.1.2)
+    erubis (2.6.6)
+      abstract (>= 1.0.0)
+    i18n (0.5.0)
+    json (1.7.5)
+    metaclass (0.0.1)
+    mocha (0.12.7)
+      metaclass (~> 0.0.1)
+    rack (1.2.5)
+    rack-mount (0.6.14)
+      rack (>= 1.0.0)
+    rack-test (0.5.7)
+      rack (>= 1.0)
+    railties (3.0.17)
+      actionpack (= 3.0.17)
+      activesupport (= 3.0.17)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (~> 0.14.4)
+    rake (10.0.1)
+    rdoc (3.12)
+      json (~> 1.4)
+    thor (0.14.6)
+    tzinfo (0.3.35)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  actionpack (~> 3.0.0)
+  activemodel (~> 3.0.0)
+  mocha (~> 0.12.0)
+  railties (~> 3.0.0)
+  rake
+  strong_parameters!

data/test/gemfiles/Gemfile.rails-3.1.x

@@ -0,0 +1,6 @@
+source :rubygems
+gemspec :path => "./../.."
+
+gem "actionpack", "~> 3.1.0"
+gem "railties", "~> 3.1.0"
+gem "activemodel", "~> 3.1.0"

data/test/gemfiles/Gemfile.rails-3.2.x

@@ -0,0 +1,6 @@
+source :rubygems
+gemspec :path => "./../.."
+
+gem "actionpack", "~> 3.2.0"
+gem "railties", "~> 3.2.0"
+gem "activemodel", "~> 3.2.0"

data/test/hash_from_test.rb

@@ -0,0 +1,25 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+
+class HashFromTest < ActiveSupport::TestCase
+  
+  def setup
+    @params = ActionController::Parameters.new
+    @text = 'foo'
+  end
+  
+  test "single level array to hash" do
+    array = [:a, :b, :c]
+    hash = {:a => @text, :b => @text, :c => @text}
+    assert_equal(hash, @params.send(:hash_from, array, @text))
+  end
+  
+  test 'multi-level array to hash' do
+    array = [:a, {:b => [:c, :d]}, :e]
+    hash = {:a => @text, :b => {:c => @text, :d => @text}, :e => @text}
+    assert_equal(hash, @params.send(:hash_from, array, @text))
+  end
+  
+  
+end

data/test/multi_parameter_attributes_test.rb

@@ -0,0 +1,39 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class MultiParameterAttributesTest < ActiveSupport::TestCase
+  test "permitted multi-parameter attribute keys" do
+    params = ActionController::Parameters.new({
+      :book => {
+        "shipped_at(1i)"   => "2012",
+        "shipped_at(2i)"   => "3",
+        "shipped_at(3i)"   => "25",
+        "shipped_at(4i)"   => "10",
+        "shipped_at(5i)"   => "15",
+        "published_at(1i)" => "1999",
+        "published_at(2i)" => "2",
+        "published_at(3i)" => "5",
+        "price(1)"         => "R$",
+        "price(2f)"        => "2.02"
+      }
+    })
+
+    permitted = params.permit :book => [ :shipped_at, :price ]
+
+    assert permitted.strengthened?, 'should be true permit calls stengthened'
+
+    assert_equal "2012", permitted[:book]["shipped_at(1i)"]
+    assert_equal "3", permitted[:book]["shipped_at(2i)"]
+    assert_equal "25", permitted[:book]["shipped_at(3i)"]
+    assert_equal "10", permitted[:book]["shipped_at(4i)"]
+    assert_equal "15", permitted[:book]["shipped_at(5i)"]
+
+    assert_equal "R$", permitted[:book]["price(1)"]
+    assert_equal "2.02", permitted[:book]["price(2f)"]
+
+    assert_nil permitted[:book]["published_at(1i)"]
+    assert_nil permitted[:book]["published_at(2i)"]
+    assert_nil permitted[:book]["published_at(3i)"]
+  end
+end
+

data/test/nested_parameters_test.rb

@@ -0,0 +1,157 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class NestedParametersTest < ActiveSupport::TestCase
+  test "permitted nested parameters" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :authors => [{
+          :name => "William Shakespeare",
+          :born => "1564-04-26"
+        }, {
+          :name => "Christopher Marlowe"
+        }],
+        :details => {
+          :pages => 200,
+          :genre => "Tragedy"
+        }
+      },
+      :magazine => "Mjallo!"
+    })
+
+    permitted = params.permit :book => [ :title, { :authors => [ :name ] }, { :details => :pages } ]
+
+    assert permitted.strengthened?, 'should be true as permit calls strengthen'
+    
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+    assert_equal 200, permitted[:book][:details][:pages]
+    assert_nil permitted[:book][:details][:genre]
+    assert_nil permitted[:book][:authors][1][:born]
+    assert_nil permitted[:magazine]
+  end
+
+  test "permitted nested parameters with a string or a symbol as a key" do
+    params = ActionController::Parameters.new({
+      :book => {
+        'authors' => [
+          { :name => "William Shakespeare", :born => "1564-04-26" },
+          { :name => "Christopher Marlowe" }
+        ]
+      }
+    })
+
+    permitted = params.permit :book => [ { 'authors' => [ :name ] } ]
+
+    assert_equal "William Shakespeare", permitted[:book]['authors'][0][:name]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book]['authors'][1][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+
+    permitted = params.permit :book => [ { :authors => [ :name ] } ]
+
+    assert_equal "William Shakespeare", permitted[:book]['authors'][0][:name]
+    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
+    assert_equal "Christopher Marlowe", permitted[:book]['authors'][1][:name]
+    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
+  end
+
+  test "nested arrays with strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => :genres
+    assert_equal ["Tragedy"], permitted[:book][:genres]
+  end
+
+  test "permit may specify symbols or strings" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :author => "William Shakespeare"
+      },
+      :magazine => "Shakespeare Today"
+    })
+
+    permitted = params.permit({ :book => ["title", :author] }, "magazine")
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert_equal "William Shakespeare", permitted[:book][:author]
+    assert_equal "Shakespeare Today", permitted[:magazine]
+  end
+
+  test "nested array with strings that should be hashes" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => { :genres => :type }
+    assert_equal [], permitted[:book][:genres]
+  end
+
+  test "nested array with strings that should be hashes and additional values" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :title => "Romeo and Juliet",
+        :genres => ["Tragedy"]
+      }
+    })
+
+    permitted = params.permit :book => [ :title, { :genres => :type } ]
+    assert_equal "Romeo and Juliet", permitted[:book][:title]
+    assert permitted[:book][:genres].empty?
+  end
+
+  test "nested string that should be a hash" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :genre => "Tragedy"
+      }
+    })
+
+    permitted = params.permit :book => { :genre => :type }
+    assert_nil permitted[:book][:genre]
+  end
+
+  test "fields_for_style_nested_params" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :authors_attributes => {
+          :'0' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'1' => { :name => 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit :book => { :authors_attributes => [ :name ] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['0']
+    assert_not_nil permitted[:book][:authors_attributes]['1']
+    assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
+  end
+
+  test "fields_for_style_nested_params with negative numbers" do
+    params = ActionController::Parameters.new({
+      :book => {
+        :authors_attributes => {
+          :'-1' => { :name => 'William Shakespeare', :age_of_death => '52' },
+          :'-2' => { :name => 'Unattributed Assistant' }
+        }
+      }
+    })
+    permitted = params.permit :book => { :authors_attributes => [:name] }
+
+    assert_not_nil permitted[:book][:authors_attributes]['-1']
+    assert_not_nil permitted[:book][:authors_attributes]['-2']
+    assert_nil permitted[:book][:authors_attributes]['-1'][:age_of_death]
+    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
+    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
+  end
+end