remembering_strong_parameters 0.0.1

@@ -0,0 +1,25 @@
1
+ require 'test_helper'
2
+
3
+ class PeopleController < ActionController::Base
4
+ def create
5
+ render :text => params[:person].strengthened? ? "untainted" : "tainted"
6
+ end
7
+
8
+ def create_with_permit
9
+ render :text => params[:person].permit(:name).strengthened? ? "untainted" : "tainted"
10
+ end
11
+ end
12
+
13
+ class ActionControllerTaintedParamsTest < ActionController::TestCase
14
+ tests PeopleController
15
+
16
+ test "parameters are tainted" do
17
+ post :create, { :person => { :name => "Mjallo!" } }
18
+ assert_equal "tainted", response.body
19
+ end
20
+
21
+ test "parameters can be permitted and are then not tainted" do
22
+ post :create_with_permit, { :person => { :name => "Mjallo!" } }
23
+ assert_equal "untainted", response.body
24
+ end
25
+ end
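Review bot: The `create_with_permit` test checks only the `strengthened?` flag, so nothing in this file shows that a key outside `permit(:name)` is actually dropped on the controller path. A request with an extra key (constructed example: `post :create_with_permit, { :person => { :name => "Mjallo!", :admin => true } }`), against an action that renders the permitted keys, would pin the filtering as well as the flag. The test names and response bodies say "tainted"/"untainted" while the predicate is `strengthened?`. A comment on `PeopleController` such as `# "tainted" here means: not yet passed through permit/strengthen` would keep readers from confusing this with Ruby's object tainting.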
@@ -0,0 +1,43 @@
1
+ require 'test_helper'
2
+
3
+ class Person
4
+ include ActiveModel::MassAssignmentSecurity
5
+ include ActiveModel::ForbiddenAttributesProtection
6
+
7
+ public :sanitize_for_mass_assignment
8
+ end
9
+
10
+ class ActiveModelMassUpdateProtectionTest < ActiveSupport::TestCase
11
+ test "forbidden attributes cannot be used for mass updating" do
12
+ assert_raises(ActionController::ParameterMissing) do
13
+ Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b").require(:c))
14
+ end
15
+ end
16
+
17
+ test "forbidden attributes not passed on for mass updating when there are some matches" do
18
+ assert_equal(
19
+ {'c' => 'd'},
20
+ Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b", :c => 'd').permit(:c))
21
+ )
22
+ end
23
+
24
+ test "attributes cannot be used for mass updating when nothing permitted" do
25
+ assert_raises(ActiveModel::ForbiddenAttributes) do
26
+ Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b"))
27
+ end
28
+ end
29
+
30
+ test "permitted attributes can be used for mass updating" do
31
+ assert_nothing_raised do
32
+ assert_equal({ "a" => "b" },
33
+ Person.new.sanitize_for_mass_assignment(ActionController::Parameters.new(:a => "b").permit(:a)))
34
+ end
35
+ end
36
+
37
+ test "regular attributes should still be allowed" do
38
+ assert_nothing_raised do
39
+ assert_equal({ :a => "b" },
40
+ Person.new.sanitize_for_mass_assignment(:a => "b"))
41
+ end
42
+ end
43
+ end
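Review bot: The first test, "forbidden attributes cannot be used for mass updating", never reaches `sanitize_for_mass_assignment`. `require(:c)` raises `ParameterMissing` while the argument is still being evaluated, so the model-side protection is not exercised and the test name overstates what is covered. Either rename it, or call `require` on its own: `assert_raises(ActionController::ParameterMissing) { ActionController::Parameters.new(:a => "b").require(:c) }`. The last test shows a plain Hash passing through unchecked. A comment there such as `# only ActionController::Parameters are checked; plain Hashes bypass ForbiddenAttributesProtection` would make that trust boundary explicit.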
@@ -0,0 +1,85 @@
1
+ require 'test_helper'
2
+ require 'action_controller/parameters'
3
+
4
+ class ChainedRequireAndPermitTest < ActiveSupport::TestCase
5
+ def setup
6
+ @params = ActionController::Parameters.new(
7
+ {
8
+ :things => {
9
+ :one => 1,
10
+ :two => 2
11
+ },
12
+
13
+ :foo => :bar
14
+ }
15
+ )
16
+ end
17
+
18
+ test "required with one present and one missing" do
19
+ assert_raises(ActionController::ParameterMissing) do
20
+ @params.strengthen(:foo => :require).strengthen(:something_else => :require)
21
+ end
22
+ end
23
+
24
+ test "required is present" do
25
+ assert_equal(
26
+ @params,
27
+ @params.strengthen(:foo => :require).strengthen(:things => [:one => :require, :two => :require])
28
+ )
29
+ end
30
+
31
+ test "part of param not within permitted" do
32
+ assert_equal(
33
+ {'foo' => :bar},
34
+ @params.permit(:foo).permit(:something_else)
35
+ )
36
+ end
37
+
38
+ test 'when everything present is permitted' do
39
+ assert_equal(
40
+ @params,
41
+ @params.permit(:foo).permit(:things => [:one, :two])
42
+ )
43
+ end
44
+
45
+ test 'everything present is within permitted' do
46
+ assert_equal(
47
+ @params,
48
+ @params.permit(:foo).permit(:things => [:one, :two]).permit(:something_else)
49
+ )
50
+ end
51
+
52
+ test "everything present is permitted or required" do
53
+ assert_equal(
54
+ @params,
55
+ @params.strengthen(:foo => :require).permit(:things => [:one, :two])
56
+ )
57
+ end
58
+
59
+ test 'everything present is within permitted or is required' do
60
+ assert_equal(
61
+ @params,
62
+ @params.strengthen(:foo => :require).permit(:things => [:one, :two]).permit(:something_else)
63
+ )
64
+ end
65
+
66
+ test 'everything present is within permitted or is required, but something else is required' do
67
+ assert_raises(ActionController::ParameterMissing) do
68
+ !@params.strengthen(:foo => :require).permit(:things => [:one, :two]).strengthen(:something_else => :require)
69
+ end
70
+ end
71
+
72
+ test 'require followed by permit on same object' do
73
+ assert_equal(
74
+ {'things' => @params['things']},
75
+ @params.strengthen(:things => :require).permit(:things => [:one, :two])
76
+ )
77
+ end
78
+
79
+ test 'working with child parameter' do
80
+ assert_equal(
81
+ @params['things'],
82
+ @params['things'].permit(:one, :two)
83
+ )
84
+ end
85
+ end
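Review bot: Several assertions compare the result against `@params` itself, for example in 'when everything present is permitted' and 'everything present is permitted or required'. These would pass trivially if `permit`/`strengthen` return the receiver or filter it in place, which the visible lines do not rule out. Comparing against a literal, as 'part of param not within permitted' does with `{'foo' => :bar}`, would pin the filtered content, e.g. `{'things' => {'one' => 1, 'two' => 2}, 'foo' => :bar}`. Separately, the leading `!` in `!@params.strengthen(:foo => :require)...` inside the last `assert_raises` block has no effect on the assertion and reads like a typo; drop it.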
@@ -0,0 +1,6 @@
1
+ source :rubygems
2
+ gemspec :path => "./../.."
3
+
4
+ gem "actionpack", "~> 3.0.0"
5
+ gem "railties", "~> 3.0.0"
6
+ gem "activemodel", "~> 3.0.0"
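Review bot: `source :rubygems` on the first line of this Gemfile is the deprecated symbol form, and the lockfile in the following hunk records it as `remote: http://rubygems.org/`, so gems for this test matrix resolve over plain HTTP with no transport integrity. Use `source "https://rubygems.org"` instead. The same line appears in the two later Gemfile hunks (the `~> 3.1.0` and `~> 3.2.0` variants). The lockfile also carries a developer-local `PATH` remote (`/Users/mgrosser/...`) and names `strong_parameters (0.1.6.dev)`, so it looks stale for this package and should be regenerated rather than shipped.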
@@ -0,0 +1,62 @@
1
+ PATH
2
+ remote: /Users/mgrosser/code/tools/strong_parameters
3
+ specs:
4
+ strong_parameters (0.1.6.dev)
5
+ actionpack (~> 3.0)
6
+ activemodel (~> 3.0)
7
+ railties (~> 3.0)
8
+
9
+ GEM
10
+ remote: http://rubygems.org/
11
+ specs:
12
+ abstract (1.0.0)
13
+ actionpack (3.0.17)
14
+ activemodel (= 3.0.17)
15
+ activesupport (= 3.0.17)
16
+ builder (~> 2.1.2)
17
+ erubis (~> 2.6.6)
18
+ i18n (~> 0.5.0)
19
+ rack (~> 1.2.5)
20
+ rack-mount (~> 0.6.14)
21
+ rack-test (~> 0.5.7)
22
+ tzinfo (~> 0.3.23)
23
+ activemodel (3.0.17)
24
+ activesupport (= 3.0.17)
25
+ builder (~> 2.1.2)
26
+ i18n (~> 0.5.0)
27
+ activesupport (3.0.17)
28
+ builder (2.1.2)
29
+ erubis (2.6.6)
30
+ abstract (>= 1.0.0)
31
+ i18n (0.5.0)
32
+ json (1.7.5)
33
+ metaclass (0.0.1)
34
+ mocha (0.12.7)
35
+ metaclass (~> 0.0.1)
36
+ rack (1.2.5)
37
+ rack-mount (0.6.14)
38
+ rack (>= 1.0.0)
39
+ rack-test (0.5.7)
40
+ rack (>= 1.0)
41
+ railties (3.0.17)
42
+ actionpack (= 3.0.17)
43
+ activesupport (= 3.0.17)
44
+ rake (>= 0.8.7)
45
+ rdoc (~> 3.4)
46
+ thor (~> 0.14.4)
47
+ rake (10.0.1)
48
+ rdoc (3.12)
49
+ json (~> 1.4)
50
+ thor (0.14.6)
51
+ tzinfo (0.3.35)
52
+
53
+ PLATFORMS
54
+ ruby
55
+
56
+ DEPENDENCIES
57
+ actionpack (~> 3.0.0)
58
+ activemodel (~> 3.0.0)
59
+ mocha (~> 0.12.0)
60
+ railties (~> 3.0.0)
61
+ rake
62
+ strong_parameters!
@@ -0,0 +1,6 @@
1
+ source :rubygems
2
+ gemspec :path => "./../.."
3
+
4
+ gem "actionpack", "~> 3.1.0"
5
+ gem "railties", "~> 3.1.0"
6
+ gem "activemodel", "~> 3.1.0"
@@ -0,0 +1,6 @@
1
+ source :rubygems
2
+ gemspec :path => "./../.."
3
+
4
+ gem "actionpack", "~> 3.2.0"
5
+ gem "railties", "~> 3.2.0"
6
+ gem "activemodel", "~> 3.2.0"
@@ -0,0 +1,25 @@
1
+ require 'test_helper'
2
+ require 'action_controller/parameters'
3
+
4
+
5
+ class HashFromTest < ActiveSupport::TestCase
6
+
7
+ def setup
8
+ @params = ActionController::Parameters.new
9
+ @text = 'foo'
10
+ end
11
+
12
+ test "single level array to hash" do
13
+ array = [:a, :b, :c]
14
+ hash = {:a => @text, :b => @text, :c => @text}
15
+ assert_equal(hash, @params.send(:hash_from, array, @text))
16
+ end
17
+
18
+ test 'multi-level array to hash' do
19
+ array = [:a, {:b => [:c, :d]}, :e]
20
+ hash = {:a => @text, :b => {:c => @text, :d => @text}, :e => @text}
21
+ assert_equal(hash, @params.send(:hash_from, array, @text))
22
+ end
23
+
24
+
25
+ end
@@ -0,0 +1,39 @@
1
+ require 'test_helper'
2
+ require 'action_controller/parameters'
3
+
4
+ class MultiParameterAttributesTest < ActiveSupport::TestCase
5
+ test "permitted multi-parameter attribute keys" do
6
+ params = ActionController::Parameters.new({
7
+ :book => {
8
+ "shipped_at(1i)" => "2012",
9
+ "shipped_at(2i)" => "3",
10
+ "shipped_at(3i)" => "25",
11
+ "shipped_at(4i)" => "10",
12
+ "shipped_at(5i)" => "15",
13
+ "published_at(1i)" => "1999",
14
+ "published_at(2i)" => "2",
15
+ "published_at(3i)" => "5",
16
+ "price(1)" => "R$",
17
+ "price(2f)" => "2.02"
18
+ }
19
+ })
20
+
21
+ permitted = params.permit :book => [ :shipped_at, :price ]
22
+
23
+ assert permitted.strengthened?, 'should be true permit calls stengthened'
24
+
25
+ assert_equal "2012", permitted[:book]["shipped_at(1i)"]
26
+ assert_equal "3", permitted[:book]["shipped_at(2i)"]
27
+ assert_equal "25", permitted[:book]["shipped_at(3i)"]
28
+ assert_equal "10", permitted[:book]["shipped_at(4i)"]
29
+ assert_equal "15", permitted[:book]["shipped_at(5i)"]
30
+
31
+ assert_equal "R$", permitted[:book]["price(1)"]
32
+ assert_equal "2.02", permitted[:book]["price(2f)"]
33
+
34
+ assert_nil permitted[:book]["published_at(1i)"]
35
+ assert_nil permitted[:book]["published_at(2i)"]
36
+ assert_nil permitted[:book]["published_at(3i)"]
37
+ end
38
+ end
39
+
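Review bot: The fixture has no key that merely shares a prefix with a permitted name, so a loosely anchored multi-parameter match would go unnoticed by this test. Adding a constructed lookalike such as `"shipped_at_internal(1i)" => "1"` to the `:book` hash, with `assert_nil permitted[:book]["shipped_at_internal(1i)"]`, would pin that only exact `name(Ni)` keys are let through. The assertion message `'should be true permit calls stengthened'` has a typo and differs from the wording of the same check in the nested-parameters test; `'should be true as permit calls strengthen'` would match it.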
@@ -0,0 +1,157 @@
1
+ require 'test_helper'
2
+ require 'action_controller/parameters'
3
+
4
+ class NestedParametersTest < ActiveSupport::TestCase
5
+ test "permitted nested parameters" do
6
+ params = ActionController::Parameters.new({
7
+ :book => {
8
+ :title => "Romeo and Juliet",
9
+ :authors => [{
10
+ :name => "William Shakespeare",
11
+ :born => "1564-04-26"
12
+ }, {
13
+ :name => "Christopher Marlowe"
14
+ }],
15
+ :details => {
16
+ :pages => 200,
17
+ :genre => "Tragedy"
18
+ }
19
+ },
20
+ :magazine => "Mjallo!"
21
+ })
22
+
23
+ permitted = params.permit :book => [ :title, { :authors => [ :name ] }, { :details => :pages } ]
24
+
25
+ assert permitted.strengthened?, 'should be true as permit calls strengthen'
26
+
27
+ assert_equal "Romeo and Juliet", permitted[:book][:title]
28
+ assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
29
+ assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
30
+ assert_equal 200, permitted[:book][:details][:pages]
31
+ assert_nil permitted[:book][:details][:genre]
32
+ assert_nil permitted[:book][:authors][1][:born]
33
+ assert_nil permitted[:magazine]
34
+ end
35
+
36
+ test "permitted nested parameters with a string or a symbol as a key" do
37
+ params = ActionController::Parameters.new({
38
+ :book => {
39
+ 'authors' => [
40
+ { :name => "William Shakespeare", :born => "1564-04-26" },
41
+ { :name => "Christopher Marlowe" }
42
+ ]
43
+ }
44
+ })
45
+
46
+ permitted = params.permit :book => [ { 'authors' => [ :name ] } ]
47
+
48
+ assert_equal "William Shakespeare", permitted[:book]['authors'][0][:name]
49
+ assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
50
+ assert_equal "Christopher Marlowe", permitted[:book]['authors'][1][:name]
51
+ assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
52
+
53
+ permitted = params.permit :book => [ { :authors => [ :name ] } ]
54
+
55
+ assert_equal "William Shakespeare", permitted[:book]['authors'][0][:name]
56
+ assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
57
+ assert_equal "Christopher Marlowe", permitted[:book]['authors'][1][:name]
58
+ assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
59
+ end
60
+
61
+ test "nested arrays with strings" do
62
+ params = ActionController::Parameters.new({
63
+ :book => {
64
+ :genres => ["Tragedy"]
65
+ }
66
+ })
67
+
68
+ permitted = params.permit :book => :genres
69
+ assert_equal ["Tragedy"], permitted[:book][:genres]
70
+ end
71
+
72
+ test "permit may specify symbols or strings" do
73
+ params = ActionController::Parameters.new({
74
+ :book => {
75
+ :title => "Romeo and Juliet",
76
+ :author => "William Shakespeare"
77
+ },
78
+ :magazine => "Shakespeare Today"
79
+ })
80
+
81
+ permitted = params.permit({ :book => ["title", :author] }, "magazine")
82
+ assert_equal "Romeo and Juliet", permitted[:book][:title]
83
+ assert_equal "William Shakespeare", permitted[:book][:author]
84
+ assert_equal "Shakespeare Today", permitted[:magazine]
85
+ end
86
+
87
+ test "nested array with strings that should be hashes" do
88
+ params = ActionController::Parameters.new({
89
+ :book => {
90
+ :genres => ["Tragedy"]
91
+ }
92
+ })
93
+
94
+ permitted = params.permit :book => { :genres => :type }
95
+ assert_equal [], permitted[:book][:genres]
96
+ end
97
+
98
+ test "nested array with strings that should be hashes and additional values" do
99
+ params = ActionController::Parameters.new({
100
+ :book => {
101
+ :title => "Romeo and Juliet",
102
+ :genres => ["Tragedy"]
103
+ }
104
+ })
105
+
106
+ permitted = params.permit :book => [ :title, { :genres => :type } ]
107
+ assert_equal "Romeo and Juliet", permitted[:book][:title]
108
+ assert permitted[:book][:genres].empty?
109
+ end
110
+
111
+ test "nested string that should be a hash" do
112
+ params = ActionController::Parameters.new({
113
+ :book => {
114
+ :genre => "Tragedy"
115
+ }
116
+ })
117
+
118
+ permitted = params.permit :book => { :genre => :type }
119
+ assert_nil permitted[:book][:genre]
120
+ end
121
+
122
+ test "fields_for_style_nested_params" do
123
+ params = ActionController::Parameters.new({
124
+ :book => {
125
+ :authors_attributes => {
126
+ :'0' => { :name => 'William Shakespeare', :age_of_death => '52' },
127
+ :'1' => { :name => 'Unattributed Assistant' }
128
+ }
129
+ }
130
+ })
131
+ permitted = params.permit :book => { :authors_attributes => [ :name ] }
132
+
133
+ assert_not_nil permitted[:book][:authors_attributes]['0']
134
+ assert_not_nil permitted[:book][:authors_attributes]['1']
135
+ assert_nil permitted[:book][:authors_attributes]['0'][:age_of_death]
136
+ assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
137
+ assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]
138
+ end
139
+
140
+ test "fields_for_style_nested_params with negative numbers" do
141
+ params = ActionController::Parameters.new({
142
+ :book => {
143
+ :authors_attributes => {
144
+ :'-1' => { :name => 'William Shakespeare', :age_of_death => '52' },
145
+ :'-2' => { :name => 'Unattributed Assistant' }
146
+ }
147
+ }
148
+ })
149
+ permitted = params.permit :book => { :authors_attributes => [:name] }
150
+
151
+ assert_not_nil permitted[:book][:authors_attributes]['-1']
152
+ assert_not_nil permitted[:book][:authors_attributes]['-2']
153
+ assert_nil permitted[:book][:authors_attributes]['-1'][:age_of_death]
154
+ assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
155
+ assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]
156
+ end
157
+ end
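Review bot: Both `fields_for_style_nested_params` tests use only numeric keys (`'0'`, `'1'`, `'-1'`, `'-2'`) under `:authors_attributes`, so there is no negative case showing what happens when a non-numeric key sits beside them. A constructed case such as adding `:admin => { :name => 'x' }` to `authors_attributes` and asserting `assert_nil permitted[:book][:authors_attributes]['admin']` would document whether the index-style relaxation is limited to integer-like keys. If the intended behaviour is different (e.g. the whole hash is then treated as a single record), a comment above the test stating that would serve the same purpose.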