strong_parameters_rails2 0.1.8 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fd5272c0c03e02872c20fc1cdc9ace4ebfc58ae6
-  data.tar.gz: 0e6280e42d1e44fd4902c75902b42faff5122494
+  metadata.gz: 390a52fd9ace0f224c4e6df6db5ef48cccaa157c
+  data.tar.gz: c1b919a40b5e92922699834207bffeb7e2c0881b
 SHA512:
-  metadata.gz: e23bf9ca80ab8720864f419b3b1cabf1eaf32219a537a08bf905123e069232f53ffcf8e4982213c199272d1c9576a1ee40a72cc2000fc2bef393034eeb903c93
-  data.tar.gz: 3d13d013011ed84ed5d3c936194f2a0a747261a4568a2b6c36262a08cf859340da7b21d8fc8722c140d0d9eb430d7756759dab47a6b00da2a312f1ba8491c7de
+  metadata.gz: b239417d4f5c9d0b3d3ca59549304e1904708ea8a682a91f3b9c2638a69040f77acf8e4aa51a3464fa1b3b63e5c17af0cb8e2d60f003af63a7ad8182cafd4711
+  data.tar.gz: 90c0e8d1fff476552cf70334958d11907f7816be47c29379515687a34b83c9d95b8af30ae1f73b68e64193624970540eca35b74c7a30138f9bdc28f991b2c075

data/README.rdoc

@@ -35,6 +35,12 @@ You can also use permit on nested parameters, like:
 
 Thanks to Nick Kallen for the permit idea!
 
+== Handling of Unpermitted Keys
+
+By default parameter keys that are not explicitly permitted will be logged in the development and test environment. In other environments these parameters will simply be filtered out and ignored.
+
+Additionally, this behaviour can be changed by changing the +ActionController::Parameters.action_on_unpermitted_parameters+ property in your initializer. If set to +:log+ the unpermitted attributes will be logged, if set to +:raise+ an exception will be raised.
+
 == Installation
 
 In Gemfile:

data/lib/action_controller/parameters.rb

@@ -11,10 +11,25 @@ module ActionController
     end
   end
 
+  class UnpermittedParameters < IndexError
+    attr_reader :params
+
+    def initialize(params)
+      @params = params
+      super("found unpermitted parameters: #{params.join(", ")}")
+    end
+  end
+
   class Parameters < HashWithIndifferentAccess
     attr_accessor :permitted
     alias :permitted? :permitted
 
+    cattr_accessor :action_on_unpermitted_parameters, :instance_accessor => false
+
+    # Never raise an UnpermittedParameters exception because of these params
+    # are present. They are added by Rails and it's of no concern.
+    NEVER_UNPERMITTED_PARAMS = %w( controller action )
+
     def initialize(attributes = nil)
       super(attributes)
       @permitted = false
@@ -62,6 +77,8 @@ module ActionController
         end
       end
 
+      unpermitted_parameters!(params) if self.class.action_on_unpermitted_parameters
+
       params.permit!
     end
 
@@ -120,6 +137,25 @@ module ActionController
           yield object
         end
       end
+
+      def unpermitted_parameters!(params)
+        return unless self.class.action_on_unpermitted_parameters
+
+        unpermitted_keys = unpermitted_keys(params)
+
+        if unpermitted_keys.any?
+          case self.class.action_on_unpermitted_parameters
+          when :log
+            ActionController::Base.logger.debug "Unpermitted parameters: #{unpermitted_keys.join(", ")}"
+          when :raise
+            raise ActionController::UnpermittedParameters.new(unpermitted_keys)
+          end
+        end
+      end
+
+      def unpermitted_keys(params)
+        self.keys - params.keys - NEVER_UNPERMITTED_PARAMS
+      end
   end
 end
 

data/lib/strong_parameters/version.rb

@@ -1,3 +1,3 @@
 module StrongParameters
-  VERSION = "0.1.8"
+  VERSION = "0.1.9"
 end

data/test/log_on_unpermitted_params_test.rb

@@ -0,0 +1,50 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class LogOnUnpermittedParamsTest < ActiveSupport::TestCase
+  def setup
+    ActionController::Parameters.action_on_unpermitted_parameters = :log
+  end
+
+  def teardown
+    ActionController::Parameters.action_on_unpermitted_parameters = false
+  end
+
+  test "logs on unexpected params" do
+    params = ActionController::Parameters.new({
+      :book => { :pages => 65 },
+      :fishing => "Turnips"
+    })
+
+    assert_logged("Unpermitted parameters: fishing") do
+      params.permit(:book => [:pages])
+    end
+  end
+
+  test "logs on unexpected nested params" do
+    params = ActionController::Parameters.new({
+      :book => { :pages => 65, :title => "Green Cats and where to find then." }
+    })
+
+    assert_logged("Unpermitted parameters: title") do
+      params.permit(:book => [:pages])
+    end
+  end
+
+  private
+
+  def assert_logged(message)
+    old_logger = ActionController::Base.logger
+    log = StringIO.new
+    ActionController::Base.logger = Logger.new(log)
+
+    begin
+      yield
+
+      log.rewind
+      assert_match message, log.read
+    ensure
+      ActionController::Base.logger = old_logger
+    end
+  end
+end

data/test/raise_on_unpermitted_params_test.rb

@@ -0,0 +1,33 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class RaiseOnUnpermittedParamsTest < ActiveSupport::TestCase
+  def setup
+    ActionController::Parameters.action_on_unpermitted_parameters = :raise
+  end
+
+  def teardown
+    ActionController::Parameters.action_on_unpermitted_parameters = false
+  end
+
+  test "raises on unexpected params" do
+    params = ActionController::Parameters.new({
+      :book => { :pages => 65 },
+      :fishing => "Turnips"
+    })
+
+    assert_raises(ActionController::UnpermittedParameters) do
+      params.permit(:book => [:pages])
+    end
+  end
+
+  test "raises on unexpected nested params" do
+    params = ActionController::Parameters.new({
+      :book => { :pages => 65, :title => "Green Cats and where to find then." }
+    })
+
+    assert_raises(ActionController::UnpermittedParameters) do
+      params.permit(:book => [:pages])
+    end
+  end
+end

data/test/test_helper.rb

@@ -16,3 +16,5 @@ ActionController::TestCase.class_eval do
     @response
   end
 end
+
+ActionController::Parameters.action_on_unpermitted_parameters = false

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: strong_parameters_rails2
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.9
 platform: ruby
 authors:
 - Michael Grosser
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-02 00:00:00.000000000 Z
+date: 2014-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -112,10 +112,12 @@ files:
 - test/action_controller_required_params_test.rb
 - test/action_controller_tainted_params_test.rb
 - test/active_record_mass_assignment_taint_protection_test.rb
+- test/log_on_unpermitted_params_test.rb
 - test/multi_parameter_attributes_test.rb
 - test/nested_parameters_test.rb
 - test/parameters_require_test.rb
 - test/parameters_taint_test.rb
+- test/raise_on_unpermitted_params_test.rb
 - test/test_helper.rb
 homepage: https://github.com/grosser/strong_parameters/tree/rails2
 licenses:
@@ -137,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.0.14
 signing_key: 
 specification_version: 4
 summary: Permitted and required parameters for Action Pack
@@ -145,8 +147,10 @@ test_files:
 - test/action_controller_required_params_test.rb
 - test/action_controller_tainted_params_test.rb
 - test/active_record_mass_assignment_taint_protection_test.rb
+- test/log_on_unpermitted_params_test.rb
 - test/multi_parameter_attributes_test.rb
 - test/nested_parameters_test.rb
 - test/parameters_require_test.rb
 - test/parameters_taint_test.rb
+- test/raise_on_unpermitted_params_test.rb
 - test/test_helper.rb