
add support for controller-based param whitelisting (ala strong parameters) #237

Closed
wants to merge 2 commits into from

4 participants

@rubysolo

if the inherited resources controller has a method named <resource name>_params, it will be called to construct the params hash that will be used for create/update.

@rubysolo rubysolo add support for controller-based param whitelisting (ala strong parameters)

if the inherited resources controller has a method named <resource
name>_params, it will be called to construct the params hash that will
be used for create/update.
6325fcf
@jodigiordano

+1. @rubysolo the documentation of strong parameters states that "Using a private method to encapsulate the permissible parameters is just a good pattern", so what do you think of respond_to?(whitelist_method, true) instead of respond_to?(whitelist_method)?
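
An added example, not code from this PR or from inherited_resources: a Rails-free model of the convention the PR describes (a `<resource name>_params` method, when the controller defines one, replaces the raw params hash handed to create/update) and of the `respond_to?(name, true)` point raised in the comment above, which is what lets that method be private. The controller classes, the `PERMITTED` list and the request hash are constructed for the demonstration.

```ruby
# Added example, not part of the inherited_resources PR: a Rails-free model of
# the whitelisting convention. Class names and the request hash are constructed.
module ResourceBuilder
  # Mirrors the patched build_resource_params: when the controller defines
  # "#{resource_request_name}_params", its result replaces the raw params.
  def build_resource_params
    whitelisted_params || params[resource_request_name] || {}
  end

  # respond_to?(name, true) also sees private methods, so the whitelist can
  # live under `private` as the strong_parameters docs recommend.
  def whitelisted_params
    whitelist_method = :"#{resource_request_name}_params"
    respond_to?(whitelist_method, true) && send(whitelist_method)
  end
end

# No whitelist: every key the request carries reaches the model (mass assignment).
class UnfilteredUsersController
  include ResourceBuilder
  attr_reader :params

  def initialize(params)
    @params = params
  end

  def resource_request_name
    :user
  end
end

# With a private user_params method: only the listed keys survive.
class WhitelistingUsersController < UnfilteredUsersController
  PERMITTED = [:name, :email].freeze

  private

  def user_params
    (params[:user] || {}).select { |key, _| PERMITTED.include?(key) }
  end
end

# Constructed request: the form offered name and email; :admin was added by the client.
REQUEST = { user: { name: "alice", email: "alice@example.com", admin: true } }.freeze

def unfiltered_attributes
  UnfilteredUsersController.new(REQUEST).build_resource_params
end

def whitelisted_attributes
  WhitelistingUsersController.new(REQUEST).build_resource_params
end

# [public lookup, private-aware lookup] for the whitelist method.
def whitelist_visibility
  controller = WhitelistingUsersController.new(REQUEST)
  [controller.respond_to?(:user_params), controller.respond_to?(:user_params, true)]
end

if __FILE__ == $PROGRAM_NAME
  p unfiltered_attributes   # :admin reaches the model
  p whitelisted_attributes  # :admin dropped
  p whitelist_visibility    # [false, true]
end
```

The second element of `whitelist_visibility` is why the `true` argument matters: without it, a whitelist method declared under `private` is invisible to `respond_to?`, `whitelisted_params` returns `false`, and the controller silently falls back to the unfiltered hash.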

@rubysolo

:+1: I'm down with that.

@garysweaver

Sorry if this is way off-topic, but anyone have any experience with using InheritedResources with ActiveAdmin? @latortuga said that this pull request was adding support for StrongParameters in InheritedResources, but looking at it again, I don't see any calls to permit here and it appears to just be adding similar behavior to SP. Is support for SP being added to IR, and if it is, will it support the ability to permit all parameters regardless of whether they relate to actual methods (attribute or otherwise), because that is something that AA needs, because of some password field related behavior it provides, as discussed here where a patch for SP in AA was being discussed (and AA uses IR heavily, so it would be better to do in IR): activeadmin/activeadmin#1731 Thanks.

@garysweaver garysweaver referenced this pull request in activeadmin/activeadmin
Closed

Add support for strong_parameters #1731

@garysweaver

Just saw: #236 - sorry for interrupting. Looks like calls to SP's permits are not getting added but that is something each person can put in themselves.

@rubysolo

You're right, this is not Strong Parameters proper, but the ability to do whitelisting in the controller similarly to SP. This patch should probably be revisited now that SP is more fully-baked and will be included in Rails 4.

@garysweaver

Yeah, since they are axing mass assignment security and SP isn't optional, we're going ahead and using Strong Parameters with Rails 3.2.8 (and ActiveAdmin which uses InheritedResources) and hitting pain head-on: https://github.com/rails/strong_parameters

@joelmoss

Closing this in favour of using strong parameters. Happy to accept a PR to integrate that. thx

@joelmoss joelmoss closed this
Commits on Sep 4, 2012
  1. @rubysolo

    add support for controller-based param whitelisting (ala strong parameters)

    rubysolo authored

    if the inherited resources controller has a method named <resource
    name>_params, it will be called to construct the params hash that will
    be used for create/update.
Commits on Oct 14, 2012
  1. @rubysolo
Showing with 18 additions and 1 deletion.
  1. +6 −1 lib/inherited_resources/base_helpers.rb
  2. +12 −0 test/base_test.rb
7 lib/inherited_resources/base_helpers.rb
@@ -305,7 +305,7 @@ def resource_params
# extract attributes from params
def build_resource_params
- rparams = [params[resource_request_name] || params[resource_instance_name] || {}]
+ rparams = [whitelisted_params || params[resource_request_name] || params[resource_instance_name] || {}]
if without_protection_given?
rparams << without_protection
else
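Review bot: the `||` chain in `build_resource_params` makes the new hook a silent opt-in: when the controller defines no `#{resource_request_name}_params` method (including a misspelt one, or one named after `resource_instance_name` when that differs from the request name, since the fallback consults both names but the whitelist only the first), `whitelisted_params` yields `false` and the unfiltered `params[...]` hash is used exactly as before. That preserves backward compatibility, but a missing whitelist is then indistinguishable from a deliberately unfiltered resource; document that the hook is keyed on `resource_request_name` only, and note that a whitelist method returning `nil` also falls through to the raw params rather than to an empty hash.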
@@ -315,6 +315,11 @@ def build_resource_params
rparams
end
+ def whitelisted_params
+ whitelist_method = :"#{ resource_request_name }_params"
+ respond_to?(whitelist_method, true) && self.send(whitelist_method)
+ end
+
# checking if role given
def role_given?
self.resources_configuration[:self][:role].present?
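Review bot: `whitelisted_params` is the one method in this region without the one-line comment the file uses (`# extract attributes from params`, `# checking if role given`); add one stating the convention, e.g. `# call <resource_request_name>_params if the controller defines it`. The `self.` in `self.send(whitelist_method)` is redundant and can be dropped; `send` is what allows a private whitelist method to be invoked, matching the `true` passed to `respond_to?`. The method returns `false` rather than `nil` when no whitelist exists, which is fine for the `||` caller but worth stating in that comment.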
12 test/base_test.rb
@@ -18,6 +18,12 @@ def apply_scopes(object)
@scopes_applied = true
object
end
+
+private
+
+ def user_params
+ (params[:user] || {}).slice(:these)
+ end
end
module UserTestHelper
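Review bot: the `user_params` helper relies on `Hash#slice`, which ActiveSupport's core extensions supply (Ruby itself only gained `Hash#slice` in 2.5), so the test depends on ActiveSupport being loaded; acceptable since the suite already runs under Rails, but a short comment would make that explicit. Declaring the helper under `private` is what exercises the `respond_to?(name, true)` branch of the patch, so keep it private rather than grouping it with the public helpers above.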
@@ -195,6 +201,12 @@ def test_expose_a_newly_create_user_when_saved_with_success_and_without_protecti
@controller.class.send(:without_protection, nil)
end
+ def test_supports_convention_for_constructing_whitelisted_resource_params
+ User.expects(:new).with({'these' => 'params'}).returns(mock_user(:save => true))
+ post :create, :user => {:these => 'params', :those => 'params'}
+ assert_equal mock_user, assigns(:user)
+ end
+
def test_redirect_to_the_created_user
User.stubs(:new).returns(mock_user(:save => true))
@controller.expects(:resource_url).returns('http://test.host/')
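Review bot: the new test covers only the positive path (`:those` is dropped, `:these` reaches `User.new`). Add a companion test for the fallback the change relies on, i.e. a controller with no `<resource>_params` method still passes the raw `params[:user]` hash to `User.new`, so a later refactor cannot silently change which hash reaches the model.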