Commit
Merge pull request #1271 from neo4jrb/fix-active-controller-params-7.1.x
Backporting #1245 (Unpermitted parameters) to 7.2.x
Showing 11 changed files with 181 additions and 43 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
module Neo4j::Shared | ||
module PermittedAttributes | ||
extend ActiveSupport::Concern | ||
include ActiveModel::ForbiddenAttributesProtection | ||
|
||
def process_attributes(attributes) | ||
attributes = sanitize_input_parameters(attributes) | ||
super(attributes) | ||
end | ||
|
||
def attributes=(attributes) | ||
attributes = sanitize_input_parameters(attributes) | ||
super(attributes) | ||
end | ||
|
||
protected | ||
|
||
# Check if an argument is a string or an ActionController::Parameters | ||
def hash_or_parameter?(args) | ||
args.is_a?(Hash) || args.respond_to?(:to_unsafe_h) | ||
end | ||
|
||
def sanitize_input_parameters(attributes) | ||
attributes = sanitize_for_mass_assignment(attributes) | ||
attributes.respond_to?(:symbolize_keys) ? attributes.symbolize_keys : attributes | ||
end | ||
end | ||
end |
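Review bot: the comment on `hash_or_parameter?` says it checks for "a string or an ActionController::Parameters", but the body tests `args.is_a?(Hash) || args.respond_to?(:to_unsafe_h)`, so it should read "a Hash or an ActionController::Parameters"; also, nothing in this hunk calls `hash_or_parameter?`, so either drop it or use it in `sanitize_input_parameters` to decide whether `symbolize_keys` is safe to call. The actual protection comes from `sanitize_for_mass_assignment` (pulled in via `ActiveModel::ForbiddenAttributesProtection`), which raises `ActiveModel::ForbiddenAttributesError` for parameters that were not permitted, and both `process_attributes` and `attributes=` route through it; a one-line comment above `sanitize_input_parameters` saying that this is where unpermitted `ActionController::Parameters` are rejected would make the intent obvious to the next reader.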
spec/shared_examples/forbidden_attributes_shared_examples.rb (63 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
shared_examples 'handles permitted parameters' do | ||
describe '#new' do | ||
it 'assigns permitted params' do | ||
using_action_controller do | ||
params.permit! | ||
expect(klass.new(create_params).attributes).to include(params.to_h) | ||
end | ||
end | ||
|
||
it 'fails on unpermitted parameters' do | ||
using_action_controller do | ||
expect { klass.new(create_params) }.to raise_error ActiveModel::ForbiddenAttributesError | ||
end | ||
end | ||
end | ||
|
||
describe '#create' do | ||
it 'assigns permitted params' do | ||
using_action_controller do | ||
params.permit! | ||
expect(klass.create(create_params).attributes).to include(params.to_h) | ||
end | ||
end | ||
|
||
it 'fails on unpermitted parameters' do | ||
using_action_controller do | ||
expect { klass.create(create_params) }.to raise_error ActiveModel::ForbiddenAttributesError | ||
end | ||
end | ||
end | ||
|
||
describe '#attributes=' do | ||
it 'assigns permitted params' do | ||
using_action_controller do | ||
params.permit! | ||
subject.attributes = params | ||
expect(subject.attributes).to include(params.to_h) | ||
end | ||
end | ||
|
||
it 'fails on unpermitted parameters' do | ||
using_action_controller do | ||
expect { subject.attributes = params }.to raise_error ActiveModel::ForbiddenAttributesError | ||
end | ||
end | ||
end | ||
|
||
describe '#update' do | ||
it 'assigns permitted params' do | ||
using_action_controller do | ||
params.permit! | ||
subject.update(params) | ||
expect(subject.attributes).to include(params.to_h) | ||
end | ||
end | ||
|
||
it 'fails on unpermitted parameters' do | ||
using_action_controller do | ||
expect { klass.new.update(params) }.to raise_error ActiveModel::ForbiddenAttributesError | ||
end | ||
end | ||
end | ||
end |
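Review bot: in `describe '#update'` the passing example calls `subject.update(params)` while the failing example calls `klass.new.update(params)`; use `subject` in both so the two cases exercise the same object, or note why a fresh instance is needed there. The shared examples also rely on `klass`, `subject`, `params`, `create_params` and `using_action_controller` being supplied by the including spec, but nothing in the file documents that contract; a short comment at the top listing the required `let`s and helpers would make the examples usable without reading every caller. Finally, `#new` and `#create` assign via `create_params` while `#attributes=` and `#update` pass `params` directly, yet all four assert `include(params.to_h)`, so the relationship between `create_params` and `params` should be stated where they are defined.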