
Add config.action_controller.permit_all_attributes to bypass StrongParameters protection
1 parent 1e1bee3 commit 1aaf4490b29afc99cf19b18c4edbb1f28e6c37f5 @guilleiguaran guilleiguaran committed Aug 30, 2012
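--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@@ -2,6 +2,7 @@
 require 'abstract_controller'
 require 'action_dispatch'
 require 'action_controller/metal/live'
+require 'action_controller/metal/strong_parameters'
 module ActionController
 extend ActiveSupport::Autoload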
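--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -13,12 +13,13 @@ def initialize(param)
 end
 class Parameters < ActiveSupport::HashWithIndifferentAccess
+ cattr_accessor :permit_all_parameters, instance_accessor: false
 attr_accessor :permitted
 alias :permitted? :permitted
 def initialize(attributes = nil)
 super(attributes)
- @permitted = false
+ @permitted = self.class.permit_all_parameters
 end
 def permit!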
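Review bot: `cattr_accessor :permit_all_parameters` is declared without a default, so until something assigns it `self.class.permit_all_parameters` is nil and `@permitted` (hence `permitted?`) changes from the old `false` to `nil` for every new Parameters instance; the railtie hunk has the same gap, since `app.config.action_controller.delete(:permit_all_parameters)` is also nil when the option is not set. Adding `self.permit_all_parameters = false` directly under the accessor keeps the previous boolean default. Because this is one class-level switch that turns off the filtering this class exists to provide for the whole process, the accessor should carry a comment saying so, e.g. `# Global opt-out: when true, every new Parameters instance starts out permitted, i.e. attribute filtering is disabled app-wide.` The commit title names `permit_all_attributes` while the accessor is `permit_all_parameters`. `permit!` on the last line continues outside the hunk.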
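--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -19,6 +19,10 @@ class Railtie < Rails::Railtie #:nodoc:
 ActionController::Helpers.helpers_path = app.helpers_paths
 end
+ initializer "action_controller.parameters_config" do |app|
+ ActionController::Parameters.permit_all_parameters = app.config.action_controller.delete(:permit_all_parameters)
+ end
+
 initializer "action_controller.set_configs" do |app|
 paths = app.config.paths
 options = app.config.action_controller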
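Review bot: The option is consumed with `delete` rather than read with `[]`, presumably so that the `set_configs` initializer below, which picks up `app.config.action_controller` as `options`, does not also forward it on to the controller class (that forwarding loop is outside the hunk). That intent is not obvious from the one-liner and deserves a comment, e.g. `# delete, not read: the remaining action_controller options are forwarded elsewhere by set_configs`. When the option is unset this assigns nil rather than false, the same default gap raised on the strong_parameters.rb hunk.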
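--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -56,4 +56,18 @@ class ParametersPermitTest < ActiveSupport::TestCase
 @params.permit!
 assert_equal @params.permitted?, @params.dup.permitted?
 end
+
+ test "permitted takes a default value when Parameters.permit_all_parameters is set" do
+ begin
+ ActionController::Parameters.permit_all_parameters = true
+ params = ActionController::Parameters.new({ person: {
+ age: "32", name: { first: "David", last: "Heinemeier Hansson" }
+ }})
+
+ assert params.slice(:person).permitted?
+ assert params[:person][:name].permitted?
+ ensure
+ ActionController::Parameters.permit_all_parameters = false
+ end
+ end
 end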
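Review bot: The `ensure` hard-codes `false` instead of restoring what it found, so the test leaves the process-wide switch in a different state from before whenever the default is not `false` (the accessor added in strong_parameters.rb has no default, so before any assignment it is nil). Capture it first with `old = ActionController::Parameters.permit_all_parameters` and restore with `ActionController::Parameters.permit_all_parameters = old`. The test also never asserts on the root object; `assert params.permitted?` ahead of the slice assertion would pin the primary behaviour rather than only the derived copies.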
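--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -560,6 +560,28 @@ def create
 assert_equal '{"title"=>"foo"}', last_response.body
 end
+ test "config.action_controller.permit_all_parameters = true" do
+ app_file 'app/controllers/posts_controller.rb', <<-RUBY
+ class PostsController < ActionController::Base
+ def create
+ render :text => params[:post].permitted? ? "permitted" : "forbidden"
+ end
+ end
+ RUBY
+
+ add_to_config <<-RUBY
+ routes.prepend do
+ resources :posts
+ end
+ config.action_controller.permit_all_parameters = true
+ RUBY
+
+ require "#{app_path}/config/environment"
+
+ post "/posts", {:post => {"title" =>"zomg"}}
+ assert_equal 'permitted', last_response.body
+ end
+
 test "config.action_dispatch.ignore_accept_header" do
 make_basic_app do |app|
 app.config.action_dispatch.ignore_accept_header = true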
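Review bot: Only the opted-in case is exercised, so this test cannot tell the new config option apart from an application where parameters are already permitted by default; a companion test with the `config.action_controller.permit_all_parameters = true` line omitted and `assert_equal 'forbidden', last_response.body` would pin that the switch is what changes the outcome. Minor style on the request line: `{"title" =>"zomg"}` has uneven spacing around `=>`; `{"title" => "zomg"}` matches the surrounding file.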
