fix permitted? conditional for render calls

rails · Jan 30, 2016 · 8e468eb · 8e468eb
1 parent ec89b40
commit 8e468eb
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/actionpack/lib/abstract_controller/rendering.rb b/actionpack/lib/abstract_controller/rendering.rb
@@ -77,9 +77,12 @@ def view_assigns
     # render "foo/bar" to render :file => "foo/bar".
     # :api: plugin
     def _normalize_args(action=nil, options={})
-      if action.respond_to?(:permitted?) && action.permitted?
-        raise ArgumentError, "render parameters are not permitted"
-        action
+      if action.respond_to?(:permitted?)
+        if action.permitted?
+          action
+        else
+          raise ArgumentError, "render parameters are not permitted"
+        end
       elsif action.is_a?(Hash)
         action
       else

diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
@@ -62,6 +62,10 @@ def dynamic_render
     render params[:id] # => String, AC:Params
   end
 
+  def dynamic_render_permit
+    render params[:id].permit(:file)
+  end
+
   def dynamic_render_with_file
     # This is extremely bad, but should be possible to do.
     file = params[:id] # => String, AC:Params
@@ -298,6 +302,13 @@ def test_dynamic_render
     end
   end
 
+  def test_permitted_dynamic_render_file_hash
+    assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+    response = get :dynamic_render_permit, { id: { file: '../\\../test/abstract_unit.rb' } }
+    assert_equal File.read(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')),
+      response.body
+  end
+
   def test_dynamic_render_file_hash
     assert_raises ArgumentError do
       get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }