Permalink
Browse files

Never treat action or controller as unpermitted params

  • Loading branch information...
1 parent 4f002a1 commit ae3286b74346023a868d63c53cde562b1529ef2c @dhh dhh committed Jan 8, 2013
View
21 actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -95,6 +95,10 @@ class Parameters < ActiveSupport::HashWithIndifferentAccess
cattr_accessor :permit_all_parameters, instance_accessor: false
cattr_accessor :raise_on_unpermitted_parameters, instance_accessor: false
+ # Never raise an UnpermittedParameters exception because of these params
+ # are present. They are added by Rails and it's of no concern.
+ NEVER_UNPERMITTED_PARAMS = %w( controller action )
+
# Returns a new instance of <tt>ActionController::Parameters</tt>.
# Also, sets the +permitted+ attribute to the default value of
# <tt>ActionController::Parameters.permit_all_parameters</tt>.
@@ -251,12 +255,7 @@ def permit(*filters)
end
end
- if Parameters.raise_on_unpermitted_parameters
- unpermitted_keys = self.keys - params.keys
- if unpermitted_keys.any?
- raise ActionController::UnpermittedParameters.new(unpermitted_keys)
- end
- end
+ raise_on_unpermitted_parameters!(params)
params.permit!
end
@@ -336,6 +335,16 @@ def each_element(object)
yield object
end
end
+
+ def raise_on_unpermitted_parameters!(params)
+ if self.class.raise_on_unpermitted_parameters && unpermitted_keys(params).any?
+ raise ActionController::UnpermittedParameters.new(unpermitted_keys(params))
+ end
+ end
+
+ def unpermitted_keys(params)
+ self.keys - params.keys - NEVER_UNPERMITTED_PARAMS
+ end
end
# == Strong \Parameters
View
10 actionpack/test/controller/parameters/raise_on_unpermitted_parameters_test.rb
@@ -30,4 +30,14 @@ def teardown
params.permit(book: [:pages])
end
end
+
+ test "action and controller keys are safe to ignore" do
+ params = ActionController::Parameters.new({
+ action: 'index', controller: 'stuff', book: { pages: 65 }
+ })
+
+ assert_nothing_raised do
+ params.permit(book: [:pages])
+ end
+ end
end

0 comments on commit ae3286b

Please sign in to comment.