Never treat action or controller as unpermitted params
dhh committed Jan 8, 2013
1 parent 4f002a1 commit ae3286b
Showing 2 changed files with 25 additions and 6 deletions.
21 changes: 15 additions & 6 deletions actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -95,6 +95,10 @@ class Parameters < ActiveSupport::HashWithIndifferentAccess
cattr_accessor :permit_all_parameters, instance_accessor: false
cattr_accessor :raise_on_unpermitted_parameters, instance_accessor: false

# Never raise an UnpermittedParameters exception because of these params
# are present. They are added by Rails and it's of no concern.
NEVER_UNPERMITTED_PARAMS = %w( controller action )

# Returns a new instance of <tt>ActionController::Parameters</tt>.
# Also, sets the +permitted+ attribute to the default value of
# <tt>ActionController::Parameters.permit_all_parameters</tt>.
@@ -251,12 +255,7 @@ def permit(*filters)
end
end

if Parameters.raise_on_unpermitted_parameters
unpermitted_keys = self.keys - params.keys
if unpermitted_keys.any?
raise ActionController::UnpermittedParameters.new(unpermitted_keys)
end
end
raise_on_unpermitted_parameters!(params)

params.permit!
end
@@ -336,6 +335,16 @@ def each_element(object)
yield object
end
end

def raise_on_unpermitted_parameters!(params)
if self.class.raise_on_unpermitted_parameters && unpermitted_keys(params).any?
raise ActionController::UnpermittedParameters.new(unpermitted_keys(params))
end
end

def unpermitted_keys(params)
self.keys - params.keys - NEVER_UNPERMITTED_PARAMS
end
end

# == Strong \Parameters
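Review bot: `NEVER_UNPERMITTED_PARAMS` in the first hunk is left as a mutable array, so any code that appends to it at runtime would silently widen the set of keys that never trigger `UnpermittedParameters`; freezing it, `NEVER_UNPERMITTED_PARAMS = %w( controller action ).freeze`, rules that out. In `raise_on_unpermitted_parameters!` (third hunk) the key difference is computed twice; binding it once, `unpermitted = unpermitted_keys(params)`, and raising with that local would read more clearly. The comment on the constant could also state that the exemption only silences the exception and does not add these keys to the permitted result. The subtraction applies to whichever `Parameters` instance `permit` is called on, so if `permit` recurses into nested hashes (its body starts outside these hunks), a nested key named `action` or `controller` would go unreported as well.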
@@ -30,4 +30,14 @@ def teardown
params.permit(book: [:pages])
end
end

test "action and controller keys are safe to ignore" do
params = ActionController::Parameters.new({
action: 'index', controller: 'stuff', book: { pages: 65 }
})

assert_nothing_raised do
params.permit(book: [:pages])
end
end
end
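Review bot: The new test only asserts that nothing is raised, so it would still pass if `action` and `controller` leaked into the permitted result. Checking the return value as well, e.g. `assert_equal %w(book), params.permit(book: [:pages]).keys`, would pin down that the exemption silences the report without permitting the keys. This assumes the result is built only from the listed filters, which the visible lines suggest but do not show. The test also relies on `raise_on_unpermitted_parameters` being switched on in the setup, which lies outside this hunk, as does the start of the test class.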
