Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

generated URL helpers should accept AC::Parameters as an argument. #22832

Closed
jcoyne opened this issue Dec 29, 2015 · 7 comments
Closed

generated URL helpers should accept AC::Parameters as an argument. #22832

jcoyne opened this issue Dec 29, 2015 · 7 comments
Labels
actionpack
Milestone
5.0.0

Comments

@jcoyne
Copy link
Contributor

jcoyne commented Dec 29, 2015

In 5.0.0.beta1

opts = { foo: 'bar' }
=> {:foo=>"bar"}
Rails.application.routes.url_helpers.root_path(opts)
=> "/?foo=bar"

parameters = ActionController::Parameters.new(foo: 'bar')
=> {"foo"=>"bar"}
parameters.permit!
=> {"foo"=>"bar"}
Rails.application.routes.url_helpers.root_path(parameters)
=> "/"
Rails.application.routes.url_helpers.root_path(parameters.to_h)
=> "/?foo=bar"

I don't think we should expect the same behavior from the last two invocations of the route helper.
@rafaelfranca rafaelfranca added this to the 5.0.0 milestone Dec 29, 2015
@jcoyne
Copy link
Contributor Author

jcoyne commented Dec 29, 2015

I now wonder where the non-parameter arguments to route helpers (i.e. only_path: true) should go? A second argument? Like this?

Rails.application.routes.url_helpers.root_url(parameters, only_path: true)

@jcoyne
Copy link
Contributor Author

jcoyne commented Dec 30, 2015

I don't think this is something that necessarily has to be fixed. I just seemed a bit odd. I'll close. Reopen if you think it's important.

@jcoyne jcoyne closed this as completed Dec 30, 2015
@rafaelfranca
Copy link
Member

In fact it should raise an exception like we do in others case. It seems to be a missing case of #20797

@rafaelfranca rafaelfranca reopened this Dec 30, 2015
@prathamesh-sonpatki
Copy link
Member

@rafaelfranca Do you mean without calling parameters.permit!, if we call Rails.application.routes.url_helpers.root_path(parameters) it should raise error?

@rafaelfranca
Copy link
Member

Yes. We expect users to filter the parameters before passing to url helpers.

@prathamesh-sonpatki prathamesh-sonpatki mentioned this issue Jan 3, 2016
Merged
prathamesh-sonpatki added a commit to prathamesh-sonpatki/rails that referenced this issue Jan 7, 2016
@prathamesh-sonpatki
Allow AC::Parameters as an argument to url_helpers
a310785 
- Earlier only Hash was allowed as params argument to url_helpers.
- Now ActionController::Parameters instances will also be allowed.
- If the params are not secured then it will raise an ArgumentError to
  indicate that constructing URLs with non-secure params is not recommended.
- Fixes rails#22832.
@maletor
Copy link
Contributor

maletor commented Jan 13, 2017
edited

Yes. We expect users to filter the parameters before passing to url helpers.

@rafaelfranca, really? This doesn't seem like a sane default. Why should the user's application be responsible for maintaining the list of special options that change the URL.

There are people upgrading rails 4 to 5 that have root_url(params) that will change that to root_url(params.permit!) or root_url(params.to_unsafe_h).

Every app should convert that to

def safe_params
  params.except(:host, :port, :protocol, :subdomain, :etc).to_unsafe_h
end

Is it unreasonable for safe_params to be part of the rails API?

@maletor
Copy link
Contributor

maletor commented Jan 13, 2017

Also, ActionController::Parameters to_unsafe_h will always return a string for Hash keys and url_for requires symbols to override the dangerous stuff like :host so in the end the whole thing is kinda moot, don't you think.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
actionpack
Projects
None yet
Milestone
5.0.0
Development

No branches or pull requests
4 participants
@rafaelfranca @jcoyne @maletor @prathamesh-sonpatki