
Merge pull request #85 from thomasfedb/raise_or_log_unpermitted_params

Raise or log when unpermitted params are provided. Ported from rails.
commit ae3826f339509638b2b31f608c3eeb3136946aa8 2 parents 4c21c67 + 11332b9
@rafaelfranca rafaelfranca authored
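--- a/README.rdoc
+++ b/README.rdoc
@@ -51,6 +51,12 @@ You can also use permit on nested parameters, like:
 Thanks to Nick Kallen for the permit idea!
+== Handling of Unpermitted Keys
+
+By default parameter keys that are not explicitly permitted will be logged in the development and test environment. In other environments these parameters will simply be filtered out and ignored.
+
+Additionally, this behaviour can be changed by changing the +config.action_controller.action_on_unpermitted_parameters+ property in your environment files. If set to +:log+ the unpermitted attributes will be logged, if set to +:raise+ an exception will be raised.
+
 == Installation
 In Gemfile: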
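--- a/lib/action_controller/parameters.rb
+++ b/lib/action_controller/parameters.rb
@@ -16,10 +16,24 @@ def initialize(param)
 end
 end
+ class UnpermittedParameters < IndexError
+ attr_reader :params
+
+ def initialize(params)
+ @params = params
+ super("found unpermitted parameters: #{params.join(", ")}")
+ end
+ end
 class Parameters < ActiveSupport::HashWithIndifferentAccess
 attr_accessor :permitted
 alias :permitted? :permitted
+
+ cattr_accessor :action_on_unpermitted_parameters, :instance_accessor => false
+
+ # Never raise an UnpermittedParameters exception because of these params
+ # are present. They are added by Rails and it's of no concern.
+ NEVER_UNPERMITTED_PARAMS = %w( controller action )
 def initialize(attributes = nil)
 super(attributes)
@@ -54,6 +68,8 @@ def permit(*filters)
 end
 end
+ unpermitted_parameters!(params) if self.class.action_on_unpermitted_parameters
+
 params.permit!
 end
@@ -189,6 +205,25 @@ def each_element(value)
 yield value
 end
 end
+
+ def unpermitted_parameters!(params)
+ return unless self.class.action_on_unpermitted_parameters
+
+ unpermitted_keys = unpermitted_keys(params)
+
+ if unpermitted_keys.any?
+ case self.class.action_on_unpermitted_parameters
+ when :log
+ ActionController::Base.logger.debug "Unpermitted parameters: #{unpermitted_keys.join(", ")}"
+ when :raise
+ raise ActionController::UnpermittedParameters.new(unpermitted_keys)
+ end
+ end
+ end
+
+ def unpermitted_keys(params)
+ self.keys - params.keys - NEVER_UNPERMITTED_PARAMS
+ end
 end
 module StrongParameters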
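Review bot: The `case` in `unpermitted_parameters!` has no `else`, so any truthy setting other than `:log` or `:raise` (the string `"raise"`, a misspelt symbol) passes the guard and then does nothing, and an application configured that way believes it is rejecting unexpected keys when it is not. I would add `else raise ArgumentError, "unknown action_on_unpermitted_parameters: #{self.class.action_on_unpermitted_parameters.inspect}"` so a bad value fails loudly. The key names in both the log line and the exception message come from the request and are interpolated as-is; joining `unpermitted_keys.map(&:inspect)` would keep control characters in a key from splitting a log entry, at the cost of quoting the names the log test expects. The `if` on the call in `permit` repeats the `return unless` at the top of the method, so one of the two can go.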
6 lib/strong_parameters/railtie.rb
@@ -7,5 +7,11 @@ class Railtie < ::Rails::Railtie
else
config.generators.scaffold_controller = :strong_parameters_controller
end
+
+ initializer "strong_parameters.config", :before => "active_controller.set_configs" do |app|

This cannot work with rails 3.2. See the fix in #88

+ ActionController::Parameters.action_on_unpermitted_parameters = options.delete(:action_on_unpermitted_parameters) do
+ (Rails.env.test? || Rails.env.development?) ? :log : false
+ end
+ end
end
end
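Review bot: The `options.delete(...) do ... end` call carries two decisions that are not written down: the setting is taken out of `options`, and when it is absent the default becomes `:log` in test and development and `false` everywhere else. A comment above it such as `# Remove the setting from the controller options; default to :log in dev/test and off elsewhere` would make that explicit. Because the default outside those two environments is `false`, unexpected keys are dropped there with no trace unless the operator opts in, which is worth saying next to the default.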
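--- a/test/log_on_unpermitted_params_test.rb
+++ b/test/log_on_unpermitted_params_test.rb
@@ -0,0 +1,50 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class LogOnUnpermittedParamsTest < ActiveSupport::TestCase
+ def setup
+ ActionController::Parameters.action_on_unpermitted_parameters = :log
+ end
+
+ def teardown
+ ActionController::Parameters.action_on_unpermitted_parameters = false
+ end
+
+ test "logs on unexpected params" do
+ params = ActionController::Parameters.new({
+ :book => { :pages => 65 },
+ :fishing => "Turnips"
+ })
+
+ assert_logged("Unpermitted parameters: fishing") do
+ params.permit(:book => [:pages])
+ end
+ end
+
+ test "logs on unexpected nested params" do
+ params = ActionController::Parameters.new({
+ :book => { :pages => 65, :title => "Green Cats and where to find then." }
+ })
+
+ assert_logged("Unpermitted parameters: title") do
+ params.permit(:book => [:pages])
+ end
+ end
+
+ private
+
+ def assert_logged(message)
+ old_logger = ActionController::Base.logger
+ log = StringIO.new
+ ActionController::Base.logger = Logger.new(log)
+
+ begin
+ yield
+
+ log.rewind
+ assert_match message, log.read
+ ensure
+ ActionController::Base.logger = old_logger
+ end
+ end
+end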
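Review bot: `assert_logged` hands a String to `assert_match`, which makes it a substring check, so `"Unpermitted parameters: fishing"` would still pass if a permitted key such as `book` were wrongly reported after it. Anchoring the expectation, for example `assert_match(/Unpermitted parameters: fishing$/, log.read)`, would catch over-reporting. There is also no case showing that `controller` and `action` stay out of the log, which is the one exemption the library code adds.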
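--- a/test/raise_on_unpermitted_params_test.rb
+++ b/test/raise_on_unpermitted_params_test.rb
@@ -0,0 +1,33 @@
+require 'test_helper'
+require 'action_controller/parameters'
+
+class RaiseOnUnpermittedParamsTest < ActiveSupport::TestCase
+ def setup
+ ActionController::Parameters.action_on_unpermitted_parameters = :raise
+ end
+
+ def teardown
+ ActionController::Parameters.action_on_unpermitted_parameters = false
+ end
+
+ test "raises on unexpected params" do
+ params = ActionController::Parameters.new({
+ :book => { :pages => 65 },
+ :fishing => "Turnips"
+ })
+
+ assert_raises(ActionController::UnpermittedParameters) do
+ params.permit(:book => [:pages])
+ end
+ end
+
+ test "raises on unexpected nested params" do
+ params = ActionController::Parameters.new({
+ :book => { :pages => 65, :title => "Green Cats and where to find then." }
+ })
+
+ assert_raises(ActionController::UnpermittedParameters) do
+ params.permit(:book => [:pages])
+ end
+ end
+end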
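Review bot: Both cases assert only that `UnpermittedParameters` is raised and never inspect what it carries, so a regression that reports the wrong keys would still pass. `assert_raises` returns the exception, so `error = assert_raises(ActionController::UnpermittedParameters) { ... }` followed by `assert_equal %w(fishing), error.params` would pin the contents. A negative case is missing as well: nothing checks that a fully permitted hash, or one that only adds `controller` and `action`, does not raise under `:raise`.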
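--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -2,6 +2,13 @@
 ENV["RAILS_ENV"] = "test"
 require 'test/unit'
+require 'rails'
+
+class FakeApplication < Rails::Application; end
+
+Rails.application = FakeApplication
+Rails.configuration.action_controller = ActiveSupport::OrderedOptions.new
+
 require 'strong_parameters'
 require 'mocha'
@@ -23,6 +30,7 @@ class ActionController::TestCase
 end
 end
+ActionController::Parameters.action_on_unpermitted_parameters = false
 # Load support files
 Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }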
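Review bot: The suite-wide `ActionController::Parameters.action_on_unpermitted_parameters = false` in the second hunk has no comment, and it differs from the `:log` default the railtie in this commit selects for the test environment. A line such as `# Off for the suite so existing tests are unaffected; the two new test files switch it on in setup` would explain the choice. As written, the shipped test-environment default is not exercised by the rest of the suite.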