heartcombo--devise/test/parameter_sanitizer_test.rb

require 'test_helper'
require 'devise/parameter_sanitizer'

class BaseSanitizerTest < ActiveSupport::TestCase
  def sanitizer(params)
    Devise::BaseSanitizer.new(User, :user, params)
  end

  test 'returns chosen params' do
    sanitizer = sanitizer(user: { "email" => "jose" })
    assert_equal({ "email" => "jose" }, sanitizer.sanitize(:sign_in))
  end
end

if defined?(ActionController::StrongParameters)
  require 'active_model/forbidden_attributes_protection'

  class ParameterSanitizerTest < ActiveSupport::TestCase
    def sanitizer(params)
      params = ActionController::Parameters.new(params)
      Devise::ParameterSanitizer.new(User, :user, params)
    end

    test 'filters some parameters on sign in by default' do
      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid", "remember_me" => "1" })
      assert_equal({ "email" => "jose", "password" => "invalid", "remember_me" => "1" }, sanitizer.sanitize(:sign_in))
    end

    test 'handles auth keys as a hash' do
      swap Devise, authentication_keys: {email: true} do
        sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
        assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.sanitize(:sign_in))
      end
    end

    test 'filters some parameters on sign up by default' do
      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
      assert_equal({ "email" => "jose" }, sanitizer.sanitize(:sign_up))
    end

    test 'filters some parameters on account update by default' do
      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
      assert_equal({ "email" => "jose" }, sanitizer.sanitize(:account_update))
    end

    test 'allows custom hooks' do
      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
      sanitizer.for(:sign_in) { |user| user.permit(:email, :password) }
      assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.sanitize(:sign_in))
    end

    test 'adding multiple permitted parameters' do
      sanitizer = sanitizer(user: { "email" => "jose", "username" => "jose1", "role" => "valid" })
      sanitizer.for(:sign_in).concat([:username, :role])
      assert_equal({ "email" => "jose", "username" => "jose1", "role" => "valid" }, sanitizer.sanitize(:sign_in))
    end

    test 'removing multiple default parameters' do
      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid", "remember_me" => "1" })
      sanitizer.for(:sign_in).delete(:email)
      sanitizer.for(:sign_in).delete(:password)
      assert_equal({ "remember_me" => "1" }, sanitizer.sanitize(:sign_in))
    end

    test 'raises on unknown hooks' do
      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
      assert_raise NotImplementedError do
        sanitizer.sanitize(:unknown)
      end
    end

    test 'passes parameters to filter as arguments to sanitizer' do
      params = {user: stub}
      sanitizer = Devise::ParameterSanitizer.new(User, :user, params)

      params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))

      sanitizer.sanitize(:sign_in)
    end
  end
end
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00			`require 'test_helper'`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`require 'devise/parameter_sanitizer'`
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`class BaseSanitizerTest < ActiveSupport::TestCase`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`def sanitizer(params)`
			`Devise::BaseSanitizer.new(User, :user, params)`
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00			`end`

Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`test 'returns chosen params' do`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`sanitizer = sanitizer(user: { "email" => "jose" })`
			`assert_equal({ "email" => "jose" }, sanitizer.sanitize(:sign_in))`
			`end`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`end`
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`if defined?(ActionController::StrongParameters)`
			`require 'active_model/forbidden_attributes_protection'`
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`class ParameterSanitizerTest < ActiveSupport::TestCase`
Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`def sanitizer(params)`
			`params = ActionController::Parameters.new(params)`
			`Devise::ParameterSanitizer.new(User, :user, params)`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`end`
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00
Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`test 'filters some parameters on sign in by default' do`
add remember_me to the permitted sign_in params 2013-07-12 15:14:32 -04:00			`sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid", "remember_me" => "1" })`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`assert_equal({ "email" => "jose", "password" => "invalid", "remember_me" => "1" }, sanitizer.sanitize(:sign_in))`
Fix improper login param sanitization permit This includes a failing test case that hooks into ActiveSupport Notifications to catch the param permit error. 2013-06-25 14:44:39 -04:00			`end`

			`test 'handles auth keys as a hash' do`
Updated ruby 1.9 hash syntax 2014-02-25 11:42:55 -05:00			`swap Devise, authentication_keys: {email: true} do`
Fix improper login param sanitization permit This includes a failing test case that hooks into ActiveSupport Notifications to catch the param permit error. 2013-06-25 14:44:39 -04:00			`sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.sanitize(:sign_in))`
Fix improper login param sanitization permit This includes a failing test case that hooks into ActiveSupport Notifications to catch the param permit error. 2013-06-25 14:44:39 -04:00			`end`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`end`

Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`test 'filters some parameters on sign up by default' do`
			`sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`assert_equal({ "email" => "jose" }, sanitizer.sanitize(:sign_up))`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`end`

Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`test 'filters some parameters on account update by default' do`
			`sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`assert_equal({ "email" => "jose" }, sanitizer.sanitize(:account_update))`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`end`

Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`test 'allows custom hooks' do`
			`sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })`
			`sanitizer.for(:sign_in) { \|user\| user.permit(:email, :password) }`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.sanitize(:sign_in))`
Extend params sanitizer, to make it easier to add/remove permitted params - Move the default permitted parameters into ParameterSanitizer::PermittedParameters - Add devise_permitted_parameters helper - devise_permitted_parameters.add to add permitted parameters - devise_permitted_parameters.remove to remove Devise's defaults - devise_permitted_parameters.for to access the parameters for a given action - Update 'Strong Parameters' section of README Signed-off-by: José Valim <jose.valim@plataformatec.com.br> 2013-08-11 14:47:18 -04:00			`end`

			`test 'adding multiple permitted parameters' do`
			`sanitizer = sanitizer(user: { "email" => "jose", "username" => "jose1", "role" => "valid" })`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`sanitizer.for(:sign_in).concat([:username, :role])`
			`assert_equal({ "email" => "jose", "username" => "jose1", "role" => "valid" }, sanitizer.sanitize(:sign_in))`
Extend params sanitizer, to make it easier to add/remove permitted params - Move the default permitted parameters into ParameterSanitizer::PermittedParameters - Add devise_permitted_parameters helper - devise_permitted_parameters.add to add permitted parameters - devise_permitted_parameters.remove to remove Devise's defaults - devise_permitted_parameters.for to access the parameters for a given action - Update 'Strong Parameters' section of README Signed-off-by: José Valim <jose.valim@plataformatec.com.br> 2013-08-11 14:47:18 -04:00			`end`

			`test 'removing multiple default parameters' do`
			`sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid", "remember_me" => "1" })`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`sanitizer.for(:sign_in).delete(:email)`
			`sanitizer.for(:sign_in).delete(:password)`
			`assert_equal({ "remember_me" => "1" }, sanitizer.sanitize(:sign_in))`
Extend params sanitizer, to make it easier to add/remove permitted params - Move the default permitted parameters into ParameterSanitizer::PermittedParameters - Add devise_permitted_parameters helper - devise_permitted_parameters.add to add permitted parameters - devise_permitted_parameters.remove to remove Devise's defaults - devise_permitted_parameters.for to access the parameters for a given action - Update 'Strong Parameters' section of README Signed-off-by: José Valim <jose.valim@plataformatec.com.br> 2013-08-11 14:47:18 -04:00			`end`

Clean up Devise parameter sanitizer 2013-04-14 02:21:46 -04:00			`test 'raises on unknown hooks' do`
			`sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })`
			`assert_raise NotImplementedError do`
Simplify parameter sanitization proposal 2013-08-11 16:18:29 -04:00			`sanitizer.sanitize(:unknown)`
Introduce BaseSanitizer null sanitizer and controller-specific callbacks This updates Devise's StrongParameter support to feature: - A Null base sanitizer to support existing Rails 3.x installations that don't want to use StrongParameters yet - A new, simpler API for ParameterSanitizer: #permit, #permit!, and #forbid - Overrideable callbacks on a controller-basis, e.g. #create_sessions_params for passing the current scope's parameters through StrongParameters and a helper method, whitelisted_params, for rolling your own implementations of #create_x_params in your own controllers. - Lots of tests! 2013-04-10 11:33:50 -04:00			`end`
			`end`
Merge pull request #2717 from memberful/2716-splat-sanitize-params Splat the arguments to strong_parameters#permit, fixes #2716 2013-10-31 09:38:30 -04:00
			`test 'passes parameters to filter as arguments to sanitizer' do`
			`params = {user: stub}`
			`sanitizer = Devise::ParameterSanitizer.new(User, :user, params)`

			`params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))`

			`sanitizer.sanitize(:sign_in)`
			`end`
Add support for Rails 4 strong_parameters This brings support for Rails 4 StrongParameters changes. - Parameter sanitizing is setup for Devise controllers via resource_params except Omniauth Callbacks which doesn't use resource_params. - Change #build_resource to not call resource_params for get requests. Parameter sanitizing is only needed when params are posted to the server so there's no need to try to construct resource params on get requests (new, edit). 2013-03-13 12:37:54 -04:00			`end`
			`end`