Merge pull request #2717 from memberful/2716-splat-sanitize-params

Splat the arguments to strong_parameters#permit, fixes #2716

lib/devise/parameter_sanitizer.rb

@@ -47,19 +47,23 @@ module Devise
     end
 
     def sign_in
-      default_params.permit self.for(:sign_in)
+      permit self.for(:sign_in)
     end
 
     def sign_up
-      default_params.permit self.for(:sign_up)
+      permit self.for(:sign_up)
     end
 
     def account_update
-      default_params.permit self.for(:account_update)
+      permit self.for(:account_update)
     end
 
     private
 
+    def permit(keys)
+      default_params.permit(*Array(keys))
+    end
+
     # Change for(kind) to return the values in the @permitted
     # hash, allowing the developer to customize at runtime.
     def default_for(kind)

test/parameter_sanitizer_test.rb

@@ -68,5 +68,14 @@ if defined?(ActionController::StrongParameters)
         sanitizer.sanitize(:unknown)
       end
     end
+
+    test 'passes parameters to filter as arguments to sanitizer' do
+      params = {user: stub}
+      sanitizer = Devise::ParameterSanitizer.new(User, :user, params)
+
+      params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))
+
+      sanitizer.sanitize(:sign_in)
+    end
   end
 end