rails--rails/actionpack/test/controller/parameters/nested_parameters_test.rb

require 'abstract_unit'
require 'action_controller/metal/strong_parameters'

class NestedParametersTest < ActiveSupport::TestCase
  def assert_filtered_out(params, key)
    assert !params.has_key?(key), "key #{key.inspect} has not been filtered out"
  end

  test "permitted nested parameters" do
    params = ActionController::Parameters.new({
      book: {
        title: "Romeo and Juliet",
        authors: [{
          name: "William Shakespeare",
          born: "1564-04-26"
        }, {
          name: "Christopher Marlowe"
        }, {
          name: %w(malicious injected names)
        }],
        details: {
          pages: 200,
          genre: "Tragedy"
        },
        id: {
          isbn: 'x'
        }
      },
      magazine: "Mjallo!"
    })

    permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages }, :id ]

    assert permitted.permitted?
    assert_equal "Romeo and Juliet", permitted[:book][:title]
    assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
    assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
    assert_equal 200, permitted[:book][:details][:pages]

    assert_filtered_out permitted, :magazine
    assert_filtered_out permitted[:book], :id
    assert_filtered_out permitted[:book][:details], :genre
    assert_filtered_out permitted[:book][:authors][0], :born
    assert_filtered_out permitted[:book][:authors][2], :name
  end

  test "permitted nested parameters with a string or a symbol as a key" do
    params = ActionController::Parameters.new({
      book: {
        'authors' => [
          { name: 'William Shakespeare', born: '1564-04-26' },
          { name: 'Christopher Marlowe' }
        ]
      }
    })

    permitted = params.permit book: [ { 'authors' => [ :name ] } ]

    assert_equal 'William Shakespeare', permitted[:book]['authors'][0][:name]
    assert_equal 'William Shakespeare', permitted[:book][:authors][0][:name]
    assert_equal 'Christopher Marlowe', permitted[:book]['authors'][1][:name]
    assert_equal 'Christopher Marlowe', permitted[:book][:authors][1][:name]

    permitted = params.permit book: [ { authors: [ :name ] } ]

    assert_equal 'William Shakespeare', permitted[:book]['authors'][0][:name]
    assert_equal 'William Shakespeare', permitted[:book][:authors][0][:name]
    assert_equal 'Christopher Marlowe', permitted[:book]['authors'][1][:name]
    assert_equal 'Christopher Marlowe', permitted[:book][:authors][1][:name]
  end

  test "nested arrays with strings" do
    params = ActionController::Parameters.new({
      book: {
        genres: ["Tragedy"]
      }
    })

    permitted = params.permit book: {genres: []}
    assert_equal ["Tragedy"], permitted[:book][:genres]
  end

  test "permit may specify symbols or strings" do
    params = ActionController::Parameters.new({
      book: {
        title: "Romeo and Juliet",
        author: "William Shakespeare"
      },
      magazine: "Shakespeare Today"
    })

    permitted = params.permit({book: ["title", :author]}, "magazine")
    assert_equal "Romeo and Juliet", permitted[:book][:title]
    assert_equal "William Shakespeare", permitted[:book][:author]
    assert_equal "Shakespeare Today", permitted[:magazine]
  end

  test "nested array with strings that should be hashes" do
    params = ActionController::Parameters.new({
      book: {
        genres: ["Tragedy"]
      }
    })

    permitted = params.permit book: { genres: :type }
    assert_empty permitted[:book][:genres]
  end

  test "nested array with strings that should be hashes and additional values" do
    params = ActionController::Parameters.new({
      book: {
        title: "Romeo and Juliet",
        genres: ["Tragedy"]
      }
    })

    permitted = params.permit book: [ :title, { genres: :type } ]
    assert_equal "Romeo and Juliet", permitted[:book][:title]
    assert_empty permitted[:book][:genres]
  end

  test "nested string that should be a hash" do
    params = ActionController::Parameters.new({
      book: {
        genre: "Tragedy"
      }
    })

    permitted = params.permit book: { genre: :type }
    assert_nil permitted[:book][:genre]
  end

  test "fields_for-style nested params" do
    params = ActionController::Parameters.new({
      book: {
        authors_attributes: {
          :'0' => { name: 'William Shakespeare', age_of_death: '52' },
          :'1' => { name: 'Unattributed Assistant' },
          :'2' => { name: %w(injected names) }
        }
      }
    })
    permitted = params.permit book: { authors_attributes: [ :name ] }

    assert_not_nil permitted[:book][:authors_attributes]['0']
    assert_not_nil permitted[:book][:authors_attributes]['1']
    assert_empty permitted[:book][:authors_attributes]['2']
    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]
    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]

    assert_filtered_out permitted[:book][:authors_attributes]['0'], :age_of_death
  end

  test "fields_for-style nested params with negative numbers" do
    params = ActionController::Parameters.new({
      book: {
        authors_attributes: {
          :'-1' => { name: 'William Shakespeare', age_of_death: '52' },
          :'-2' => { name: 'Unattributed Assistant' }
        }
      }
    })
    permitted = params.permit book: { authors_attributes: [:name] }

    assert_not_nil permitted[:book][:authors_attributes]['-1']
    assert_not_nil permitted[:book][:authors_attributes]['-2']
    assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]
    assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]

    assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death
  end

  test "nested number as key" do
    params = ActionController::Parameters.new({
      product: {
        properties: {
          '0' => "prop0",
          '1' => "prop1"
        }
      }
    })
    params = params.require(:product).permit(:properties => ["0"])
    assert_not_nil        params[:properties]["0"]
    assert_nil            params[:properties]["1"]
    assert_equal "prop0", params[:properties]["0"]
  end
end
require abstract_unit in parameters tests 2012-07-20 01:32:15 -04:00			`require 'abstract_unit'`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`require 'action_controller/metal/strong_parameters'`

			`class NestedParametersTest < ActiveSupport::TestCase`
strong parameters filters permitted scalars 2013-01-20 11:59:53 -05:00			`def assert_filtered_out(params, key)`
			`assert !params.has_key?(key), "key #{key.inspect} has not been filtered out"`
			`end`

Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`test "permitted nested parameters" do`
			`params = ActionController::Parameters.new({`
			`book: {`
			`title: "Romeo and Juliet",`
			`authors: [{`
			`name: "William Shakespeare",`
			`born: "1564-04-26"`
			`}, {`
			`name: "Christopher Marlowe"`
strong parameters filters permitted scalars 2013-01-20 11:59:53 -05:00			`}, {`
Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`name: %w(malicious injected names)`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`}],`
			`details: {`
			`pages: 200,`
			`genre: "Tragedy"`
When executing permit with just a key that points to a hash, DO NOT allow all the hash params.require(:person).permit(:projects_attributes) was returning => {"projects_attributes"=>{"0"=>{"name"=>"Project 1"}}} When should return => {} You should be doing ... params.require(:person).permit(projects_attributes: :name) to get just the projects attributes you want to allow 2012-10-11 22:50:20 -04:00			`},`
			`id: {`
			`isbn: 'x'`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`}`
			`},`
			`magazine: "Mjallo!"`
			`})`

When executing permit with just a key that points to a hash, DO NOT allow all the hash params.require(:person).permit(:projects_attributes) was returning => {"projects_attributes"=>{"0"=>{"name"=>"Project 1"}}} When should return => {} You should be doing ... params.require(:person).permit(projects_attributes: :name) to get just the projects attributes you want to allow 2012-10-11 22:50:20 -04:00			`permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages }, :id ]`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00
			`assert permitted.permitted?`
			`assert_equal "Romeo and Juliet", permitted[:book][:title]`
			`assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]`
			`assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]`
			`assert_equal 200, permitted[:book][:details][:pages]`
strong parameters filters permitted scalars 2013-01-20 11:59:53 -05:00
			`assert_filtered_out permitted, :magazine`
			`assert_filtered_out permitted[:book], :id`
			`assert_filtered_out permitted[:book][:details], :genre`
			`assert_filtered_out permitted[:book][:authors][0], :born`
			`assert_filtered_out permitted[:book][:authors][2], :name`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`end`

hash filters should be accessed with symbols or strings 2012-11-30 11:24:16 -05:00			`test "permitted nested parameters with a string or a symbol as a key" do`
			`params = ActionController::Parameters.new({`
			`book: {`
			`'authors' => [`
			`{ name: 'William Shakespeare', born: '1564-04-26' },`
			`{ name: 'Christopher Marlowe' }`
			`]`
			`}`
			`})`

			`permitted = params.permit book: [ { 'authors' => [ :name ] } ]`

			`assert_equal 'William Shakespeare', permitted[:book]['authors'][0][:name]`
			`assert_equal 'William Shakespeare', permitted[:book][:authors][0][:name]`
			`assert_equal 'Christopher Marlowe', permitted[:book]['authors'][1][:name]`
			`assert_equal 'Christopher Marlowe', permitted[:book][:authors][1][:name]`

			`permitted = params.permit book: [ { authors: [ :name ] } ]`

			`assert_equal 'William Shakespeare', permitted[:book]['authors'][0][:name]`
			`assert_equal 'William Shakespeare', permitted[:book][:authors][0][:name]`
			`assert_equal 'Christopher Marlowe', permitted[:book]['authors'][1][:name]`
			`assert_equal 'Christopher Marlowe', permitted[:book][:authors][1][:name]`
			`end`

Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`test "nested arrays with strings" do`
			`params = ActionController::Parameters.new({`
Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`book: {`
			`genres: ["Tragedy"]`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`}`
			`})`

Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`permitted = params.permit book: {genres: []}`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`assert_equal ["Tragedy"], permitted[:book][:genres]`
			`end`

			`test "permit may specify symbols or strings" do`
			`params = ActionController::Parameters.new({`
Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`book: {`
			`title: "Romeo and Juliet",`
			`author: "William Shakespeare"`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`},`
Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`magazine: "Shakespeare Today"`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`})`

Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`permitted = params.permit({book: ["title", :author]}, "magazine")`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`assert_equal "Romeo and Juliet", permitted[:book][:title]`
			`assert_equal "William Shakespeare", permitted[:book][:author]`
			`assert_equal "Shakespeare Today", permitted[:magazine]`
			`end`

			`test "nested array with strings that should be hashes" do`
			`params = ActionController::Parameters.new({`
			`book: {`
			`genres: ["Tragedy"]`
			`}`
			`})`

			`permitted = params.permit book: { genres: :type }`
			`assert_empty permitted[:book][:genres]`
			`end`

			`test "nested array with strings that should be hashes and additional values" do`
			`params = ActionController::Parameters.new({`
			`book: {`
			`title: "Romeo and Juliet",`
			`genres: ["Tragedy"]`
			`}`
			`})`

			`permitted = params.permit book: [ :title, { genres: :type } ]`
			`assert_equal "Romeo and Juliet", permitted[:book][:title]`
			`assert_empty permitted[:book][:genres]`
			`end`

			`test "nested string that should be a hash" do`
			`params = ActionController::Parameters.new({`
			`book: {`
			`genre: "Tragedy"`
			`}`
			`})`

			`permitted = params.permit book: { genre: :type }`
			`assert_nil permitted[:book][:genre]`
			`end`
Support fields_for attributes, which may have numeric symbols as hash keys 2012-09-01 03:30:07 -04:00
			`test "fields_for-style nested params" do`
			`params = ActionController::Parameters.new({`
Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`book: {`
			`authors_attributes: {`
			`:'0' => { name: 'William Shakespeare', age_of_death: '52' },`
			`:'1' => { name: 'Unattributed Assistant' },`
Make AC::Parameters not inherited from Hash This is another take at #14384 as we decided to wait until `master` is targeting Rails 5.0. This commit is implementation-complete, as it guarantees that all the public methods on the hash-inherited Parameters are still working (based on test case). We can decide to follow-up later if we want to remove some methods out from Parameters. 2015-07-13 16:43:21 -04:00			`:'2' => { name: %w(injected names) }`
Support fields_for attributes, which may have numeric symbols as hash keys 2012-09-01 03:30:07 -04:00			`}`
			`}`
			`})`
Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`permitted = params.permit book: { authors_attributes: [ :name ] }`
Support fields_for attributes, which may have numeric symbols as hash keys 2012-09-01 03:30:07 -04:00
			`assert_not_nil permitted[:book][:authors_attributes]['0']`
strong parameters filters permitted scalars 2013-01-20 11:59:53 -05:00			`assert_not_nil permitted[:book][:authors_attributes]['1']`
			`assert_empty permitted[:book][:authors_attributes]['2']`
Support fields_for attributes, which may have numeric symbols as hash keys 2012-09-01 03:30:07 -04:00			`assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['0'][:name]`
strong parameters filters permitted scalars 2013-01-20 11:59:53 -05:00			`assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['1'][:name]`

			`assert_filtered_out permitted[:book][:authors_attributes]['0'], :age_of_death`
			`end`

			`test "fields_for-style nested params with negative numbers" do`
			`params = ActionController::Parameters.new({`
Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`book: {`
			`authors_attributes: {`
			`:'-1' => { name: 'William Shakespeare', age_of_death: '52' },`
			`:'-2' => { name: 'Unattributed Assistant' }`
strong parameters filters permitted scalars 2013-01-20 11:59:53 -05:00			`}`
			`}`
			`})`
Lets kepp using Ruby 1.9 syntax 2013-01-22 07:40:33 -05:00			`permitted = params.permit book: { authors_attributes: [:name] }`
strong parameters filters permitted scalars 2013-01-20 11:59:53 -05:00
			`assert_not_nil permitted[:book][:authors_attributes]['-1']`
			`assert_not_nil permitted[:book][:authors_attributes]['-2']`
			`assert_equal 'William Shakespeare', permitted[:book][:authors_attributes]['-1'][:name]`
			`assert_equal 'Unattributed Assistant', permitted[:book][:authors_attributes]['-2'][:name]`

			`assert_filtered_out permitted[:book][:authors_attributes]['-1'], :age_of_death`
Support fields_for attributes, which may have numeric symbols as hash keys 2012-09-01 03:30:07 -04:00			`end`
Strong parameters should permit nested number as key. Closes #12293 2013-09-22 10:57:21 -04:00
			`test "nested number as key" do`
			`params = ActionController::Parameters.new({`
			`product: {`
			`properties: {`
			`'0' => "prop0",`
			`'1' => "prop1"`
			`}`
			`}`
			`})`
			`params = params.require(:product).permit(:properties => ["0"])`
			`assert_not_nil params[:properties]["0"]`
			`assert_nil params[:properties]["1"]`
			`assert_equal "prop0", params[:properties]["0"]`
			`end`
Integrate ActionController::Parameters from StrongParameters gem 2012-07-12 01:50:42 -04:00			`end`