fields_for_style needs to test for AC::Parameters

While iterating an AC::Parameters object, the object will mutate itself and stick AC::Parameters objects where there used to be hashes: f57092ad72/actionpack/lib/action_controller/metal/strong_parameters.rb (L632) If you use `permit` after this iteration, the `fields_for_style` method wouldn't return true because the child objects are now AC::Parameters objects rather than Hashes. fixes #23701
2022-11-09 12:12:34 -05:00 · 2016-02-17 16:12:18 -08:00 · 2016-02-17 16:12:18 -08:00 · 04b410f833
commit 04b410f833
parent f57092ad72
2 changed files with 22 additions and 1 deletions
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@ -602,7 +602,7 @@ module ActionController
      end

      def fields_for_style?
-        @parameters.all? { |k, v| k =~ /\A-?\d+\z/ && v.is_a?(Hash) }
+        @parameters.all? { |k, v| k =~ /\A-?\d+\z/ && (v.is_a?(Hash) || v.is_a?(Parameters)) }
      end

    private
--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@ -27,6 +27,27 @@ class ParametersPermitTest < ActiveSupport::TestCase
    end
  end

+  def walk_permitted params
+    params.each do |k,v|
+      case v
+      when ActionController::Parameters
+        walk_permitted v
+      when Array
+        v.each { |x| walk_permitted v }
+      end
+    end
+  end
+
+  test 'iteration should not impact permit' do
+    hash = {"foo"=>{"bar"=>{"0"=>{"baz"=>"hello", "zot"=>"1"}}}}
+    params = ActionController::Parameters.new(hash)
+
+    walk_permitted params
+
+    sanitized = params[:foo].permit(bar: [:baz])
+    assert_equal({"0"=>{"baz"=>"hello"}}, sanitized[:bar].to_unsafe_h)
+  end
+
  test 'if nothing is permitted, the hash becomes empty' do
    params = ActionController::Parameters.new(id: '1234')
    permitted = params.permit