Added ability to raise or log on unpermitted params.

2022-11-09 12:12:34 -05:00 · 2013-01-19 22:20:13 +08:00 · 2013-01-19 22:20:13 +08:00 · 130370b1c8
commit 130370b1c8
parent 0d65969e68
4 changed files with 117 additions and 6 deletions
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@ -19,6 +19,20 @@ module ActionController
    end
  end

+  # Raised when a supplied parameter is not expected.
+  #
+  #   params = ActionController::Parameters.new(a: "123", b: "456")
+  #   params.permit(:c)
+  #   # => ActionController::UnexpectedParameter: found unexpected keys: a, b
+  class UnexpectedParameters < IndexError
+    attr_reader :params
+
+    def initialize(params)
+      @params = params
+      super("found unpermitted parameters: #{params.join(", ")}")
+    end
+  end
+
  # == Action Controller \Parameters
  #
  # Allows to choose which attributes should be whitelisted for mass updating
@ -65,6 +79,7 @@ module ActionController
  #   params["key"] # => "value"
  class Parameters < ActiveSupport::HashWithIndifferentAccess
    cattr_accessor :permit_all_parameters, instance_accessor: false
+    cattr_accessor :action_on_unpermitted, instance_accessor: false

    # Returns a new instance of <tt>ActionController::Parameters</tt>.
    # Also, sets the +permitted+ attribute to the default value of
@ -222,6 +237,16 @@ module ActionController
        end
      end

+      unpermitted_keys = self.keys - params.keys
+      if unpermitted_keys.any?
+        case self.class.action_on_unpermitted
+        when :log
+          ActionController::Base.logger.debug "Unpermitted parameters: #{unpermitted_keys.join(", ")}"
+        when :raise
+          raise ActionController::UnexpectedParameters.new(unpermitted_keys)
+        end
+      end
+      
      params.permit!
    end

--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@ -21,21 +21,24 @@ module ActionController

    initializer "action_controller.parameters_config" do |app|
      ActionController::Parameters.permit_all_parameters = app.config.action_controller.delete(:permit_all_parameters) { false }
+      ActionController::Parameters.action_on_unpermitted = app.config.action_controller.action_on_unpermitted_params
    end

    initializer "action_controller.set_configs" do |app|
      paths   = app.config.paths
      options = app.config.action_controller

-      options.logger               ||= Rails.logger
-      options.cache_store          ||= Rails.cache
+      options.logger                        ||= Rails.logger
+      options.cache_store                   ||= Rails.cache

-      options.javascripts_dir      ||= paths["public/javascripts"].first
-      options.stylesheets_dir      ||= paths["public/stylesheets"].first
+      options.javascripts_dir               ||= paths["public/javascripts"].first
+      options.stylesheets_dir               ||= paths["public/stylesheets"].first

      # Ensure readers methods get compiled
-      options.asset_host           ||= app.config.asset_host
-      options.relative_url_root    ||= app.config.relative_url_root
+      options.asset_host                    ||= app.config.asset_host
+      options.relative_url_root             ||= app.config.relative_url_root
+
+      options.action_on_unpermitted_params  ||= (Rails.env.test? || Rails.env.development?) ? :log : false

      ActiveSupport.on_load(:action_controller) do
        include app.routes.mounted_helpers
--- a/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb
+++ b/actionpack/test/controller/parameters/log_on_unpermitted_params_test.rb
@ -0,0 +1,50 @@
+require 'abstract_unit'
+require 'action_controller/metal/strong_parameters'
+
+class LogOnUnpermittedParamsTest < ActiveSupport::TestCase
+  def setup
+    ActionController::Parameters.action_on_unpermitted = :log
+  end
+
+  def teardown
+    ActionController::Parameters.action_on_unpermitted = false
+  end
+
+  test "logs on unexpected params" do
+    params = ActionController::Parameters.new({
+      book: { pages: 65 },
+      fishing: "Turnips"
+    })
+
+    assert_logged("Unpermitted parameters: fishing") do
+      params.permit(book: [:pages])
+    end
+  end
+
+  test "logs on unexpected nested params" do
+    params = ActionController::Parameters.new({
+      book: { pages: 65, title: "Green Cats and where to find then." }
+    })
+
+    assert_logged("Unpermitted parameters: title") do
+      params.permit(book: [:pages])
+    end
+  end
+
+  private
+
+  def assert_logged(message)
+    old_logger = ActionController::Base.logger
+    log = StringIO.new
+    ActionController::Base.logger = Logger.new(log)
+
+    begin
+      yield
+
+      log.rewind
+      assert_match message, log.read
+    ensure
+      ActionController::Base.logger = old_logger
+    end
+  end
+end
--- a/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb
+++ b/actionpack/test/controller/parameters/raise_on_unpermitted_params_test.rb
@ -0,0 +1,33 @@
+require 'abstract_unit'
+require 'action_controller/metal/strong_parameters'
+
+class RaiseOnUnpermittedParamsTest < ActiveSupport::TestCase
+  def setup
+    ActionController::Parameters.action_on_unpermitted = :raise
+  end
+
+  def teardown
+    ActionController::Parameters.action_on_unpermitted = false
+  end
+
+  test "raises on unexpected params" do
+    params = ActionController::Parameters.new({
+      book: { pages: 65 },
+      fishing: "Turnips"
+    })
+
+    assert_raises(ActionController::UnexpectedParameters) do
+      params.permit(book: [:pages])
+    end
+  end
+
+  test "raises on unexpected nested params" do
+    params = ActionController::Parameters.new({
+      book: { pages: 65, title: "Green Cats and where to find then." }
+    })
+
+    assert_raises(ActionController::UnexpectedParameters) do
+      params.permit(book: [:pages])
+    end
+  end
+end