Add config.action_controller.permit_all_attributes to bypass StrongParameters protection
This commit is contained in:
parent
1e1bee3ab9
commit
1aaf4490b2
5 changed files with 43 additions and 1 deletions
@ -2,6 +2,7 @@ require 'active_support/rails'
|
|||
require 'abstract_controller'
|
||||
require 'action_dispatch'
|
||||
require 'action_controller/metal/live'
|
||||
require 'action_controller/metal/strong_parameters'
|
||||
|
||||
module ActionController
|
||||
extend ActiveSupport::Autoload
|
||||
|
|
|
@ -13,12 +13,13 @@ module ActionController
|
|||
end
|
||||
|
||||
class Parameters < ActiveSupport::HashWithIndifferentAccess
|
||||
cattr_accessor :permit_all_parameters, instance_accessor: false
|
||||
attr_accessor :permitted
|
||||
alias :permitted? :permitted
|
||||
|
||||
def initialize(attributes = nil)
|
||||
super(attributes)
|
||||
@permitted = false
|
||||
@permitted = self.class.permit_all_parameters
|
||||
end
|
||||
|
||||
def permit!
|
||||
|
|
|
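Review bot: `@permitted = self.class.permit_all_parameters` in `initialize` makes `permitted?` return nil instead of false whenever the class accessor has never been assigned, because `cattr_accessor` starts at nil and the railtie hunk below assigns the result of `app.config.action_controller.delete(:permit_all_parameters)`, which is nil when the option is absent; the replaced line always stored `false`. Coerce once at the source, `@permitted = self.class.permit_all_parameters || false`, or give the accessor an explicit default right after its declaration, `self.permit_all_parameters = false`. The accessor is also a process-wide switch that disables mass-assignment filtering for every Parameters instance, including the nested ones the test hunk checks, so it deserves a comment such as `# Global switch (config.action_controller.permit_all_parameters): when true, every Parameters instance starts out permitted and no filtering is applied.` The `Parameters` class continues past the end of this hunk.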
@ -19,6 +19,10 @@ module ActionController
|
|||
ActionController::Helpers.helpers_path = app.helpers_paths
|
||||
end
|
||||
|
||||
initializer "action_controller.parameters_config" do |app|
|
||||
ActionController::Parameters.permit_all_parameters = app.config.action_controller.delete(:permit_all_parameters)
|
||||
end
|
||||
|
||||
initializer "action_controller.set_configs" do |app|
|
||||
paths = app.config.paths
|
||||
options = app.config.action_controller
|
||||
|
|
|
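Review bot: The commit title names the option `permit_all_attributes`, but the key consumed here and asserted in the test hunks is `permit_all_parameters`; the title should use the real name so the log is searchable for it. Using `delete` removes the key before `action_controller.set_configs` runs, which is presumably deliberate so that the remaining options can be forwarded without an unknown `permit_all_parameters` setter being invoked, but nothing says so; a one-line comment would keep a later reader from changing it to `[]`, e.g. `# Consumed here rather than forwarded: Parameters reads the flag at instantiation time.` The body of the `set_configs` initializer continues outside the hunk.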
@ -56,4 +56,18 @@ class ParametersPermitTest < ActiveSupport::TestCase
|
|||
@params.permit!
|
||||
assert_equal @params.permitted?, @params.dup.permitted?
|
||||
end
|
||||
|
||||
test "permitted takes a default value when Parameters.permit_all_parameters is set" do
|
||||
begin
|
||||
ActionController::Parameters.permit_all_parameters = true
|
||||
params = ActionController::Parameters.new({ person: {
|
||||
age: "32", name: { first: "David", last: "Heinemeier Hansson" }
|
||||
}})
|
||||
|
||||
assert params.slice(:person).permitted?
|
||||
assert params[:person][:name].permitted?
|
||||
ensure
|
||||
ActionController::Parameters.permit_all_parameters = false
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
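Review bot: The `ensure` clause resets `permit_all_parameters` to `false` rather than to whatever it was before the test, so this test changes global class state for every test that runs after it (the accessor is nil until something assigns it) and a failure inside the `begin` still leaves the suite in a different state than it started in. Capture and restore instead: `previous = ActionController::Parameters.permit_all_parameters` before `begin`, and `ActionController::Parameters.permit_all_parameters = previous` in `ensure`. A companion assertion that a fresh `ActionController::Parameters.new(...)` is not `permitted?` while the switch is off would pin the secure default this commit relies on.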
@ -560,6 +560,28 @@ module ApplicationTests
|
|||
assert_equal '{"title"=>"foo"}', last_response.body
|
||||
end
|
||||
|
||||
test "config.action_controller.permit_all_parameters = true" do
|
||||
app_file 'app/controllers/posts_controller.rb', <<-RUBY
|
||||
class PostsController < ActionController::Base
|
||||
def create
|
||||
render :text => params[:post].permitted? ? "permitted" : "forbidden"
|
||||
end
|
||||
end
|
||||
RUBY
|
||||
|
||||
add_to_config <<-RUBY
|
||||
routes.prepend do
|
||||
resources :posts
|
||||
end
|
||||
config.action_controller.permit_all_parameters = true
|
||||
RUBY
|
||||
|
||||
require "#{app_path}/config/environment"
|
||||
|
||||
post "/posts", {:post => {"title" =>"zomg"}}
|
||||
assert_equal 'permitted', last_response.body
|
||||
end
|
||||
|
||||
test "config.action_dispatch.ignore_accept_header" do
|
||||
make_basic_app do |app|
|
||||
app.config.action_dispatch.ignore_accept_header = true
|
||||
|
|
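Review bot: The new integration test covers only the enabled path; nothing in this hunk asserts that a request made without `config.action_controller.permit_all_parameters = true` renders `forbidden`, so a regression that flips the default to permitted would pass, unless the earlier test ending at the `'{"title"=>"foo"}'` assertion already covers it, which this hunk does not show. A second test with the same `PostsController`, an `add_to_config` block containing only the `routes.prepend` part, and `assert_equal 'forbidden', last_response.body` would pin the default. The test name could also spell out the behaviour it checks, e.g. `"config.action_controller.permit_all_parameters = true marks all params permitted"`.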