Merge pull request #22903 from prathamesh-sonpatki/allow-ac-parameters-hash-as-an-argument-to-routes
Allow AC::Parameters as an argument to url_helpers
commit
21dd85f1ee
3 changed files with 40 additions and 2 deletions
|
@ -1,3 +1,11 @@
|
|||
* Allow `ActionController::Parameters` instances as an argument to URL
|
||||
helper methods. An `ArguemntError` will be raised if the passed parameters
|
||||
are not secure.
|
||||
|
||||
Fixes #22832
|
||||
|
||||
*Prathamesh Sonpatki*
|
||||
|
||||
* Add option for per-form CSRF tokens.
|
||||
|
||||
*Ben Toews*
|
||||
|
|
|
@ -281,8 +281,17 @@ module ActionDispatch
|
|||
helper = UrlHelper.create(route, opts, route_key, url_strategy)
|
||||
mod.module_eval do
|
||||
define_method(name) do |*args|
|
||||
options = nil
|
||||
options = args.pop if args.last.is_a? Hash
|
||||
last = args.last
|
||||
options = case last
|
||||
when Hash
|
||||
args.pop
|
||||
when ActionController::Parameters
|
||||
if last.permitted?
|
||||
args.pop.to_h
|
||||
else
|
||||
raise ArgumentError, "Generating an URL from non sanitized request parameters is insecure!"
|
||||
end
|
||||
end
|
||||
helper.call self, args, options
|
||||
end
|
||||
end
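Review bot: The `when ActionController::Parameters` branch checks only `last.permitted?`, so after a blanket `permit!` every request-supplied key passes through `args.pop.to_h` into `helper.call` as an option. If the helper interprets reserved keys such as `:host` or `:protocol` (not visible in this hunk, so an assumption to confirm), request data could influence where a generated link points. I would add a comment above the branch, e.g. `# permitted? reflects only the caller's permit list; prefer permit(:key, ...) over permit! before passing params here`, and reword the message to `"Generating a URL from unsanitized request parameters is insecure!"`. The enclosing method starts before this hunk.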
|
||||
|
|
|
@ -3578,6 +3578,27 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
|
|||
assert_equal 'HEAD', @response.body
|
||||
end
|
||||
|
||||
def test_passing_action_parameters_to_url_helpers_raises_error_if_parameters_are_not_permitted
|
||||
draw do
|
||||
root :to => 'projects#index'
|
||||
end
|
||||
params = ActionController::Parameters.new(id: '1')
|
||||
|
||||
assert_raises ArgumentError do
|
||||
root_path(params)
|
||||
end
|
||||
end
|
||||
|
||||
def test_passing_action_parameters_to_url_helpers_is_allowed_if_parameters_are_permitted
|
||||
draw do
|
||||
root :to => 'projects#index'
|
||||
end
|
||||
params = ActionController::Parameters.new(id: '1')
|
||||
params.permit!
|
||||
|
||||
assert_equal '/?id=1', root_path(params)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def draw(&block)
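Review bot: The two new tests cover only the extremes, a fully unpermitted hash and a blanket `params.permit!`, and both use a `_path` helper; the selective-permit case that callers are expected to use is untested. Something like `params = ActionController::Parameters.new(id: '1', other: 'x').permit(:id)` followed by `assert_equal '/?id=1', root_path(params)` would pin that unlisted keys never reach the generated URL (assuming the test configuration drops unpermitted keys silently). The first test could also assert on the message of the error returned by `assert_raises`, so a different `ArgumentError` raised elsewhere does not satisfy it. `draw`'s body continues outside the hunk.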
|
||||
|
|