Previously we were taking ActionController::Parameters and completely
overriding #require, forcing it to return `self`, i.e., the entire
ActionController::Parameters object. This meant that we broke its
functionality, which is to return a slice of the params hash instead.
The consequence of this is that attempting to call #permit on a slice of
the params hash obtained via #require would not work:
``` ruby
params = ActionController::Parameters.new(
  { "course" => { "foo" => "bar" } }
)
params.require(:course)
params.require(:course).permit(:foo)
```
This commit fixes the permit matcher so that #require is proxied
instead, retaining the existing behavior.
This commit also adds a qualifier, #on, for asserting that your action
places a restriction on a slice of the params hash. The `permit` matcher
will properly track calls on child `params` instances. For example:
``` ruby
class UsersController < ActionController::Base
  def create
    User.create!(user_params)
    # ...
  end

  private

  # Only :name and :age from the :user slice reach the model.
  def user_params
    params.require(:user).permit(:name, :age)
  end
end

describe UsersController do
  it { should permit(:name, :age).for(:create).on(:user) }
end
```
If this fails, you'll get the following error message:
```
Expected POST #create to restrict parameters for :user to :name and :age,
but restricted parameters were :first_name and :last_name.
```