Add config.action_controller.permit_all_attributes to bypass StrongParameters protection

1aaf4490 · Guillermo Iguaran · 1e1bee3a · 1aaf4490 · 1aaf4490 · 1aaf4490
5 changed file
--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@@ -2,6 +2,7 @@
 require 'abstract_controller'
 require 'action_dispatch'
 require 'action_controller/metal/live'
+require 'action_controller/metal/strong_parameters'

 module ActionController
  extend ActiveSupport::Autoload

--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -13,12 +13,13 @@ def initialize(param)
  end

  class Parameters < ActiveSupport::HashWithIndifferentAccess
+    cattr_accessor :permit_all_parameters, instance_accessor: false
    attr_accessor :permitted
    alias :permitted? :permitted

    def initialize(attributes = nil)
      super(attributes)
-      @permitted = false
+      @permitted = self.class.permit_all_parameters
    end

    def permit!

--- a/actionpack/lib/action_controller/railtie.rb
+++ b/actionpack/lib/action_controller/railtie.rb
@@ -19,6 +19,10 @@ class Railtie < Rails::Railtie #:nodoc:
      ActionController::Helpers.helpers_path = app.helpers_paths
    end

+    initializer "action_controller.parameters_config" do |app|
+      ActionController::Parameters.permit_all_parameters = app.config.action_controller.delete(:permit_all_parameters)
+    end
+
    initializer "action_controller.set_configs" do |app|
      paths   = app.config.paths
      options = app.config.action_controller

--- a/actionpack/test/controller/parameters/parameters_permit_test.rb
+++ b/actionpack/test/controller/parameters/parameters_permit_test.rb
@@ -56,4 +56,18 @@ class ParametersPermitTest < ActiveSupport::TestCase
    @params.permit!
    assert_equal @params.permitted?, @params.dup.permitted?
  end
+
+  test "permitted takes a default value when Parameters.permit_all_parameters is set" do
+    begin
+      ActionController::Parameters.permit_all_parameters = true
+      params = ActionController::Parameters.new({ person: {
+        age: "32", name: { first: "David", last: "Heinemeier Hansson" }
+      }})
+
+      assert params.slice(:person).permitted?
+      assert params[:person][:name].permitted?
+    ensure
+      ActionController::Parameters.permit_all_parameters = false
+    end
+  end
 end
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -560,6 +560,28 @@ def create
      assert_equal '{"title"=>"foo"}', last_response.body
    end

+    test "config.action_controller.permit_all_parameters = true" do
+      app_file 'app/controllers/posts_controller.rb', <<-RUBY
+      class PostsController < ActionController::Base
+        def create
+          render :text => params[:post].permitted? ? "permitted" : "forbidden"
+        end
+      end
+      RUBY
+
+      add_to_config <<-RUBY
+        routes.prepend do
+          resources :posts
+        end
+        config.action_controller.permit_all_parameters = true
+      RUBY
+
+      require "#{app_path}/config/environment"
+
+      post "/posts", {:post => {"title" =>"zomg"}}
+      assert_equal 'permitted', last_response.body
+    end
+
    test "config.action_dispatch.ignore_accept_header" do
      make_basic_app do |app|
        app.config.action_dispatch.ignore_accept_header = true