module StrongerParameters::ControllerSupport::PermittedParameters

Constants

DEFAULT_PERMITTED

Public Class Methods

included(klass)
# File lib/stronger_parameters/controller_support/permitted_parameters.rb, line 7
# Hooks the parameter whitelist into any controller that mixes this module in.
# Extends +klass+ with ClassMethods and registers +permit_parameters+ as a
# before_action (falls back to before_filter on ActionPack versions without
# before_action), so the filter runs ahead of every action on that controller.
#
# @param klass [Class] the including controller class
def self.included(klass)
  klass.extend ClassMethods
  hook = klass.respond_to?(:before_action) ? :before_action : :before_filter
  klass.public_send(hook, :permit_parameters)
end
sugar(value)
# File lib/stronger_parameters/controller_support/permitted_parameters.rb, line 13
# Converts a nested Ruby literal of constraints into the matching
# ActionController::Parameters constraint tree: an Array becomes
# Parameters.array(...), a Hash becomes Parameters.map(...), and any other
# value (a scalar constraint, nil, ...) is handed back untouched. Recurses so
# nested arrays/hashes are converted too.
#
# @param value [Array, Hash, Object] constraint literal, possibly nested
# @return [Object] the wrapped constraint, or +value+ itself for non-collections
def self.sugar(value)
  if value.is_a?(Array)
    ActionController::Parameters.array(*value.map { |element| sugar(element) })
  elsif value.is_a?(Hash)
    pairs = value.map { |key, nested| [key, sugar(nested)] }
    ActionController::Parameters.map(Hash[pairs])
  else
    value
  end
end

Private Instance Methods

flat_keys(hash)
# File lib/stronger_parameters/controller_support/permitted_parameters.rb, line 134
# Flattens a (possibly nested) hash into a list of dotted key paths, e.g.
# {"user" => {"name" => 1}} -> ["user.name", "user"]. Every nested hash
# contributes both its own key and the dotted paths of its children, so the
# difference of two such lists gives exactly the keys present in one but not
# the other (used to report which request keys were stripped).
#
# On ActionPack 5+ an ActionController::Parameters argument is unwrapped to
# its backing hash first (the reader is private, hence +send+).
# NOTE(review): only the top-level Parameters object is unwrapped; a nested
# value that is itself ActionController::Parameters rather than a Hash would
# not be recursed into — confirm against the Parameters#permit in use.
#
# @param hash [Hash, ActionController::Parameters]
# @return [Array<String, Symbol>] dotted key paths, nested paths before their parent key
def flat_keys(hash)
  if ActionPack::VERSION::MAJOR >= 5 && hash.is_a?(ActionController::Parameters)
    hash = hash.send(:parameters)
  end

  hash.flat_map do |key, value|
    next key unless value.is_a?(Hash)

    nested = flat_keys(value).map { |child| "#{key}.#{child}" }
    nested << key
  end
end
permit_parameters()
# File lib/stronger_parameters/controller_support/permitted_parameters.rb, line 83
# Before-action that enforces the permitted-parameter list for the current
# action. Looks up the constraints via the class-level
# +permitted_parameters_for+; an action configured as +:skip+ is left alone.
#
# Two modes, chosen by the class-level +log_unpermitted_parameters+ flag:
# * log-only: the keys that would have been stripped are reported (header and
#   log) but +params+ / +request.params+ are left untouched;
# * enforcing: +params+ and +request.params+ are replaced with the filtered set
#   and +params+ is marked permitted, so later code only ever sees whitelisted
#   keys. The filtered set is run through the request's parameter filter
#   before logging so sensitive values (passwords etc.) do not reach the log.
#
# @return [void]
def permit_parameters
  requested_action = params.fetch(:action).to_sym
  allowed = self.class.permitted_parameters_for(requested_action)
  return if allowed == :skip

  # TODO: invalid values should also be logged, but atm only invalid keys are
  log_only = self.class.log_unpermitted_parameters
  filtered = without_invalid_parameter_exceptions(log_only) { params.permit(allowed) }
  dropped = flat_keys(params) - flat_keys(filtered)
  show_unpermitted_keys(dropped, log_only)

  # Audit mode: report but do not modify the request.
  return if log_only

  # ActionPack 5+ keeps the real hash behind a private reader; older versions
  # expose the hash directly.
  backing = ActionPack::VERSION::MAJOR >= 5 ? params.send(:parameters) : params
  backing.replace(filtered)
  params.permit!
  request.params.replace(filtered)

  safe_to_log = request.send(:parameter_filter).filter(filtered) # Removing passwords, etc
  Rails.logger.info("  Filtered Parameters: #{safe_to_log.inspect}")
end
show_unpermitted_keys(unpermitted_keys, log_unpermitted)
# File lib/stronger_parameters/controller_support/permitted_parameters.rb, line 105
# Reports the request keys that were (or, in log-only mode, would have been)
# stripped. The message is always written to the Rails log; it is additionally
# set as a response header when the app configures
# +Rails.configuration.stronger_parameters_violation_header+ and a response
# object is present. Does nothing when there are no keys to report.
#
# The key names come from the request; they are embedded via +inspect+, which
# escapes control characters, so the header value carries no raw CR/LF.
#
# @param unpermitted_keys [Array<String>] dotted key paths (see +flat_keys+)
# @param log_unpermitted [Boolean] true when running in log-only mode
# @return [void]
def show_unpermitted_keys(unpermitted_keys, log_unpermitted)
  return if unpermitted_keys.empty?

  verb = log_unpermitted ? 'Found' : 'Removed'
  message = "#{verb} restricted keys #{unpermitted_keys.inspect} from parameters according to permitted list"

  config = Rails.configuration
  header = config.stronger_parameters_violation_header if config.respond_to?(:stronger_parameters_violation_header)
  response.headers[header] = message if response && header

  Rails.logger.info("  #{message}")
end
without_invalid_parameter_exceptions(log) { || ... }
# File lib/stronger_parameters/controller_support/permitted_parameters.rb, line 120
# Runs the block, temporarily switching ActionController::Parameters'
# +action_on_invalid_parameters+ to +:log+ when +log+ is truthy so that invalid
# values are logged instead of raising. The previous setting is restored even
# if the block raises. With +log+ falsy the block is simply yielded to.
#
# @param log [Boolean] whether to suppress invalid-parameter exceptions
# @return [Object] whatever the block returns
def without_invalid_parameter_exceptions(log)
  return yield unless log

  previous = ActionController::Parameters.action_on_invalid_parameters
  ActionController::Parameters.action_on_invalid_parameters = :log
  yield
ensure
  # Only restore when we actually changed the setting.
  ActionController::Parameters.action_on_invalid_parameters = previous if log
end