add strong_parameters

refs CNVS-16685 at this point, it is completely opt-in - you have to use strong_params instead of params in your controller. during mass assignment, if it's a strong params hash, it will only use that hash; if it's not, it will use attr_accessible /attr_protected handling of the new exception for the API is also included Change-Id: I0fbf3b68291ad6f02165b27e36b23cc3b666e330 Reviewed-on: https://gerrit.instructure.com/44217 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Jacob Fugal <jacob@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com> QA-Review: Cody Cutrer <cody@instructure.com>
2014-11-10 15:29:09 -07:00 · 2014-11-10 15:29:09 -07:00 · f34a2f38f0
parent 517fd5b754
commit f34a2f38f0
4 changed files with 40 additions and 0 deletions
--- a/Gemfile.d/other_stuff.rb
+++ b/Gemfile.d/other_stuff.rb
@ -5,6 +5,7 @@ if CANVAS_RAILS3
  gem 'builder', '3.0.0'
  gem 'tzinfo', '0.3.39'
  gem 'routing_concerns', '0.1.0'
+  gem 'strong_parameters', '0.2.3'
 else
  gem 'rails', '4.0.10'
  gem 'rack', '1.5.2'
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1044,6 +1044,8 @@ class ApplicationController < ActionController::Base
    when AuthenticationMethods::AccessTokenError
      add_www_authenticate_header
      data = { errors: [{message: 'Invalid access token.'}] }
+    when ActionController::ParameterMissing
+      data = { errors: [{message: "#{exception.param} is missing"}] }
    else
      if status_code.is_a?(Symbol)
        status_code_string = status_code.to_s
--- a/config/application.rb
+++ b/config/application.rb
@ -28,6 +28,9 @@ module CanvasRails
    config.filter_parameters.concat LoggingFilter.filtered_parameters
    config.action_dispatch.rescue_responses['AuthenticationMethods::AccessTokenError'] = 401
    config.action_dispatch.rescue_responses['AuthenticationMethods::LoggedOutError'] = 401
+    if CANVAS_RAILS3
+      config.action_dispatch.rescue_responses['ActionController::ParameterMissing'] = 400
+    end

    config.app_generators do |c|
      c.test_framework :rspec
--- a/config/initializers/strong_parameters.rb
+++ b/config/initializers/strong_parameters.rb
@ -0,0 +1,34 @@
+# default to *non* strong parameters
+ActionController::Base.class_eval do
+  def params
+    @_params ||= request.parameters
+  end
+
+  def strong_params
+    @_strong_params ||= ActionController::Parameters.new(request.parameters)
+  end
+
+  def params=(val)
+    @_strong_params = val.is_a?(Hash) ? ActionController::Parameters.new(val) : val
+    @_params = val
+  end
+end
+
+# completely ignore attr_accessible if it's a strong parameters
+module ForbiddenAttributesProtectionWithoutAttrAccessible
+  def sanitize_for_mass_assignment(*options)
+    new_attributes = options.first
+    if new_attributes.respond_to?(:permitted?)
+      raise ActiveModel::ForbiddenAttributes unless new_attributes.permitted?
+      new_attributes
+    else
+      super
+    end
+  end
+end
+
+ActiveRecord::Base.send(:include, ForbiddenAttributesProtectionWithoutAttrAccessible)
+
+ActionController::ParameterMissing.class_eval do
+  def skip_error_report?; true; end
+end