ryanb · bryanrite · Jan 28, 2014
diff --git a/lib/cancan/controller_resource.rb b/lib/cancan/controller_resource.rb
@@ -214,7 +214,9 @@ def name
     end
 
     def resource_params
-      if @options[:class]
+      if param_actions.include?(@params[:action].to_sym) && params_method.present?
+        return @controller.send(params_method)
+      elsif @options[:class]
         params_key = extract_key(@options[:class])
         return @params[params_key] if @params[params_key]
       end
@@ -226,6 +228,19 @@ def resource_params_by_namespaced_name
       @params[extract_key(namespaced_name)]
     end
 
+    def params_method
+      params_methods.each do |method|
+        return method if @controller.respond_to?(method, true)
+      end
+      nil
+    end
+
+    def params_methods
+      methods = ["#{@params[:action]}_params".to_sym, "#{name}_params".to_sym, :resource_params]
+      methods.unshift(@options[:param_method]) if @options[:param_method].present?
+      methods
+    end
+
     def namespace
       @params[:controller].split(/::|\//)[0..-2]
     end
@@ -252,6 +267,10 @@ def new_actions
       [:new, :create] + [@options[:new]].flatten
     end
 
+    def param_actions
+      [:create, :update]
+    end
+
     private
 
     def extract_key(value)

diff --git a/spec/cancan/controller_resource_spec.rb b/spec/cancan/controller_resource_spec.rb
@@ -488,4 +488,61 @@ class Section
     lambda { resource.load_and_authorize_resource }.should_not raise_error
     @controller.instance_variable_get(:@project).should be_nil
   end
+
+  context "with a strong parameters method" do
+
+    it "only calls the santitize method with actions matching param_actions" do
+      @params.merge!(:controller => "project", :action => "update")
+      stub(@controller).resource_params { raise 'Should not be called' }
+      resource = CanCan::ControllerResource.new(@controller)
+      stub(resource).param_actions { [:create] }
+
+      expect { resource.send("resource_params") }.to_not raise_error
+    end
+
+    it "uses the specified option for santitizing input" do
+      @params.merge!(:controller => "project", :action => "create")
+      stub(@controller).resource_params { {:resource => 'params'} }
+      stub(@controller).project_params { {:model => 'params'} }
+      stub(@controller).create_params { {:create => 'params'} }
+      stub(@controller).custom_params { {:custom => 'params'} }
+      resource = CanCan::ControllerResource.new(@controller, { :param_method => :custom_params })
+      resource.send("resource_params").should eq(:custom => 'params')
+    end
+
+    it "prefers to use the create_params method for santitizing input" do
+      @params.merge!(:controller => "project", :action => "create")
+      stub(@controller).resource_params { {:resource => 'params'} }
+      stub(@controller).project_params { {:model => 'params'} }
+      stub(@controller).create_params { {:create => 'params'} }
+      stub(@controller).custom_params { {:custom => 'params'} }
+      resource = CanCan::ControllerResource.new(@controller)
+      resource.send("resource_params").should eq(:create => 'params')
+    end
+
+    it "uses the proper action param based on the action" do
+      @params.merge!(:controller => "project", :action => "update")
+      stub(@controller).create_params { {:create => 'params'} }
+      stub(@controller).update_params { {:update => 'params'} }
+      resource = CanCan::ControllerResource.new(@controller)
+      resource.send("resource_params").should eq(:update => 'params')
+    end
+
+    it "prefers to use the <model_name>_params method for santitizing input if create is not found" do
+      @params.merge!(:controller => "project", :action => "create")
+      stub(@controller).resource_params { {:resource => 'params'} }
+      stub(@controller).project_params { {:model => 'params'} }
+      stub(@controller).custom_params { {:custom => 'params'} }
+      resource = CanCan::ControllerResource.new(@controller)
+      resource.send("resource_params").should eq(:model => 'params')
+    end
+
+    it "prefers to use the resource_params method for santitizing input if create or model is not found" do
+      @params.merge!(:controller => "project", :action => "create")
+      stub(@controller).resource_params { {:resource => 'params'} }
+      stub(@controller).custom_params { {:custom => 'params'} }
+      resource = CanCan::ControllerResource.new(@controller)
+      resource.send("resource_params").should eq(:resource => 'params')
+    end
+  end
 end