fix permitted? conditional for render calls

Author: tenderlove

actionpack/lib/abstract_controller/rendering.rb

@@ -77,9 +77,12 @@ def view_assigns
     # render "foo/bar" to render :file => "foo/bar".
     # :api: plugin
     def _normalize_args(action=nil, options={})
-      if action.respond_to?(:permitted?) && action.permitted?
-        raise ArgumentError, "render parameters are not permitted"
-        action
+      if action.respond_to?(:permitted?)
+        if action.permitted?
+          action
+        else
+          raise ArgumentError, "render parameters are not permitted"
+        end
       elsif action.is_a?(Hash)
         action
       else

actionpack/test/controller/render_test.rb

@@ -56,6 +56,10 @@ def dynamic_render
     render params[:id] # => String, AC:Params
   end
 
+  def dynamic_render_permit
+    render params[:id].permit(:file)
+  end
+
   def dynamic_render_with_file
     # This is extremely bad, but should be possible to do.
     file = params[:id] # => String, AC:Params
@@ -276,6 +280,13 @@ def test_dynamic_render
     end
   end
 
+  def test_permitted_dynamic_render_file_hash
+    assert File.exist?(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb'))
+    response = get :dynamic_render_permit, { id: { file: '../\\../test/abstract_unit.rb' } }
+    assert_equal File.read(File.join(File.dirname(__FILE__), '../../test/abstract_unit.rb')),
+      response.body
+  end
+
   def test_dynamic_render_file_hash
     assert_raises ArgumentError do
       get :dynamic_render, { id: { file: '../\\../test/abstract_unit.rb' } }