-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Strong params fix for Rails forms #1298
Conversation
Generated by 🚫 Danger |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please also add a changelog entry as bot suggested? Also it would be great to have a test that checks if not required params are slliced
Ok all checks now passing |
Could you please resolve the conflict? Thanks! |
@nbulaj sorted |
@georgepalmer Sorry to jump into the middle. |
@linhdangduy it's not a refactor. Rails form contain hidden fields such as utf_8 and authenticity token. We need to filter those out or Rails will raise an exception if the following setting is on:
|
@georgepalmer I see that current |
permit doesn't filter the parameters - it just marks them as acceptable for a mass update. So if extra parameters are sent through we get a ActionController::UnpermittedParameters exception. From the Rails docs:
|
Thank for the explaining. Originally, I think that you want to use this configure to be able to do But seem that with this changes, you want to disable the
At rails controller, |
To be honest I'm a bit confused by what you're getting at but I don't think action_on_unpermitted_parameters can, or should be, disabled at a controller level. That would be something somebody would set in their app and is outside the remit of a gem imho. Rails forms do normally include extra params such as utf_8 etc - you're just probably not used to seeing these as a more usual approach would be:
That won't work here though as the authorizations/new template is a form_tag rather than based around a model. |
Thank for your clarification.
By
So, if we still want to use this configure at default_rails_form_params = %i[utf8 authenticity_token commit]
permitted_params = %i[
client_id response_type redirect_uri scope
state code_challenge code_challenge_method
]
params.except(*default_rails_form_params).permit(*permitted_params) With 👆code, if you sent params other than |
Ah I see what you were getting at now! To be honest I think this really comes down to a stylistic thing. I've always used slice under the philosophy that if somebody injects extra parameters into the view and submits a form it'll be quietly swallowed rather than cause an error (which then leads to me scratching my head in Sentry working out who would ever do that). I work on high traffic sites where people are trying this kind of thing all the time though. You could quite legitimately argue the opposite that knowing is better and take an approach like you have. @nbulaj thoughts on best style for this repos? |
Actually it's a hard question of design, at least because somebody can override the controller and got some issue with the custom behavior and params. But I'm OK with slicing only params we really need. And it must be an overridable method with the list of such params so everybody can reuse and extend it. |
@nbulaj to be clear are you saying this is ok or you'd like additional changes to be made? |
Hi @georgepalmer . Sorry, I was on vacation, but now I'm back :) Let's move the list of params to a method, say |
@nbulaj ok I think we're good now |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Fix for part of #1287
As a Rails form will include other params such as a commit, utf_8 and authenticity_token we need to pull out only the params we require or we'll get a strong params exception when running Rails with the setting: