Strong Params require with permit combination produce unexpected exception #42953
Comments
Is this a typo and did you mean
|
No, the code is correct. I simulated a situation where the form was manually changed and a request with params was fabricated. During such actions we are guaranteed to get an error.
P.S. Of course I need the :text value. I see a possible fix as: if value.is_a?(ActionController::Parameters) |
Looking at the

```ruby
def require(key)
  return key.map { |k| require(k) } if key.is_a?(Array)
  value = self[key]
  if value.present? || value == false
    value
  else
    raise ParameterMissing.new(key, @parameters.keys)
  end
end
```

Basically, in your example Just be aware that the expected behavior according to the API is "If it's present, returns the parameter at the given key, otherwise raises an ActionController::ParameterMissing error". So the API is not making promises on the type of the returned parameter, only that it will be returned. There is also a quite old PR where the |
@brenogazzola I understand what you mean. |
I had assumed from your issue that your intent was to produce a better error message when the format of params did not match what the controller expected. IMO, if the controller expects comment to contain a text, and the form only sends the comment, raising an error is what I’d like Rails to do, so I know the exact place where the problem is. How would safe chaining be used? I’m not asking as a criticism, but as legitimate curiosity since I’ve never thought about using strong_params as anything other than a formal contract between controller and view on how to exchange data. |
@brenogazzola I'm just trying to say that the construction below (params.require().permit()) (which the Rails docs recommend: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html) is unsafe and produces errors in 100% of cases with fake data and doesn't give the ability to use it directly in code (as I want and as expected) without additional checks for preventing this attack, that's it. VERY simple construction.
|
Alright, in this case I'll recommend you cross post this on the |
You might also give another thought to the PR suggestion. It’s what Rails core members themselves recommend. |
This is also related to another recent issue: #42942 |
This issue has been automatically marked as stale because it has not been commented on for at least three months. |
Steps to reproduce
Expected behavior
raise ActionController::ParameterMissing error
Actual behavior
This code will return the String value 'some text' at the require(:comment) step, but after this we get 'some text'.permit(:comment) and an exception like:
GitHub response for this issue (as an example):
We can handle some additional checks with a tap block, but in my opinion it's overhead logic.
So maybe:
params.require(comment: {}).permit(...)
System configuration
Rails version:
RAILS: 6.1
Ruby version:
Ruby: 2.7
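The behaviour reported in this issue, with a type check placed between require and permit, as an added example that is not code from the issue or from Rails. `MiniParams`, `require_nested` and `outcome` are hypothetical names; `MiniParams` is a constructed stand-in for `ActionController::Parameters` so the block runs without Rails.

```ruby
# Constructed stand-in for ActionController::Parameters so this runs without
# Rails; it models only the behaviour discussed in the thread.
class ParameterMissing < KeyError; end

class MiniParams
  def initialize(hash)
    @parameters = hash.transform_keys(&:to_s)
  end

  def [](key)
    value = @parameters[key.to_s]
    value.is_a?(Hash) ? MiniParams.new(value) : value
  end

  def empty?
    @parameters.empty?
  end

  # Follows the require source quoted in the thread; present? is
  # approximated with nil?/empty? (false still counts as a value).
  def require(key)
    value = self[key]
    missing = value.nil? || (value.respond_to?(:empty?) && value.empty?)
    raise ParameterMissing, "param is missing or the value is empty: #{key}" if missing
    value
  end

  def permit(*keys)
    @parameters.slice(*keys.map(&:to_s))
  end
end

# Hypothetical helper: require a key and insist that it is a nested hash, so
# a scalar from a tampered form is rejected as a parameter error instead of
# reaching .permit on a String and raising NoMethodError.
def require_nested(params, key, klass = MiniParams)
  value = params.require(key)
  raise ParameterMissing, "param #{key} must be a hash" unless value.is_a?(klass)
  value
end

GOOD     = MiniParams.new("comment" => { "text" => "hi", "admin" => "1" }) # constructed
TAMPERED = MiniParams.new("comment" => "some text")                         # constructed

# Runs the block and returns its result, or the class of the error it raised.
def outcome(params)
  yield(params)
rescue ParameterMissing, NoMethodError => e
  e.class
end
```

In a Rails controller the same check would compare against `ActionController::Parameters` and raise `ActionController::ParameterMissing`, which Rails answers with 400 Bad Request by default, where the unhandled NoMethodError surfaces as a 500.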