From b813b41224c73c4dc012a741b9f1556880fb0037 Mon Sep 17 00:00:00 2001 From: Jared Moody Date: Mon, 21 Feb 2022 22:29:53 -0800 Subject: [PATCH] Fixes #123 - Avoid Unpermitted parameters on Playlists::SongsController Calling `permit` on the base params makes other params that are submitted invalid - and there are others, such as playlist_id and authenticity_token. Because no params are being mass-assigned, there's no benefit to calling `permit` anyway, so remove `playlist_songs_params` Added a config to dev and test to raise when unpermitted params are passed to surface errors like this.
--- app/controllers/playlists/songs_controller.rb | 12 ++++-------- config/environments/development.rb | 2 ++ config/environments/test.rb | 2 ++ 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/app/controllers/playlists/songs_controller.rb b/app/controllers/playlists/songs_controller.rb
index 9f1c6e0d..de9ddd0d 100644
--- a/app/controllers/playlists/songs_controller.rb
+++ b/app/controllers/playlists/songs_controller.rb
@@ -29,7 +29,7 @@ def create end def destroy - if playlists_songs_params[:clear_all] + if params[:clear_all] @playlist.songs.clear else @playlist.songs.destroy(@song)
@@ -41,8 +41,8 @@ def destroy end def update - from_position = Integer(playlists_songs_params[:from_position]) - to_position = Integer(playlists_songs_params[:to_position]) + from_position = Integer(params[:from_position]) + to_position = Integer(params[:to_position]) playlists_song = @playlist.playlists_songs.find_by(position: from_position) playlists_song.update(position: to_position)
@@ -55,14 +55,10 @@ def find_playlist end def find_song - @song = Song.find(playlists_songs_params[:song_id]) unless playlists_songs_params[:clear_all] + @song = Song.find(params[:song_id]) unless params[:clear_all] end def find_all_song_ids @song_ids = @playlist.song_ids end - - def playlists_songs_params - params.permit(:from_position, :to_position, :clear_all, :song_id) - end end
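Review bot: `if params[:clear_all]` on the new line is a plain Ruby truthiness test on a raw request string, so `clear_all=false`, `clear_all=0` or an empty `clear_all=` all count as true and wipe the whole playlist instead of removing one song; the removed `permit`-based line had the same behaviour, so the commit neither introduces nor fixes it, but this is the line to fix it on. Cast the value explicitly: `if ActiveModel::Type::Boolean.new.cast(params[:clear_all])`. `find_song` in the last hunk makes the same test, so whichever form is chosen should be shared by both. The body of `destroy` continues past the end of this hunk.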
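Review bot: `Integer(params[:from_position])` and `Integer(params[:to_position])` on the two added lines raise `ArgumentError` or `TypeError` for a missing or non-numeric value, which surfaces as a server error rather than a client error, and `find_by(position: from_position)` two lines below returns nil for an unknown position so the following `update` call raises `NoMethodError`. Now that the values are read raw, this is the place to validate them: use `exception: false` (Ruby 2.6+) so a bad value becomes nil, reject early, and use `find_by!` so an unknown position is a 404. The result of `playlists_song.update` is also discarded, so a failed save is indistinguishable from success. The `update` method continues past the end of this hunk.
```ruby
def update
  from_position = Integer(params[:from_position], exception: false)
  to_position = Integer(params[:to_position], exception: false)
  return head(:unprocessable_entity) unless from_position && to_position

  playlists_song = @playlist.playlists_songs.find_by!(position: from_position)
  playlists_song.update(position: to_position)
  # … unchanged: rest of update, outside this hunk …
```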
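Review bot: `unless params[:clear_all]` on the new `find_song` line is the second copy of the same truthiness check that `destroy` makes, so the two methods only agree by coincidence; with `playlists_songs_params` now deleted there is room for a single private predicate both can call, e.g. `def clear_all?` / `ActiveModel::Type::Boolean.new.cast(params[:clear_all])` / `end`. `find_song` looks like a `before_action` (the filter declaration is outside this diff); if it is not restricted with `only:` to the song-specific actions, `Song.find(nil)` on `update` raises `ActiveRecord::RecordNotFound` and every reorder returns 404, so the `only:` list is worth confirming. The `private` section this hunk sits in begins before the hunk; the final `end` closing the class is visible.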
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 7e30d87d..3c766ddf 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -57,6 +57,8 @@ # Uncomment if you wish to allow Action Cable access from any origin. # config.action_cable.disable_request_forgery_protection = true + config.action_controller.action_on_unpermitted_parameters = :raise + config.active_job.queue_adapter = :sidekiq config.after_initialize do
diff --git a/config/environments/test.rb b/config/environments/test.rb
index ade7a45a..eca1d694 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -48,5 +48,7 @@ # Annotate rendered view with file names. # config.action_view.annotate_rendered_view_with_filenames = true + config.action_controller.action_on_unpermitted_parameters = :raise + config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX end
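Review bot: The added `action_on_unpermitted_parameters = :raise` fires for every controller in the app, not just `Playlists::SongsController`, and `authenticity_token`, `utf8` and `commit` are not in Rails' default `always_permitted_parameters` (`controller` and `action` only), so any other controller that still calls `params.permit` on the top-level hash will now raise `ActionController::UnpermittedParameters` in development; if those are not reworked in the same change, pair this with `config.action_controller.always_permitted_parameters = %w[controller action authenticity_token utf8 commit]` or expect a round of breakage. Production is left at Rails' default for that environment, which as far as I recall is to ignore unpermitted keys silently, so the "surface errors" intent in the description only holds outside production; a one-line comment above the setting, `# Raise on stray params in dev/test only; production keeps Rails' default of ignoring them`, would save the next reader the question.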
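Review bot: The new `action_on_unpermitted_parameters = :raise` line in test.rb carries no comment, unlike the surrounding settings, and the reason for it (issue #123, a top-level `params.permit` rejecting `authenticity_token` and `playlist_id`) lives only in the commit message; add `# Raise on unpermitted params so stray top-level permit calls fail tests (see #123)` above it. It is worth stating in that comment that controller and request specs which post extra form fields to a `permit`-ing action will now fail with `ActionController::UnpermittedParameters`, since that is the intended effect rather than a test bug.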