Hashie::Mash doesn't play well with Rails and strong_parameters

[weppos]

I upgraded an app from Hashie::Mash 1.2 to 2.0 and I started to notice an incompatibility when using strong_parameters (thus Rails 4).

Have a look at the following example:

settings = { foo: "1", attributes: { title: "Value" } } 

# Mash 1.2
record.attributes = settings.attributes
# it works

# Mash 2.x
record.attributes = settings.attributes
# raises ActiveModel::ForbiddenAttributes

This happens because in the 2.x version, when a key is a Hash, it is automatically converted into a Mash.

The Mash instance responds to :permit? thus it triggers the ActiveModel forbidden attribute check.

  module ForbiddenAttributesProtection
    def sanitize_for_mass_assignment(*options)
      new_attributes = options.first
      if !new_attributes.respond_to?(:permitted?) || new_attributes.permitted?
        super
      else
        raise ActiveModel::ForbiddenAttributes
      end
    end
  end

But because there is no attribute permit, then #permit? returns false and the error is raised.

Is it intentional? Any suggestion? Any chance that the implementation of Hashie::Mash#respond_to? would not return true for #attribute? unless attribute exists in the Mash table?

[jch]

I didn't know about strong parameters until you brought it up here. This problem sounds specific to ActiveModel, so it makes sense to me to add a Hashie::ActiveModel module (or something simliar) that adds the additional methods. It sounds like you have a good grasp of the problem, would you be up trying to write up a pull request for this?

[weppos]

I'll try to have a look at it, but I'm not sure I can schedule some time immediately.

[Maxim-Filimonov]

@jch The problem is specific to active model but why does Mash needs to respond to key_not_in_mash? What's would be the use case for such scenario?

[jch]

I honestly don't remember. @mbleigh care to chime in?

[aew]

Any update here? This blocks upgrading active record to 4.0 in a standalone Grape app...

[Maxim-Filimonov]

I can do a pull request which removes hash responding to attributes not in hash. Not sure that's gonna be accepted

[aew]

Well, I would use your pull!

[Maxim-Filimonov]

Pull request is done. Checked - it works with rails 4 without forbidden attributes error:

# With rubygems version
2.0.0-p0 :001 > settings = {:username => 'Jonh', password: 'Bond' }
 => {:username=>"Jonh", :password=>"Bond"}
2.0.0-p0 :002 > m = Hashie::Mash.new(settings)
 => #<Hashie::Mash password="Bond" username="Jonh">
2.0.0-p0 :003 > u = User.create!
   (0.1ms)  begin transaction
  SQL (2.2ms)  INSERT INTO "users" ("created_at", "updated_at") VALUES (?, ?)  [["created_at", Sun, 21 Jul 2013 05:58:37 UTC +00:00], ["updated_at", Sun, 21 Jul 2013 05:58:37 UTC +00:00]]
   (2.3ms)  commit transaction
 => #<User id: 1, username: nil, password: nil, created_at: "2013-07-21 05:58:37", updated_at: "2013-07-21 05:58:37">
2.0.0-p0 :004 > u.update_attributes(m)
   (0.1ms)  begin transaction
   (0.1ms)  rollback transaction
ActiveModel::ForbiddenAttributesError: ActiveModel::ForbiddenAttributesError

# With pull request 
2.0.0-p0 :001 > u = User.first
  User Load (0.3ms)  SELECT "users".* FROM "users" ORDER BY "users"."id" ASC LIMIT 1
 => #<User id: 1, username: nil, password: nil, created_at: "2013-07-21 05:58:37", updated_at: "2013-07-21 05:58:37">
2.0.0-p0 :002 > settings = {:username => 'Jonh', password: 'Bond' }
 => {:username=>"Jonh", :password=>"Bond"}
2.0.0-p0 :003 > m = Hashie::Mash.new(settings)
 => #<Hashie::Mash password="Bond" username="Jonh">
2.0.0-p0 :004 > u.update_attributes(m)
   (0.2ms)  begin transaction
  SQL (5.3ms)  UPDATE "users" SET "username" = ?, "password" = ?, "updated_at" = ? WHERE "users"."id" = 1  [["username", "Jonh"], ["password", "Bond"], ["updated_at", Sun, 21 Jul 2013 06:00:29 UTC +00:00]]
   (2.6ms)  commit transaction
 => true
2.0.0-p0 :005 > u.reload
  User Load (0.4ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 1]]
 => #<User id: 1, username: "Jonh", password: "Bond", created_at: "2013-07-21 05:58:37", updated_at: "2013-07-21 06:00:29">

As suggested in ruby-grape/grape#404 proper support for forbidden attributes would be good as a separate gem.

[hasghari]

I noticed this issue as well. The quick solution for me was to call to_hash on the Hashie::Mash instance so it's not responding to permitted? anymore.

# Mash 2.x
record.attributes = settings.attributes.to_hash

[Maxim-Filimonov]

Thanks @hasghari, sounds like a good workaround but it feels a bit hacky to me to do it everywhere.
@jch, @mbleigh any chance of getting feedback on the proposed change?

[jch]

@Maxim-Filimonov sorry, don't know commit access anymore.

[jeveloper]

Guys, i appreciate all the work Intridea is doing , but this still isn't working out the of the box and Rails 4 won't work with strong parameters properly

please fix it :)
thank you

[rxx]

I fixed this on #125

[Maxim-Filimonov]

@mli-max this works for me, hope yours get merged..

[lynxnathan]

@intridea any plans on merging this?

[pruett]

@intridea any thoughts on merging in @mli-max's PR?

[mogetutu]

@intridea ping!

[jorge-d]

+1 !

[dblock]

I'm taking over Hashie. Fixed in #104.

[dblock]

The change in #104 solved this problem but introduced inconsistent behavior into a pure Mash, just for Rails. I am reverting #104 because of #146 and adding an ActiveModel extension, please take a look at #147, add your comments and suggestions.