Do not show all objects if collection is given nil

[dnagir]

The problem

Let's asume the following piece of code:

= simple_form_for [@project, @story] do |f|
  = f.association :documents, :as => :check_boxes, collection: @documents

This will show the list of documents that come from the @documents variable.
BUT when the variable is not assigned (probably by mistake, not being speced) and thus is treated as nil, then all the documents are loaded.

This is a "security" flow because all users from all projects will see all documents on the system.

Proposed solution

If nil (or something non-eumerable I guess) is passed as collection option, then raise an exception warning about it.

For backwards compatibility it may be an configuration option that can enable this behaviour.

[nashby]

👍 for something like that.

[carlosantoniodasilva]

Sounds ok to raise an exception when collection key is present but nil. I think there's no need for a config option though, if anyone is doing that by mistake we'll probably be nicer by telling them as you said :)

As a side note, we'd expect something like that to be caught by the developer before sending something to production, hopefully :D.

[nashby]

What about just render a blank select without exception?

[rafaelfranca]

@nashby for me sounds good.

[carlosantoniodasilva]

Yeah, I think it's fine 🤘.