Strong Parameters throws deprecation when merging another Parameters object #26415

Closed
jfelchner opened this issue Sep 6, 2016 · 0 comments

jfelchner commented Sep 6, 2016

Steps to reproduce

```
irb(main):001:0> params_1 = ActionController::Parameters.new({})
<ActionController::Parameters {} permitted: false>
irb(main):002:0> params_2 = ActionController::Parameters.new({})
<ActionController::Parameters {} permitted: false>
irb(main):003:0> params_1.merge(params_2)
DEPRECATION WARNING: Method to_hash is deprecated and will be removed in Rails 5.1, as `ActionController::Parameters` no longer inherits from hash. Using this deprecated behavior exposes potential security problems. If you continue to use this method you may be creating a security vulnerability in your app that can be exploited. Instead, consider using one of these documented methods which are not deprecated: http://api.rubyonrails.org/v5.0.0.1/classes/ActionController/Parameters.html
```

Expected behavior

ActionController::Parameters knows everything it needs to carry over all of the permitted and required parameters and therefore it is detrimental to first convert it into a hash since that step removes all permitted and required information from the object being merged.

The resulting object should be an ActionController::Parameters object with the combined data and permissions of both of the original objects.

Actual behavior

See above

System configuration

Rails version: 5.0.0.1
Ruby version: 2.3.0

y-yagi added a commit to y-yagi/rails that referenced this issue Sep 7, 2016
`ActionController::Parameters#merge` calls `HashWithIndifferentAccess#merge`.
In addition, `HashWithIndifferentAccess#merge` calls
`HashWithIndifferentAccess#update`, which calls `#to_hash` on the argument.
But `ActionController::Parameters#to_hash` is deprecated, so a warning message is
displayed.
To avoid this, convert the object to a `Hash`.

Fixes rails#26415
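
The call chain described in the issue and commit message above can be reproduced without Rails, because Ruby's own `Hash#merge` implicitly calls `#to_hash` on a non-Hash argument. This is an added example, not code from Rails or from the commit: `ToyParameters` and its methods are hypothetical stand-ins, and the rule that a merged result is permitted only when both inputs are is an assumption of this sketch.

```ruby
# Hypothetical stand-in for ActionController::Parameters (not Rails code).
class ToyParameters
  WARNINGS = [] # deprecation messages are collected here instead of printed

  attr_reader :permitted

  def initialize(hash = {}, permitted: false)
    @parameters = hash.dup
    @permitted = permitted
  end

  def [](key)
    @parameters[key]
  end

  # Deprecated conversion: yields a plain Hash, so the permitted flag is gone.
  def to_hash
    WARNINGS << "to_hash is deprecated"
    @parameters.dup
  end

  # Before: the wrapper is passed straight to Hash#merge, which implicitly
  # converts a non-Hash argument by calling its #to_hash.
  def merge_implicit(other)
    self.class.new(@parameters.merge(other), permitted: @permitted)
  end

  # After: unwrap explicitly, so #to_hash is never reached.
  # Assumption: the result is permitted only if both inputs are; a plain Hash
  # argument counts as unpermitted.
  def merge_explicit(other)
    hash, ok = other.is_a?(ToyParameters) ? [other.raw, other.permitted] : [other, false]
    self.class.new(@parameters.merge(hash), permitted: @permitted && ok)
  end

  protected

  def raw
    @parameters
  end
end

if __FILE__ == $PROGRAM_NAME
  a = ToyParameters.new({ "name" => "x" }, permitted: true)   # constructed sample
  b = ToyParameters.new({ "admin" => "1" }, permitted: false) # constructed sample
  puts a.merge_implicit(b).permitted # the flag of b was never consulted
  puts ToyParameters::WARNINGS.size
  puts a.merge_explicit(b).permitted
end
```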