permit_all! to permit all attributes in a given key. #14317
Not sure about the syntax. Maybe we should try to come up with a better API. |
What can you recommend? I was also thinking of something like ActionController::AnyParam to avoid problems with keys |
/cc @fxn |
Based on the tests, how's this different than: params.require(:book).permit! |
I had a similar conversation at the tail end of #9454. I personally just need something that works. There is no solution that I know of whose aesthetics please everyone. |
I am in favor of this. |
We need this! |
This is really needed for custom data in the form of hashes |
+1 for reviewing this use case and coming up with a strong solution, e.g. translated fields seem to be a big pain: either a loop is needed for allowing each locale variation of the field, or an explicit .permit! statement for each translated field and passing in the fields as a hash. cc @guy-silva |
As @carlosantoniodasilva and @rafaelfranca said, this is possible to do using permit! |
For example, I want to send a message with complete custom content
In this case I want to make sure message is required and with a user id and a content.
This does not work, because inside content are other keys that are not whitelisted. But I want to permit any attribute only for the Either I'm missing something or this is not possible with Edit: better phrasing |
@Draiken as @rafaelfranca has suggested the solution to your example would be:
The above solution is not great. I personally love the solution that @alvarezloaiciga has put forth in this PR but none of the rails devs are biting. |
Oh well, at least I can make it work, as awkward as it ends up looking. Thanks @lanej :) |
Yeah, I had the same issue; the current version of it is not scalable. The deeper the hash is, the harder it is to permit all params. @lanej do you have an idea on how we can get rails devs in here? |
@alvarezloaiciga Rails devs are already here... @carlosantoniodasilva @rafaelfranca and @guilleiguaran are all from the core team. Aside from that, this use case was documented in our guides from the very beginning: http://guides.rubyonrails.org/action_controller_overview.html#outside-the-scope-of-strong-parameters See also: |
@senny I just tried what's in the documentation with little success. My current fix is to |
@AlexCppns sorry but you need to provide more context. What is not working with:

```ruby
params.require(:product).permit(:name).tap do |whitelisted|
  whitelisted[:data] = params[:product][:data]
end
```
|
@senny What I saw in the documentation link you provided was:
I will try your solution. What is the syntax when you have several attributes, half are json and the others are regular attributes? |
@AlexCppns the one in the docs should work for flat json documents. If you have arbitrary json you can use the snippet I provided above. There is no special syntax for these attributes, it's just regular ruby, effectively by-passing the strong-parameters api by directly assigning the attributes:

```ruby
JSON_ATTRS = [:payload, :data]

params.require(:product).permit(:name).tap do |whitelisted|
  # Copy each free-form attribute past strong parameters, unfiltered.
  JSON_ATTRS.each do |attr|
    # Read from the same :product scope that require(:product) returned.
    whitelisted[attr] = params[:product][attr]
  end
end
```
|
Oh I see, sorry I was misreading it. |
Can we reopen this issue please? I'm trying to pass in a serialized Hash with arbitrary keys and the current implementation of strong parameters just doesn't work in this case ... This is a pretty common use case actually. :-) Thanks! |
@joelpresence I think the exact scenario you describe is listed in our guides. See http://guides.rubyonrails.org/action_controller_overview.html#outside-the-scope-of-strong-parameters |
@senny that works only with flat JSON; if you have hashes nested in hashes, for now the only way to bypass is:

```ruby
params.require(:device).permit(:name).tap do |whitelisted|
  whitelisted[:data] = params[:device][:data] if params[:device][:data]
end
```
|
@andersodt could you be a bit more specific? What is no longer working?
|
I have a Question model with a JSON type that stores different information about its possible answers. Depending on the question_type, a different structure might get thrown into the data column. Multiple choice, for instance, would look something like this:
Neither of these approaches saves the "data"
In Rails 4, I was using the whitelisted approach and it worked great, but haven't had any success since upgrading to the beta. |
@andersodt what about:

```ruby
params.require(:question).permit(:prompt, :question_type, :folder_id).tap { |w|
  w[:data] = params[:question][:data].to_unsafe_h if params[:question][:data]
}
```

Note the |
That did it. The "unpermitted parameter" notice still appears on the console but the data hash is being properly saved. Thanks! |
@andersodt yes, the unpermitted parameter notice is printed by the |
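
The `tap` workarounds in this thread copy the free-form attribute past strong parameters with no filtering at all. The following is an added example, not code from the thread or from Rails: a plain-Ruby check that can be run on the hash returned by `to_unsafe_h` before it is assigned. The method name `sanitize_json_blob`, the error class, the limits and the sample data are all assumptions made for illustration.

```ruby
# Limits and names below are assumptions for this added example.
MAX_DEPTH = 4      # deepest nesting accepted
MAX_NODES = 200    # total hash keys plus array elements accepted
SCALARS   = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

class UnsafeBlobError < StandardError; end

# Returns a deep copy holding only JSON-shaped data with string keys.
# Raises UnsafeBlobError when the blob is too deep, too large, or
# contains a value that is not a JSON scalar, array or object.
def sanitize_json_blob(value, depth = 0, budget = { left: MAX_NODES })
  raise UnsafeBlobError, "nesting deeper than #{MAX_DEPTH}" if depth > MAX_DEPTH
  case value
  when Hash
    value.each_with_object({}) do |(key, child), out|
      raise UnsafeBlobError, "too many nodes" if (budget[:left] -= 1) < 0
      raise UnsafeBlobError, "bad key #{key.inspect}" unless key.is_a?(String) || key.is_a?(Symbol)
      out[key.to_s] = sanitize_json_blob(child, depth + 1, budget)
    end
  when Array
    value.map do |child|
      raise UnsafeBlobError, "too many nodes" if (budget[:left] -= 1) < 0
      sanitize_json_blob(child, depth + 1, budget)
    end
  when *SCALARS
    value
  else
    raise UnsafeBlobError, "unsupported value of class #{value.class}"
  end
end

# Constructed sample: one possible shape of
# params[:question][:data].to_unsafe_h for a multiple-choice question.
SAMPLE_DATA = {
  "choices" => [
    { "label" => "A", "correct" => false },
    { "label" => "B", "correct" => true }
  ],
  "shuffle" => true
}.freeze

# In the controller snippet above, the raw assignment would become:
#   w[:data] = sanitize_json_blob(params[:question][:data].to_unsafe_h)
CLEAN = sanitize_json_blob(SAMPLE_DATA)
```

Rescuing `UnsafeBlobError` in the controller and answering with a 4xx status keeps an oversized or malformed blob out of the JSON column.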