Calling #reverse_merge on an ActionController::Parameters objects sets #permitted? to false

[Hammadk]

Calling #reverse_merge on an ActionController::Parameters object sets the #permitted value to false. For example:

x = ActionController::Parameters.new(x: 1).permit(:x)
y = ActionController::Parameters.new(y: 1).permit(:y)

x.permitted? 
=> true
y.permitted?
=> true

x.merge(y).permitted?
=> true
x.reverse_merge(y).permitted?
=> false

y.merge(x).permitted?
=> true 
y.reverse_merge(x).permitted?
=> false

This is because ActionController::Parameters#merge duplicates the entire object via self.dup.update, while #reverse_merge calls ActiveSupport::HashWithIndifferentAccess#reverse_merge which only copies the values of the other hash:

def merge(hash, &block)
  self.dup.update(hash, &block)
end

def reverse_merge(other_hash)
  super(self.class.new_from_hash_copying_default(other_hash))
end

cc: @nickhoffman

[rafaelfranca]

ActionController::Parameters is going to not inherit from Hash in future versions. When this happen reverse_merge will be not even defined on it (and neither it should be)

Thank you for reporting

[Hammadk]

@rafaelfranca Glad you have this under control. Should we add regression tests in version 0.2.4 to prevent this?

[rafaelfranca]

The implementation is not under this gem. It is only at the Rails repository and there are tests there.