Returns 400 bad request if required parameter is an empty hash #73

FotoVerite opened this Issue Dec 29, 2012 · 1 comment


None yet

2 participants


If one has a simple params def like this

def book_params
  params.require(:book).permit(:a, :b, :c)

and pass parameter book with empty hash or parameters that get deleted individually such as position it will returns a 400 error.

patch request  {:book => {:position => 2 } }

def update
  position = params[:book][:position].delete
  if @book.update_attributes(book_params)

This seems counter intuitive since if you are dealing with a PATCH request it is feasible that the only parameters passed might be deleted from the hash but still be a valid request and that other requests to the same url might need the definition in place.

It should be acceptable that a hash is passed with neither permitted nor non permitted parameters should pass and not return a 400 error.


Just to add to this, I'm working with another developer that was initially confused by this same thing. Throwing this in because, two independent parties getting confused by same thing might be a sign of something.

I do see however, there is a very explicit test that checks for this, introduced here:

The commit message is very explicit about it preventing bugs with params wrapped from JSON calls.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment