Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

Returns 400 bad request if required parameter is an empty hash #73

Open
FotoVerite opened this Issue · 1 comment

2 participants

@FotoVerite

If one has a simple params def like this

def book_params
  params.require(:book).permit(:a, :b, :c)
end

and pass parameter book with empty hash or parameters that get deleted individually such as position it will returns a 400 error.

patch request  {:book => {:position => 2 } }

def update
  position = params[:book][:position].delete
  if @book.update_attributes(book_params)
    @book.insert_at(new_position)
  #etc
end

This seems counter intuitive since if you are dealing with a PATCH request it is feasible that the only parameters passed might be deleted from the hash but still be a valid request and that other requests to the same url might need the definition in place.

It should be acceptable that a hash is passed with neither permitted nor non permitted parameters should pass and not return a 400 error.

@bemurphy

Just to add to this, I'm working with another developer that was initially confused by this same thing. Throwing this in because, two independent parties getting confused by same thing might be a sign of something.

I do see however, there is a very explicit test that checks for this, introduced here:

https://github.com/rails/strong_parameters/blob/e2d6ba29cdec02bb51167dd24fa5b499641d8226/test/parameters_require_test.rb#L5

The commit message is very explicit about it preventing bugs with params wrapped from JSON calls.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.