
Exception on unexpected params when enabled. #75

Closed

7 participants

Thomas Drake-Brockman Mario Visic Rebecca Skinner David Heinemeier Hansson Rafael Mendonça França Jeremy Kemper Sam Ruby
Thomas Drake-Brockman

Added the ability for developers to enable reporting of unexpected parameters.

To enable, add config.raise_on_unexpected_params = true to whichever environment file is required.

This would satisfy the request in #66.

Mario Visic

+1 would be very useful.

Thomas Drake-Brockman

That should fix the failing travis builds.

Rebecca Skinner

\o/

Thomas Drake-Brockman

Rebased to remove changes to .gitignore.

David Heinemeier Hansson
Owner
dhh commented January 04, 2013

Good stuff. But let's stick the option on config.action_controller.raise_on_unexpected_params -- it's weird just floating off config itself.

Thomas Drake-Brockman

@dhh sure, I'll change that up right now.

Rafael Mendonça França
Owner

Also, before adding things here, it is better to add them to Rails itself.

David Heinemeier Hansson
Owner
dhh commented January 04, 2013
Thomas Drake-Brockman

@rafaelfranca OK. I'll get that done.

Thomas Drake-Brockman

Pull request has been submitted against rails/rails here: rails/rails#8752

Thomas Drake-Brockman

I'll be porting the changes requested at rails/rails#8752 back to this pull request.

Thomas Drake-Brockman

This should now be in line with what was accepted into Rails here: rails/rails#8752.

lib/strong_parameters/railtie.rb
... ...
@@ -7,5 +7,10 @@ class Railtie < ::Rails::Railtie
7 7
     else
8 8
       config.generators.scaffold_controller = :strong_parameters_controller
9 9
     end
  10
+
  11
+    config.after_initialize do
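Review bot: `config.after_initialize` at line 11 runs after the `action_controller.set_configs` initializer has already copied `app.config.action_controller` onto the controller, so a value set here is not picked up, and the unknown key left in `app.config.action_controller` makes Rails raise. Set the option in an initializer declared `:before => "action_controller.set_configs"` and remove the key from the config with `app.config.action_controller.delete(:raise_on_unexpected_params)`, as the protected_attributes railtie referenced below does.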
Rafael Mendonça França Owner

This option should be set before action_controller.set_configs and deleted from app.config.action_controller, or Rails will raise an exception.

See https://github.com/rails/protected_attributes/blob/master/lib/protected_attributes/railtie.rb#L10 for an example.

Cheers for the example, needed that. Will fix.

Thomas Drake-Brockman

@rafaelfranca OK, made that change. Let me know if that's OK now.

lib/strong_parameters/railtie.rb
... ...
@@ -7,5 +7,13 @@ class Railtie < ::Rails::Railtie
7 7
     else
8 8
       config.generators.scaffold_controller = :strong_parameters_controller
9 9
     end
  10
+
  11
+    config.before_configuration do |app|
  12
+      config.action_controller.raise_on_unexpected_params = (Rails.env.test? || Rails.env.development?)
  13
+    end
  14
+
  15
+    initializer "strong_parameters.config", :before => "active_controller.set_configs" do |app|
  16
+      ActionController::Parameters.raise_on_unexpected = app.config.action_controller.delete(:raise_on_unexpected_params)
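Review bot: the initializer name at line 15, `:before => "active_controller.set_configs"`, is misspelled (`active_controller` instead of `action_controller`), so the before-constraint does not attach to the real `action_controller.set_configs` initializer and the ordering this fix depends on is not guaranteed; correct the string. The `before_configuration` block at lines 11-13 is also unnecessary once the delete at line 16 carries the default itself: `app.config.action_controller.delete(:raise_on_unexpected_params) { Rails.env.test? || Rails.env.development? }`.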
Rafael Mendonça França Owner

Just

ActionController::Parameters.raise_on_unexpected = app.config.action_controller.delete(:raise_on_unexpected_params) { Rails.env.test? || Rails.env.development? }

will work fine

Rafael Mendonça França
Owner

We renamed the option to raise_on_unpermitted_parameters

See rails/rails@1401f96

Thomas Drake-Brockman

@rafaelfranca I'm away from my computer for a week starting in 5 minutes. I will get this done immediately on my return.

Thanks for the feedback and guiding.

David Heinemeier Hansson
Owner
dhh commented January 08, 2013

This isn't working out well in practice for me. This case shows it well:

    # two permit calls on the same params object, one per helper
    if person = authenticate(params.permit(:username, :password, :sig))
      sign_in person, params.permit(:remember_me)
    end

First of all, I'll get a raise on action and controller parameters because they're present at the root. Second, I will get raises on the first permit call because :remember_me is present, and on the second one because the others are present.

I don't see a way around this at the moment, so I think we're going to have to revert.

Jeremy Kemper
Owner

We could track which params were touched with #permit or #require and have #tainted return those that were not. Then report on unexpected params after the action:

    after_action do |c|
      if c.params.tainted.any?
        raise "You have some params that you didn't #permit or #require: #{c.params.tainted.keys.to_sentence}"
      end
    end
Thomas Drake-Brockman

In response to the example by @dhh, in such a situation I would write something like:

    def create
      # slice (not select) keeps only the named keys of the permitted hash
      if person = authenticate(auth_params.slice(:username, :password, :sig))
        sign_in person, auth_params.slice(:remember_me)
      end
    end

    private

    # a single permit call covers everything the action handles
    def auth_params
      params.permit(:username, :password, :remember_me)
    end

Alternatively, the authenticate and sign_in methods could be written such that unexpected keys aren't a problem, and in that case the .slice statements could be dropped.

As I said before, in the vast majority of cases in what I see as a typical Rails application, the params being handled relate directly to a resource, and so I think the example above will be reasonably rare.

Please give me your thoughts @rafaelfranca, @jeremy and @dhh.

David Heinemeier Hansson
Owner
dhh commented January 14, 2013
Sam Ruby

The previous/current implementation had:

options.raise_on_unexpected_params ||= (Rails.env.test? || Rails.env.development?)

Logging would be a useful addition to the production environment.

David Heinemeier Hansson
Owner
dhh commented January 14, 2013
Thomas Drake-Brockman

@dhh Very happy to make the default a log entry. Should I make such changes against https://github.com/rails/rails first?

Would you prefer two configuration toggles, one for raising an exception and one for logging, or one config option which takes a symbol, :log or :raise?
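The two ideas above, tracking which params were touched by #permit / #require so that leftovers are reported once after the action (Jeremy's proposal) and choosing between raising and logging with a single :raise / :log setting (the question just asked), as one added example in plain Ruby. This is not code from this pull request, from strong_parameters or from Rails; the class and method names (TrackedParameters, #tainted, #report_unpermitted!, the on_unpermitted option) and the toy authenticate / sign_in helpers are assumptions made for the example, and it is run against dhh's sessions#create case from above.

```ruby
# Added example, not from the pull request or from strong_parameters/Rails:
# a stand-in for ActionController::Parameters that records which keys were
# handled by #permit / #require, so leftovers are reported once, after the
# action, rather than on every #permit call. Names are assumptions.
require 'set'

class UnpermittedParameters < StandardError; end

class TrackedParameters
  # Rails places these at the root of params; no controller permits them.
  ROUTING_KEYS = %w[controller action].freeze

  def initialize(hash, on_unpermitted: :raise, log: [])
    @hash = hash.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
    @touched = Set.new(ROUTING_KEYS)
    @on_unpermitted = on_unpermitted # :raise, :log or nil (ignore)
    @log = log
  end

  # Returns only the listed keys and records them as handled.
  def permit(*keys)
    keys = keys.map(&:to_s)
    @touched.merge(keys)
    @hash.select { |k, _| keys.include?(k) }
  end

  # Like #require: the key must be present; it is recorded as handled.
  def require(key)
    key = key.to_s
    raise KeyError, "param is missing: #{key}" unless @hash.key?(key)
    @touched << key
    @hash[key]
  end

  # Keys sent by the client that nothing in the action permitted or required.
  def tainted
    @hash.reject { |k, _| @touched.include?(k) }
  end

  # The after_action check: one report per request, raised or logged.
  def report_unpermitted!
    return nil if tainted.empty?
    message = "Unpermitted parameters: #{tainted.keys.join(', ')}"
    case @on_unpermitted
    when :raise then raise UnpermittedParameters, message
    when :log   then @log << message
    end
    message
  end
end

# Toy stand-ins for the controller helpers in dhh's example.
def authenticate(creds)
  creds['username'] == 'alice' && creds['password'] == 'secret' ? creds['username'] : nil
end

def sign_in(person, opts)
  { user: person, remember: opts['remember_me'] == '1' }
end

# sessions#create as written above: two #permit calls on the same params
# object, then the after_action check. Returns the sign_in result or nil.
def create_session(params)
  result = nil
  if (person = authenticate(params.permit(:username, :password, :sig)))
    result = sign_in(person, params.permit(:remember_me))
  end
  params.report_unpermitted!
  result
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request carrying only keys the action handles plus routing keys:
  # neither #permit call raises and nothing is left tainted.
  clean = TrackedParameters.new({ controller: 'sessions', action: 'create',
                                  username: 'alice', password: 'secret',
                                  sig: 'abc', remember_me: '1' })
  p create_session(clean) # {:user=>"alice", :remember=>true}

  # Constructed request with an extra key; in :log mode it is recorded once.
  log = []
  noisy = TrackedParameters.new({ username: 'alice', password: 'secret',
                                  sig: 'abc', admin: 'true' },
                                on_unpermitted: :log, log: log)
  create_session(noisy)
  puts log.first # Unpermitted parameters: admin
end
```

Because the check runs once at the end of the request, :remember_me is not flagged by the first #permit call and :username / :password / :sig are not flagged by the second, which is exactly the double-raise problem described above; switching on_unpermitted between :raise and :log is the production-versus-development choice Sam Ruby raised.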

David Heinemeier Hansson
Owner
dhh commented January 14, 2013
Thomas Drake-Brockman thomasfedb referenced this pull request in rails/rails January 19, 2013
Merged

Raise or log unpermitted params. #8999

Thomas Drake-Brockman

I changed branch so any discussion should continue here: #85

Thomas Drake-Brockman thomasfedb closed this January 19, 2013
Sasha Gerrand sgerrand referenced this pull request from a commit in sgerrand/rails January 08, 2013
David Heinemeier Hansson Revert "unpermitted params" exception -- it's just not going to work.…
… See the discussion on rails/strong_parameters#75.
cc1c3c5
wkj wkj referenced this pull request from a commit November 06, 2013
Commit has since been removed from the repository and is no longer available.