Explicit parameters only

[dblock]

We need a way to say: only the parameters declared are allowed. For a new API the whitelist of params could really be super useful for typos and wondering why filter_by_foobbar_id=.... isn't working when you mispelled foobar.

[tyre]

Something different from declared(params, include_missing: false)? If you would like it to raise errors, perhaps a declared!(params, options) method

[dblock]

I am thinking something global and declarative for an API.

[sunnyrjuneja]

@dblock Can I take this on? Also, if I don't respond within 30 days anyone else should feel free to take this on.

[dblock]

Of course @whatasunnyday, no need to ask, just make pull requests!

[Fryie]

IMHO declared(params) should be the default. Otherwise, it's just too easy to inject a mass assignment vulnerability in a Grape API. This lesson has been learned by Rails, that's why we first had attribute_accessible and now strong_params.

[23tux]

@Fryie +1

[wrtsprt]

+1!

[senhalil]

Any news on this feature? Currently we are handling this issue with a check along the lines of params.to_a - declared(params).to_a in dev/test but it is too crude.

I checked the existing PR's but it went a bit over my head unfortunately so don't think I can attack this ticket but I wanted to say that I found both of the following constructs very useful.

params(undeclared: :ignore / :raise) do
end

class MyAPI < Grape::API
   include Grape::Params::AllowAny::False / True
end

[dblock]

@timjnh asked for this feature again in #2358, anyone wants to try to take it on?