Skip to content

make always permitted parameters configurable #12682

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
guilleiguaran merged 0 commits into from
Dec 2, 2013
Merged

make always permitted parameters configurable #12682

guilleiguaran merged 0 commits into from
Dec 2, 2013

Conversation

@garysweaver
Copy link
Contributor

@garysweaver garysweaver commented Oct 28, 2013

originally submitted via rails/strong_parameters#174

Was getting errors related to 'format' not being allowed as a param. Having to permit 'format' everywhere is messy, but I wasn't sure about changing S.P. to always allow format for everyone, since it is a client-supplied param and there may be some valid reason to allow control over permittance of 'format' rather than always permitting it. It seemed that just allowing NEVER_UNPERMITTED_PARAMS to be modifiable would be the best idea, so I converted it into a configuration option, using fewer double negatives ("always_permitted_parameters"). Not sure if that works for everyone or not, so this is really just a conversation starter.

@garysweaver garysweaver mentioned this pull request Oct 28, 2013
Closed
@dmathieu
Copy link
Contributor

dmathieu commented Oct 29, 2013

👎
I'd much prefer to add format to the constant.
This might lead beginners to just allow all params everywhere for "simplicity", therefore leading to a potential security issue.

@garysweaver
Copy link
Contributor Author

garysweaver commented Oct 29, 2013

@dmathieu True, and my first inclination was to just add it to the constant, but

  1. 'format' is not injected by Rails. It is request-provided and request provided data must be handled by S.P. for safety. Turning this off for format is an application-level concern.
  2. Adding a configuration method allows for greater extension. There may be other application-specific data that should be allowed other than format that is deleted from params as it is retrieved in a before filter. Stopping this makes S.P. less-friendly to app developers.

@guilleiguaran guilleiguaran merged commit 09beae7 into rails:master Dec 2, 2013
@garysweaver garysweaver deleted the make_always_permitted_params_config_option branch December 4, 2013 17:14
@garysweaver garysweaver restored the make_always_permitted_params_config_option branch December 4, 2013 17:22
@garysweaver garysweaver deleted the make_always_permitted_params_config_option branch December 4, 2013 17:24
@rafael
Copy link
Contributor

rafael commented Jun 26, 2014

Question, why did this never made it to the repo? Is there a workaround for this situation? I see in the code the reference to the old constant still. It would be really nice is this could be configurable.

https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/strong_parameters.rb#L106

Thanks !

@garysweaver
Copy link
Contributor Author

garysweaver commented Jun 27, 2014

@rafael You caught me. I pulled a magic trick with this one, and we don't talk about it.

I don't have the need for this specific feature, so I'd rather if you or someone else who cares enough about it maybe re-implement it and re-PR. Thanks!

@rafael rafael mentioned this pull request Jun 27, 2014
Merged
@rafael
Copy link
Contributor

rafael commented Jun 27, 2014

@garysweaver done! :) #15933

rafael added a commit to rafael/rails that referenced this pull request Jun 27, 2014
@rafael
Add always_permitted_parameters as an option.
c197a7d 
* This commit adds back the always_permitted_parameters
  configuration option to strong paramaters.
* The initial pull requests where this feature was added
  are the following:
  - rails#12682
  - rails/strong_parameters#174
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@garysweaver @dmathieu @rafael @guilleiguaran