Closed ghost closed 2 years ago
Can this be merged please? :D
I don't think this is good from a security point of view. I don't mind calling to_unsafe_h on the main inputs because you have to define each input you want with a filter. We throw out everything else. In the case of a hash you could use set strip: false and pass in a bunch of params not realizing what you've got. If you use that in a mass assignment it could cause issues. That's why Rails added strong params. If someone wants to pass the params into a hash I think it might be more reasonable to make them call to_unsafe_h so they know they're avoiding strong params.
Convert ActionController::Parameters to hash for hash inputs, the same way ActiveInteraction already converts ActionController::Parameters for overall inputs.
Previously, if params is an ActionController::Params and h is a hash input, then Interaction.run(params) would work, but Interaction.run(h: params) would raise an InvalidValueError.
This PR makes the latter case "just work".
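The trade-off discussed in this thread, as an added Ruby example that is not code from Rails, ActiveInteraction or this PR: `FakeParams`, `filter_hash`, its `auto_convert` flag, `build_user` and `User` are hypothetical stand-ins, and the request is constructed. It shows how silently converting params for a hash input with `strip: false` lets an undeclared `admin` key reach mass assignment, while requiring an explicit `permit` or `to_unsafe_h` keeps that decision visible at the call site.

```ruby
# Stand-ins written for this example; not Rails or ActiveInteraction code.
class UnfilteredParameters < ArgumentError; end

# Mimics the relevant part of ActionController::Parameters: #to_h refuses
# unpermitted params, #to_unsafe_h hands back everything the client sent.
class FakeParams
  def initialize(raw, permitted: false)
    @raw = raw
    @permitted = permitted
  end

  def permit(*keys)
    FakeParams.new(@raw.slice(*keys), permitted: true)
  end

  def to_h
    raise UnfilteredParameters, "call permit or to_unsafe_h" unless @permitted
    @raw.dup
  end

  def to_unsafe_h
    @raw.dup
  end
end

# Hypothetical hash filter: declared keys are kept; with strip: false every
# other key is passed through as well. auto_convert models the proposed
# behaviour of converting params objects without the caller asking for it.
def filter_hash(value, declared:, strip: true, auto_convert: false)
  value = value.to_unsafe_h if auto_convert && value.is_a?(FakeParams)
  raise TypeError, "hash input must be a Hash" unless value.is_a?(Hash)
  strip ? value.slice(*declared) : value
end

# Hypothetical model built by mass assignment from the filtered hash.
User = Struct.new(:name, :admin, keyword_init: true)

def build_user(attrs)
  User.new(**attrs)
end

# Constructed request: the client added an "admin" key the form never had.
def request_params
  FakeParams.new({ name: "mallory", admin: true })
end
```

With `auto_convert: true` and `strip: false` the `admin` key survives into `build_user`; passing `request_params.permit(:name).to_h` instead drops it before the filter ever sees it.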