So this was a fun one, after updating Sources API to use the common gem's `params_for_update` method I had some specs failing.

After digging into it more, the test that was failing was here: https://github.com/lindgrenj6/sources-api/blob/b06b2db350482cd3f7738101bdbf51751362d1a2/spec/requests/api/v3.0/sources_spec.rb#L330-L340

The problem is that the `sanctified_permit_param` method was returning _every_ field in the api_doc definition due to the fact that `Enum#each` always returns the array, e.g. attributes in this case, which is a truthy value. It was allowing any field through. Here is the value of `strong_params_hash` on the "Source" record when updating:

The intended behavior appeared to be only adding fields that are in the attributes array (e.g. anything that is writeable) would be included, and switching the check from `Enum#each` to `Enum#any?` does the trick, since it returns whether or not the attribute can be written. Here is the `strong_params_hash` after the change:

I'm not sure how this change will affect Catalog/Topology, so we should probably run tests against this PR for all repos using it before merging + releasing. It seems like the new behavior is what was intended - but I want to make sure.
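The following is an added illustration of the `each` versus `any?` behavior described above; it is not the gem's code. The definition hash, the `readOnly` marker and all method names are assumptions made for the example.

```ruby
# Constructed stand-in for an API doc definition (field => schema).
# Field names and the readOnly flag are hypothetical, chosen for illustration.
DEFINITION = {
  "id"     => { "type" => "string", "readOnly" => true },
  "name"   => { "type" => "string" },
  "tenant" => { "type" => "string", "readOnly" => true },
  "uid"    => { "type" => "string", "readOnly" => true },
}.freeze

# Writable attributes: every field not marked readOnly.
def writable_attributes(definition)
  definition.reject { |_, schema| schema["readOnly"] }.keys
end

# Before: the inner block's result is discarded. #each returns its receiver,
# and an Array is truthy in Ruby even when empty, so select keeps every field.
def permitted_with_each(definition, attributes)
  definition.select { |field, _| attributes.each { |attr| attr == field } }.keys
end

# After: #any? returns true only when the field is one of the writable attributes.
def permitted_with_any(definition, attributes)
  definition.select { |field, _| attributes.any? { |attr| attr == field } }.keys
end

# Apply a permit list to an incoming update body.
def filter_params(params, permitted)
  params.select { |key, _| permitted.include?(key) }
end

if __FILE__ == $PROGRAM_NAME
  attrs = writable_attributes(DEFINITION)
  # Constructed update body that includes two read-only fields.
  body = { "name" => "renamed", "tenant" => "other-tenant", "uid" => "changed" }
  p filter_params(body, permitted_with_each(DEFINITION, attrs))
  p filter_params(body, permitted_with_any(DEFINITION, attrs))
end
```

A request spec that sends a read-only field in an update and asserts it is rejected or ignored catches this kind of regression in each repo that consumes the permit list.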