Open G-Rath opened 3 months ago
Ok I applied it to my test suite and was immediately reminded that I've got cases where I explicitly pass in an unpermitted param as I'm checking that you can't e.g. pass in `entity_id` to have the app create a relationship on a nested entity (as that id should be from the route), but maybe it would still make sense to enable it for development?
`strong_parameters` uses `action_on_unpermitted_parameters` to control what happens when an unpermitted param is found, which can be set to `false`, `:log`, or `:raise`. The default for production is `false` whereas in development and test it's `:log`, but maybe we should set it to `:raise` for the latter?

It makes sense for it to be silent in production because ultimately anything can be passed to our endpoints, but that's also why I think it would make sense to be very loud in dev and test as we should only be getting expected params.
I don't think historically we've had any significant issues or bugs around params that this would catch, but I have come across some instances of unpermitted params being filtered in apps (most commonly with the CSRF token) which raises my eyebrows as I'm usually hunting down a niche bug, so I think it could be a way of improving our hygiene a bit
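As an added illustration of the three settings discussed above (not code from this project, and not the `strong_parameters` gem itself), the following self-contained Ruby models what a `permit` call does with the unpermitted keys under `false`, `:log` and `:raise`. The request body, the permitted list and the `ParamFilter` class are constructed for the example; the exception class only mirrors the name and message shape of the real `ActionController::UnpermittedParameters`, and the nested `entity_id` case is the one described in the issue.

```ruby
require "logger"
require "stringio"

# Stand-in for ActionController::UnpermittedParameters (name and message shape
# only; this is an assumption for the example, not the gem's class).
class UnpermittedParameters < StandardError
  attr_reader :params

  def initialize(params)
    @params = params
    super("found unpermitted parameter#{'s' if params.size > 1}: " \
          "#{params.map { |p| ":#{p}" }.join(', ')}")
  end
end

# Simplified model of strong_parameters' permit filtering, written for this
# example. `permitted` uses the usual shape: [:name, { relationship: [:kind] }].
class ParamFilter
  def initialize(action_on_unpermitted_parameters: false, logger: Logger.new($stderr))
    @action = action_on_unpermitted_parameters
    @logger = logger
  end

  # Returns a hash holding only permitted keys; what happens to the rest depends
  # on the configured action: false = drop silently, :log = drop and log, :raise.
  def permit(params, permitted)
    unpermitted = []
    result = filter(params, permitted, unpermitted)
    handle_unpermitted(unpermitted) unless unpermitted.empty?
    result
  end

  private

  def filter(params, permitted, unpermitted)
    scalars = permitted.reject { |p| p.is_a?(Hash) }.map(&:to_s)
    nested  = permitted.select { |p| p.is_a?(Hash) }
                       .reduce({}) { |acc, h| acc.merge(h) }
                       .transform_keys(&:to_s)
    params.each_with_object({}) do |(key, value), out|
      key = key.to_s
      if scalars.include?(key)
        out[key] = value
      elsif nested.key?(key) && value.is_a?(Hash)
        out[key] = filter(value, nested[key], unpermitted)
      else
        unpermitted << key
      end
    end
  end

  def handle_unpermitted(keys)
    case @action
    when :raise then raise UnpermittedParameters, keys
    when :log   then @logger.debug("Unpermitted parameter(s): #{keys.map { |k| ":#{k}" }.join(', ')}")
    end
    # false (the production default): nothing happens, the keys just vanish
  end
end

# Constructed request body: a nested relationship carrying an entity_id that
# should only come from the route, plus a CSRF token passed through with the rest.
REQUEST_PARAMS = {
  "name" => "widget",
  "relationship" => { "kind" => "child", "entity_id" => 42 },
  "authenticity_token" => "constructed-token",
}.freeze

PERMITTED = [:name, { relationship: [:kind] }].freeze

# Production default (false): entity_id is dropped and nobody is told.
def silent_filtering
  ParamFilter.new(action_on_unpermitted_parameters: false).permit(REQUEST_PARAMS, PERMITTED)
end

# Current dev/test default (:log): same filtered result, plus a debug line.
def logged_filtering
  log = StringIO.new
  result = ParamFilter.new(action_on_unpermitted_parameters: :log, logger: Logger.new(log))
                      .permit(REQUEST_PARAMS, PERMITTED)
  [result, log.string]
end

# Proposed dev/test setting (:raise): the test that used to assert "entity_id was
# ignored" instead asserts that the request was rejected and which keys caused it.
def raising_filtering
  ParamFilter.new(action_on_unpermitted_parameters: :raise).permit(REQUEST_PARAMS, PERMITTED)
  :no_error
rescue UnpermittedParameters => e
  e.params
end

if __FILE__ == $PROGRAM_NAME
  p silent_filtering
  p logged_filtering
  p raising_filtering
end
```

The point of the third function is the one raised in the issue: a negative test that passes `entity_id` keeps working under `:raise`, it just changes from checking that the relationship was not created to expecting the unpermitted-parameters error, which also names the offending key instead of leaving it to be hunted down later.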