Fixing entrypoint into actor stack that casts unpermitted attributes …

…to hash
samvera · Dec 6, 2024 · 1520896 · 1520896
1 parent 485800e
commit 1520896
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/app/actors/hyrax/actors/environment.rb b/app/actors/hyrax/actors/environment.rb
@@ -8,6 +8,12 @@ class Environment
       def initialize(curation_concern, current_ability, attributes)
         @curation_concern = curation_concern
         @current_ability = current_ability
+
+        # TODO: how to safely permit a variable list of attributes if we don't know them in advance?
+        # This is no longer allowed because keys in attributes haven't been permitted yet
+        # @attributes = attributes.to_h.with_indifferent_access
+        #
+        attributes.permit! if attributes.class == ActionController::Parameters
         @attributes = attributes.to_h.with_indifferent_access
       end
 

diff --git a/spec/controllers/hyrax/generic_works_controller_spec.rb b/spec/controllers/hyrax/generic_works_controller_spec.rb
@@ -379,7 +379,8 @@
             # makes one work, two file sets and calls ImportUrlJob twice.
             expect(actor).to receive(:create).with(Hyrax::Actors::Environment) do |env|
               expect(env.attributes['uploaded_files']).to eq []
-              expect(env.attributes['remote_files'].map! { |v| v.permit!.to_h }).to eq browse_everything_params.values
+              expect(env.attributes['remote_files']).to eq browse_everything_params.values
+              # expect(env.attributes['remote_files'].map! { |v| v.permit!.to_h }).to eq browse_everything_params.values
             end
 
             post :create, params: {