Fixing entrypoint into actor stack that casts unpermitted attributes …

…to hash
samvera · Dec 5, 2024 · 64658a6 · 64658a6
1 parent 1062b7a
commit 64658a6
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/app/actors/hyrax/actors/environment.rb b/app/actors/hyrax/actors/environment.rb
@@ -8,7 +8,17 @@ class Environment
       def initialize(curation_concern, current_ability, attributes)
         @curation_concern = curation_concern
         @current_ability = current_ability
-        @attributes = attributes.to_h.with_indifferent_access
+
+        # TODO: how to safely permit a variable list of attributes if we don't know them in advance?
+        # This is no longer allowed because keys in attributes haven't been permitted yet
+        # @attributes = attributes.to_h.with_indifferent_access
+        #
+        # The following would work but would permit anything found in attributes
+        # attributes.each_key do |key|
+        #   attributes.permit(key.to_sym)
+        # end
+        # Or, is permit! any worse than iterating over keys?
+        @attributes = attributes&.permit!&.to_h&.with_indifferent_access
       end
 
       ##