Ensure params filtering take precedence over hash/array objects #567
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This matches the current Rails implementation of parameter filtering, where it is possible to set a filter that will hide an entire array or nested hash, instead of just the inner keys.
Consider the following params payload:
Currently we can set a filter for both "username" and "password", but setting for the entire "user" params hash does not work, it's simply ignored, because we parse hashes separately looking at each individual key first - before checking the configured filter.
With this change, setting a filter for "user" would effectively hide it from the payload, scrubbing the field as expected, since we first check the filter before proceeding with other processing.
Unrelated: I'm getting this failure locally on both master and this branch:
I haven't stopped to check it properly, but doesn't seem to be related to the changes here since it's also happening on master.
Let me know if I can help with anything!