Explicit parameters only #810
Comments
Something different from
I am thinking something global and declarative for an API.
@dblock Can I take this on? Also, if I don't respond within 30 days anyone else should feel free to take this on.
Of course @whatasunnyday, no need to ask, just make pull requests!
IMHO declared(params) should be the default. Otherwise, it's just too easy to inject a mass assignment vulnerability in a Grape API. This lesson has been learned by Rails, that's why we first had attr_accessible and now strong_params.
@Fryie +1
+1!
Any news on this feature? Currently we are handling this issue with a check along the lines of I checked the existing PRs but it went a bit over my head unfortunately, so I don't think I can attack this ticket, but I wanted to say that I found both of the following constructs very useful.

We need a way to say: only the parameters declared are allowed. For a new API the whitelist of params could really be super useful for typos and wondering why filter_by_foobbar_id=.... isn't working when you misspelled foobar.
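The two points raised in this thread, rejecting parameters that were not declared (so a misspelled filter_by_foobbar_id fails loudly instead of silently) and keeping undeclared keys away from the model (the mass-assignment problem), can be demonstrated without waiting on the feature. The following is an added example written for this page; it is not Grape's code and not any of the commenters' code. The DeclaredParams module, the UndeclaredParamsError class, the DECLARATION tree and the toy User model are all made up for illustration; in a real Grape API you would call DeclaredParams.declared_only from a before block and it assumes the request params behave like a plain Hash.

```ruby
# Added example, not Grape's own code: a strict whitelist over request params
# and the mass-assignment bug it prevents. All names below are made up.
require 'set'

# Raised when a request carries parameters that were not declared.
class UndeclaredParamsError < StandardError
  attr_reader :keys

  def initialize(keys)
    @keys = keys
    super("undeclared parameters: #{keys.join(', ')}")
  end
end

module DeclaredParams
  module_function

  # Walks the incoming params against a declaration tree.
  # A declaration is a Hash: key => true for a scalar, key => { ... } for a nested hash.
  # Returns the dotted paths of every key that is not declared (e.g. "address.zip").
  # Type checking of declared values is left to the API's own requires/optional rules.
  def undeclared(declaration, params, prefix = nil)
    params.each_with_object([]) do |(key, value), extra|
      path = prefix ? "#{prefix}.#{key}" : key.to_s
      spec = declaration[key.to_s] || declaration[key.to_sym]
      if spec.nil?
        extra << path
      elsif spec.is_a?(Hash) && value.is_a?(Hash)
        extra.concat(undeclared(spec, value, path))
      end
    end
  end

  # Returns only the declared subset of params (recursing into nested hashes).
  # In strict mode any undeclared key aborts the request instead of being dropped,
  # which is what "explicit parameters only" asks for; non-strict mode silently
  # filters, which is what declared(params) gives you today.
  def declared_only(declaration, params, strict: true)
    extra = undeclared(declaration, params)
    raise UndeclaredParamsError, extra if strict && extra.any?

    params.each_with_object({}) do |(key, value), out|
      spec = declaration[key.to_s] || declaration[key.to_sym]
      next if spec.nil?

      out[key.to_s] = if spec.is_a?(Hash) && value.is_a?(Hash)
                        declared_only(spec, value, strict: strict)
                      else
                        value
                      end
    end
  end
end

# Toy model standing in for an ActiveRecord object with a sensitive attribute.
class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Mass assignment: every key in attrs becomes a setter call, admin included.
  def update(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# What the endpoint declares (made-up declaration for this example).
DECLARATION = { 'name' => true, 'email' => true, 'address' => { 'city' => true } }.freeze

# Constructed request: a client smuggles admin=true next to legitimate fields.
ATTACK_PARAMS = { 'name' => 'mallory', 'email' => 'm@example.com', 'admin' => true }.freeze

# Before: raw params go straight to the model, so admin is silently set.
def unsafe_update(params)
  User.new.update(params)
end

# After: only the declared subset reaches the model; strict mode rejects the request.
def safe_update(params, strict: false)
  User.new.update(DeclaredParams.declared_only(DECLARATION, params, strict: strict))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe admin: #{unsafe_update(ATTACK_PARAMS).admin}"
  puts "safe admin:   #{safe_update(ATTACK_PARAMS).admin}"
  begin
    safe_update(ATTACK_PARAMS, strict: true)
  rescue UndeclaredParamsError => e
    puts "strict mode rejected: #{e.message}"
  end
end
```

The non-strict path is equivalent to building the model from declared(params); the strict path is the behaviour this issue is asking for, and the dotted paths it reports are what makes a typo such as filter_by_foobbar_id visible to the caller instead of being ignored.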