grape
Explicit parameters only
We need a way to say: only the parameters declared are allowed. For a new API, a whitelist of params could really be super useful for catching typos, rather than wondering why filter_by_foobbar_id=.... isn't working when you misspelled foobar.
Something different from declared(params, include_missing: false)? If you would like it to raise errors, perhaps a declared!(params, options) method.
I am thinking something global and declarative for an API.
@dblock Can I take this on? Also, if I don't respond within 30 days anyone else should feel free to take this on.
Of course @whatasunnyday, no need to ask, just make pull requests!
IMHO declared(params) should be the default. Otherwise, it's just too easy to inject a mass assignment vulnerability in a Grape API. This lesson has been learned by Rails, that's why we first had attribute_accessible and now strong_params.
@Fryie +1
+1!
Any news on this feature? Currently we are handling this issue with a check along the lines of params.to_a - declared(params).to_a in dev/test, but it is too crude.
I checked the existing PRs, but they went a bit over my head unfortunately, so I don't think I can attack this ticket, but I wanted to say that I found both of the following constructs very useful.
params(undeclared: :ignore / :raise) do
end
class MyAPI < Grape::API
include Grape::Params::AllowAny::False / True
end
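The top-level params.to_a - declared(params).to_a check mentioned earlier misses undeclared keys nested inside hashes and arrays of hashes, which is exactly where a mass-assignment key like admin tends to hide. The following is an added illustration, not Grape's own code and not from any commenter: it walks incoming params against a declared-parameter tree and reports every undeclared path, with an undeclared: :ignore / :raise switch mirroring the semantics proposed above. The DECLARED tree (a nested Hash, nil marking a leaf) is a constructed stand-in for what Grape's declared(params) knows about, and SAMPLE_PARAMS is constructed input; in a real API the check would run in a before block against the request params.

```ruby
# Added example: recursive detection of parameters that were sent but
# never declared. Not Grape's API; the declared tree below is an assumed
# stand-in for the information Grape's `declared(params)` carries.

class UndeclaredParamsError < StandardError; end

# Assumed schema: a nested Hash. A nil value means "declared scalar (or
# array of scalars)"; a Hash value means "declared object, or array of
# objects, with these keys".
DECLARED = {
  name: nil,
  email: nil,
  address: { city: nil, zip: nil },
  tags: nil,                          # array of scalars
  contacts: { kind: nil, value: nil } # array of hashes
}.freeze

# Constructed request params, including a mass-assignment attempt (admin)
# and undeclared keys buried in a nested hash and in an array element.
SAMPLE_PARAMS = {
  name: 'Ada',
  email: 'ada@example.com',
  admin: true,
  address: { city: 'London', zip: 'N1', country: 'UK' },
  tags: %w[a b],
  contacts: [{ kind: 'phone', value: '1' },
             { kind: 'x', value: '2', primary: true }]
}.freeze

# Look a key up in the declared tree whether it arrives as a Symbol or a
# String (Grape params are often string-keyed). Returns [known?, subtree].
def declared_entry(declared, key)
  return [true, declared[key.to_sym]] if declared.key?(key.to_sym)
  return [true, declared[key.to_s]] if declared.key?(key.to_s)
  [false, nil]
end

# Return dotted paths ("address.country", "contacts[1].primary") for every
# key present in `actual` but absent from `declared`, descending into
# nested hashes and arrays of hashes.
def undeclared_paths(declared, actual, prefix = nil)
  actual.each_with_object([]) do |(key, value), paths|
    path = prefix ? "#{prefix}.#{key}" : key.to_s
    known, sub = declared_entry(declared, key)
    unless known
      paths << path
      next
    end
    next unless sub.is_a?(Hash) # declared as a leaf: nothing more to check
    if value.is_a?(Hash)
      paths.concat(undeclared_paths(sub, value, path))
    elsif value.is_a?(Array)
      value.each_with_index do |item, i|
        paths.concat(undeclared_paths(sub, item, "#{path}[#{i}]")) if item.is_a?(Hash)
      end
    end
  end
end

# Drop every undeclared key, recursively. This is the :ignore behaviour,
# roughly what a strict `declared(params, include_missing: false)` would do.
def prune_undeclared(declared, actual)
  actual.each_with_object({}) do |(key, value), out|
    known, sub = declared_entry(declared, key)
    next unless known
    out[key] =
      if sub.is_a?(Hash) && value.is_a?(Hash)
        prune_undeclared(sub, value)
      elsif sub.is_a?(Hash) && value.is_a?(Array)
        value.map { |item| item.is_a?(Hash) ? prune_undeclared(sub, item) : item }
      else
        value
      end
  end
end

# :raise rejects the request when anything undeclared is present;
# :ignore silently strips it. Both return the pruned params on success.
def enforce_declared!(declared, actual, undeclared: :raise)
  extra = undeclared_paths(declared, actual)
  if undeclared == :raise && !extra.empty?
    raise UndeclaredParamsError, "undeclared parameters: #{extra.join(', ')}"
  end
  prune_undeclared(declared, actual)
end

if __FILE__ == $PROGRAM_NAME
  puts "undeclared: #{undeclared_paths(DECLARED, SAMPLE_PARAMS).inspect}"
  puts "pruned:     #{enforce_declared!(DECLARED, SAMPLE_PARAMS, undeclared: :ignore).inspect}"
end
```

Raising (rather than pruning) is the better default for a new API: a pruned admin=true disappears silently and the client never learns its request was malformed, whereas a 400 with the offending paths surfaces both typos and injection attempts during development.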
@timjnh asked for this feature again in #2358; does anyone want to try to take it on?