Add explicit wrap_parameters to all controllers (#2680)

* Add explicit wrap_parameters to controllers for flat JSON API support

Virtual attributes (has_rich_text, has_one_attached, delegated setters,
ActiveModel attrs) are not in Model.attribute_names, so wrap_parameters
auto-detection silently drops them from flat JSON requests. Add explicit
include: lists matching each controller's permitted params.

* Convert short-form wrap_parameters to explicit include: lists

Defense-in-depth: these controllers only have real-column params today,
so auto-detection works, but explicit lists prevent future regressions
if virtual attributes are added.

* Add flat JSON param tests for all wrap_parameters controllers

17 new tests covering every controller with wrap_parameters, verifying
that flat (unwrapped) JSON payloads are correctly wrapped and processed.
Focuses on virtual attributes that would be silently dropped without
explicit include: lists.
This commit is contained in:
Jeremy Daer
2026-03-09 21:47:05 -07:00
committed by GitHub
parent 71a1ee7031
commit a52b6f1c87
18 changed files with 213 additions and 4 deletions
@@ -1,5 +1,5 @@
class Account::JoinCodesController < ApplicationController
wrap_parameters :account_join_code
wrap_parameters :account_join_code, include: %i[ usage_limit ]
before_action :set_join_code
before_action :ensure_admin, only: %i[ update destroy ]
@@ -1,5 +1,5 @@
class Account::SettingsController < ApplicationController
wrap_parameters :account
wrap_parameters :account, include: %i[ name ]
before_action :ensure_admin, only: :update
before_action :set_account
@@ -1,4 +1,6 @@
class Boards::ColumnsController < ApplicationController
wrap_parameters :column, include: %i[ name color ]
include BoardScoped
before_action :set_column, only: %i[ show update destroy ]
+2
View File
@@ -1,4 +1,6 @@
class BoardsController < ApplicationController
wrap_parameters :board, include: %i[ name all_access auto_postpone_period_in_days public_description ]
include FilterScoped
before_action :set_board, except: %i[ index new create ]
@@ -1,4 +1,6 @@
class Cards::Comments::ReactionsController < ApplicationController
wrap_parameters :reaction, include: %i[ content ]
include CardScoped
before_action :set_comment
@@ -1,4 +1,6 @@
class Cards::ReactionsController < ApplicationController
wrap_parameters :reaction, include: %i[ content ]
include CardScoped
before_action :set_reactable
@@ -1,4 +1,6 @@
class Cards::StepsController < ApplicationController
wrap_parameters :step, include: %i[ content completed ]
include CardScoped
before_action :set_step, only: %i[ show edit update destroy ]
+2
View File
@@ -1,4 +1,6 @@
class CardsController < ApplicationController
wrap_parameters :card, include: %i[ title description image created_at last_active_at ]
include FilterScoped
before_action :set_board, only: %i[ create ]
@@ -1,4 +1,6 @@
class My::AccessTokensController < ApplicationController
wrap_parameters :access_token, include: %i[ description permission ]
skip_before_action :require_account
def index
@@ -1,5 +1,5 @@
class Notifications::SettingsController < ApplicationController
wrap_parameters :user_settings
wrap_parameters :user_settings, include: %i[ bundle_email_frequency ]
before_action :set_settings
@@ -1,4 +1,6 @@
class Signups::CompletionsController < ApplicationController
wrap_parameters :signup, include: %i[ full_name ]
layout "public"
disallow_account_scope
+2
View File
@@ -1,4 +1,6 @@
class SignupsController < ApplicationController
wrap_parameters :signup, include: %i[ email_address ]
disallow_account_scope
allow_unauthenticated_access
rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_signup_path, alert: "Try again later." }
@@ -1,4 +1,6 @@
class Users::JoinsController < ApplicationController
wrap_parameters :user, include: %i[ name avatar ]
layout "public"
def new
@@ -1,4 +1,6 @@
class Users::PushSubscriptionsController < ApplicationController
wrap_parameters :push_subscription, include: %i[ endpoint p256dh_key auth_key ]
before_action :set_push_subscriptions
def index
+1 -1
View File
@@ -1,5 +1,5 @@
class Users::RolesController < ApplicationController
wrap_parameters :user
wrap_parameters :user, include: %i[ role ]
before_action :set_user
before_action :ensure_permission_to_administer_user
+2
View File
@@ -1,4 +1,6 @@
class UsersController < ApplicationController
wrap_parameters :user, include: %i[ name avatar ]
before_action :set_user, except: %i[ index ]
before_action :ensure_permission_to_change_user, only: %i[ update destroy ]
+2
View File
@@ -1,4 +1,6 @@
class WebhooksController < ApplicationController
wrap_parameters :webhook, include: %i[ name url subscribed_actions ]
include BoardScoped
before_action :ensure_admin