Permit only public keywords in ApplicationForm

maxim · maxim · commit faa3fa27b04d · 2023-03-23T13:16:07.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## Unreleased
 
+* Permit only public keywords in `ApplicationForm.filter_params`
 * Relax and tweak rubocop:
   * Prefer fixed indentation for multi-line arguments
   * Allow positional args on first line, keywords on next lines
diff --git a/example_app/app/forms/application_form.rb b/example_app/app/forms/application_form.rb
@@ -17,10 +17,14 @@ def param_key                 = model_name.param_key
     def attribute_names           = portrayal.keywords.without(:action, :method)
     def from_params(params, **kw) = new(**filter_params(params), **kw)
 
+    def public_attribute_names
+      attribute_names.select { |n| public_method_defined?(n) }
+    end
+
     def filter_params(params)
       params
         .require(param_key)
-        .permit(*attribute_names)
+        .permit(*public_attribute_names)
         .to_hash
         .transform_keys(&:to_sym)
     end
diff --git a/example_app/config/credentials.yml.enc b/example_app/config/credentials.yml.enc
@@ -1 +1 @@
-+55HkgjqsvjKqp8JjM/VHQpoQ/WOKz+MDVqrACXWrET0CdS60orEFMONZO66zgkvXsSQO0xdhu4DmVy7LQdAAt7pZEc4n1al5SlIqwAnvOXgsJNf8JhmKt2CvQ79LV6l+eGEOzAxVtefbyTCqMCvJGnl6vPSja+vWyKoc4frNdRdS7XVX/yyGxaEDvHNZM/1daeFkTzncjvnpDEkNP2K6/Z+yVbvEDEQiEAHjJsf8d1l+UY6soJzUdn7qYMdYKRSPDjFU3aGQikHlLNkru5o1vF0FjHdMgdGGPmHcnrNegpPYzAlB+Etm0KNb+D7K5S0Xfuw9NtnpA5CJSlPkb8uOkdcVr/KiNh7KfKdMeWKjITYeLfs1zyRIdJdaK2cFwhSxnSgaV9bSeqxJ+UgAmtMMmXk9Mg+gwzLcQE8--Nr4y+IbQi44HKbIk--ptnOtZx6lc1mGysVAJbcLg==
+ycI84xoF4RPiCTWeEIH2z6LzXd50WPmCMe05HsXITgk+EiNuc/EbjNXK2+zwbs2z6lMf/3XSqJLpYB1Zj6BkduNm6QCuCnJXqgDcN6IiWb46iaZY5UkPi7SPLRELkzrMlY7NxWvb6fUmCUKZsKSEv8tyABvLehAvmjR71HJ0Gu70adrH7t1CwIur0qXSBnkEmh+Ph83x9gIYsiiHpy5qUUzaZHvUv1hA/ZvOGWGOykNcGv4s0n65zMU44J0IIhAzgabp41kh+iodwYYKr3c+t1RFemuo0Xibdx6g61581ZB7ix6gNn4rN26AZa7giu35SkbeXE4c0M5BZzLLfunbIOLJUIUu0oO05kUi5EqXrnRe0wSs565th4ybgo7BZxWbDyPN9jzfar4GZpJ9sPQ7nwHB7F7Nvwu2kJn5--OKiQHak+Hl5y+vkh--WA9Vm8aXtCpJrBC3WIB5fQ==
diff --git a/example_app/config/master.key b/example_app/config/master.key
@@ -1 +1 @@
-ce40f0c5edc7a8ecb3927866240323d9
+72505aa321c9d2147743665efe130c05
diff --git a/narrative.rb b/narrative.rb
@@ -360,10 +360,14 @@ def param_key                 = model_name.param_key
       def attribute_names           = portrayal.keywords.without(:action, :method)
       def from_params(params, **kw) = new(**filter_params(params), **kw)
 
+      def public_attribute_names
+        attribute_names.select { |n| public_method_defined?(n) }
+      end
+
       def filter_params(params)
         params
           .require(param_key)
-          .permit(*attribute_names)
+          .permit(*public_attribute_names)
           .to_hash
           .transform_keys(&:to_sym)
       end

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-+55HkgjqsvjKqp8JjM/VHQpoQ/WOKz+MDVqrACXWrET0CdS60orEFMONZO66zgkvXsSQO0xdhu4DmVy7LQdAAt7pZEc4n1al5SlIqwAnvOXgsJNf8JhmKt2CvQ79LV6l+eGEOzAxVtefbyTCqMCvJGnl6vPSja+vWyKoc4frNdRdS7XVX/yyGxaEDvHNZM/1daeFkTzncjvnpDEkNP2K6/Z+yVbvEDEQiEAHjJsf8d1l+UY6soJzUdn7qYMdYKRSPDjFU3aGQikHlLNkru5o1vF0FjHdMgdGGPmHcnrNegpPYzAlB+Etm0KNb+D7K5S0Xfuw9NtnpA5CJSlPkb8uOkdcVr/KiNh7KfKdMeWKjITYeLfs1zyRIdJdaK2cFwhSxnSgaV9bSeqxJ+UgAmtMMmXk9Mg+gwzLcQE8--Nr4y+IbQi44HKbIk--ptnOtZx6lc1mGysVAJbcLg==`
	`1`	`+ycI84xoF4RPiCTWeEIH2z6LzXd50WPmCMe05HsXITgk+EiNuc/EbjNXK2+zwbs2z6lMf/3XSqJLpYB1Zj6BkduNm6QCuCnJXqgDcN6IiWb46iaZY5UkPi7SPLRELkzrMlY7NxWvb6fUmCUKZsKSEv8tyABvLehAvmjR71HJ0Gu70adrH7t1CwIur0qXSBnkEmh+Ph83x9gIYsiiHpy5qUUzaZHvUv1hA/ZvOGWGOykNcGv4s0n65zMU44J0IIhAzgabp41kh+iodwYYKr3c+t1RFemuo0Xibdx6g61581ZB7ix6gNn4rN26AZa7giu35SkbeXE4c0M5BZzLLfunbIOLJUIUu0oO05kUi5EqXrnRe0wSs565th4ybgo7BZxWbDyPN9jzfar4GZpJ9sPQ7nwHB7F7Nvwu2kJn5--OKiQHak+Hl5y+vkh--WA9Vm8aXtCpJrBC3WIB5fQ==`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-ce40f0c5edc7a8ecb3927866240323d9`
	`1`	`+72505aa321c9d2147743665efe130c05`