Foreman API v2 - accepts_nested_attributes_for & strong_parameters

API v2 does not document 'accepts_nested_attributes_for' for most of the controllers. However, there are 3 controllers that currently document this:

app/controllers/api/v2/config_templates_controller.rb

  param :template_combinations_attributes, Array, :desc => "Array of template combinations (hostgroup_id, environment_id)"

app/controllers/api/v2/hosts_controller.rb

  param :host_parameters_attributes, Array

app/controllers/api/v2/domains_controller.rb

  param :domain_parameters_attributes, Array, :required => false, :desc => "Array of parameters (name, value)"

Question

  1. Should this documentation above be removed?

Note: Even if it is removed from the docs, all code will still work, since Foreman currently has not implemented 'strong_parameters' to whitelist the permitted params. Furthermore, *_attributes params will work on all other controllers even if not documented.

  2. Is it OK to implement 'strong_parameters' in API v2 to whitelist the permitted params, or is this too much of a potential breaking change that it needs to wait until API v3?

Regards,

Joseph
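
The note in the message above says that, without strong_parameters, any *_attributes key reaches the model whether documented or not, and the second question asks how much a whitelist would break. The following is an added example, not Foreman or Katello code and not Rails' own strong_parameters: a plain-Ruby stand-in that filters a constructed request against a whitelist built from the documented domains parameters and reports which keys would be dropped. `permit`, `audit`, `DOMAIN_SPEC`, the top-level `name` field and the sample keys are assumptions.

```ruby
# Minimal stand-in for a strong_parameters-style whitelist (plain Ruby, no Rails).
# spec: Symbols are permitted scalar keys; a Hash maps a nested *_attributes key
# to the spec applied to each of its entries.
def permit(params, spec, rejected = [], path = "")
  scalars = spec.grep(Symbol).map(&:to_s)
  nested  = spec.grep(Hash).reduce({}, :merge).transform_keys(&:to_s)
  params.each_with_object({}) do |(key, value), out|
    key = key.to_s
    if scalars.include?(key) && !value.is_a?(Hash) && !value.is_a?(Array)
      out[key] = value
    elsif nested.key?(key)
      entries = value.is_a?(Array) ? value : [value]
      out[key] = entries.grep(Hash).each_with_index.map { |entry, i|
        permit(entry, nested[key], rejected, "#{path}#{key}[#{i}].")
      }
    else
      rejected << "#{path}#{key}" # dropped before it can reach the model
    end
  end
end

# Whitelist built from what the v2 docs quoted above list for domains
# (name, value inside domain_parameters_attributes); :name at the top level
# is an assumption.
DOMAIN_SPEC = [:name, { domain_parameters_attributes: [:name, :value] }].freeze

# Constructed request body. "undocumented_attributes" and "extra_field" are
# hypothetical keys standing in for anything the docs do not mention.
REQUEST = {
  "name" => "example.com",
  "domain_parameters_attributes" => [
    { "name" => "ntp_server", "value" => "192.0.2.10", "extra_field" => "x" }
  ],
  "undocumented_attributes" => [{ "name" => "anything" }]
}.freeze

# Returns [what would reach the model, paths a whitelist would drop].
def audit(request, spec)
  rejected = []
  [permit(request, spec, rejected), rejected]
end

if __FILE__ == $PROGRAM_NAME
  permitted, rejected = audit(REQUEST, DOMAIN_SPEC)
  puts "reaches the model:    #{permitted}"
  puts "dropped by whitelist: #{rejected}"
end
```

The rejected list is what an API client sending undocumented keys would lose once a whitelist is enforced, which is the breaking-change surface the second question is about.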

I'd say document this properly for v2, and if strong_parameters is going to
whitelist reasonable parameters in all controllers, put it in v2.


You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Daniel Lobato

@elobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30

I agree. Definitely document it.

I've really enjoyed using strong_parameters in Katello. It's great. The only thing is that you'll want to look at how we turn it on/off for controllers in Katello. Let me know if you need help.

David
