How are json params deserialized / secured?

[camallen]

I can't see the use of jsonapi_deserialize to ensure only whitelisted controller params are making it through to the model layer, https://github.com/stas/jsonapi.rb#deserialization

Also I can't see the controller layer using strong params to ensure only whitelisted attribtues are updated.

How do you ensure that only specific, allowed attributes are being updated at the model layer?

[zwolf]

Strong params isn't being used because it proved roughly impossible to get the require().permit() syntax to play well with the jsonapi schema. See #42, then b726cd2

jsonapi_deserialize is being used right here:

tove/app/controllers/transcriptions_controller.rb

Line 34 in abb653e

jsonapi_deserialize(params)

There is restriction of the approved status, but there does need to be a more general whitelist that will keep people from updating, like, updated_at or whatever directly.

[camallen]

Thank you for clarifying, I missed the use of the deserialize cmd in the transcriptions controller.

It's good to see you've got this setup and I agree about a more specific whitelist of allowed attributes and not any model attribute.

[zwolf]

A good argument for keeping things like this inline, thanks for pointing it out. Looking at the code, I don't know if I'll need to bring strong params back and let the deserializer worry about it, or if I can just use the only: allowed_params as a whitelist. Seems like the latter, which would be a straightforward fix.

https://github.com/stas/jsonapi.rb/blob/master/lib/jsonapi/deserialization.rb#L31-L35

[camallen]

My understanding is that you can use the deserialization instead of strong params.