Filtering parameters inside arrays when logging
Reported by vicente.mundim (at gmail) | June 29th, 2009 @ 01:54 PM | in 2.x
I've stumbled upon this issue while creating an application which makes use of nested forms. Basically, I have an Account model which has many Users. When I create the account it also creates one User. The action receives parameters like:
:account => { :name => 'foo', :users_attributes => [{ :login => 'foo', :password => 'secret', :password_confirmation => 'secret' }] }
Since my controller has the following line:
filter_parameter_logging :password, :password_confirmation
I was expecting to see both password and password_confirmation filtered, but they weren't. Looking inside filter_parameter_logging I understand that it didn't treat arrays at all. I've made a patch, but it seems rails.lighthouseapp.com is down, so I'll just post it here. The patch contains changes to both code and tests. I've made it by branching origin/2-3-stable.
I think it may be wrong in older versions of rails too.
Comments and changes to this ticket
-
vicente.mundim (at gmail) June 29th, 2009 @ 01:55 PM
- Tag changed from action_controller, logging to action_controller, logging, patch
-
Yehuda Katz (wycats) July 2nd, 2009 @ 12:16 AM
- State changed from new to resolved
It appears that this has been resolved with the following commit:
http://github.com/rails/rails/commit/9407f6e9a428b37517fdd779eac15e...
-
Will Bryant July 6th, 2009 @ 04:00 AM
Was it intended that this results in filter_parameters being called with scalar arguments, for example when you use:
post :create, :foo => ["bar", "baz"]
filter_parameters gets called with "bar" and then with "baz". This works (though fixnums don't, which broke my specs - but I think that wouldn't occur in real use), but that seems quite accidental to me (it relies on String#collect returning an array with the string in it).
-
Alexey I. Froloff July 28th, 2009 @ 07:22 PM
I second this. It dies with NoMethodError when parameters contain something like :role_ids => [1, 2, 3] or :foo => ["bar", "baz"]. This scheme is used by Redmine, for example.
-
gmackerron July 30th, 2009 @ 12:38 PM
And I third it, strongly. This change just broke a production app of mine on Ruby 1.9, because on 1.9 there is no String#collect method!
-
gmackerron July 30th, 2009 @ 05:40 PM
Will Bryant's suspicion that the results of the fix are not fully what was intended, since filter_parameters gets called with individual string arguments, and this causes 500 errors on 1.9.
-
vicente.mundim (at gmail) July 30th, 2009 @ 06:35 PM
It seems that it has been fixed in the following commit on branch 2-3-stable:
http://github.com/rails/rails/commit/ead5d88bf178b8a32d151747a42df2...
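Added example (not part of the ticket, and not the code from the Rails commits linked above): a minimal recursive log filter covering both cases raised in this thread, hashes nested inside arrays and arrays of plain scalars such as :role_ids => [1, 2, 3]. The names filter_logged_params, filter_value and SAMPLE_PARAMS are hypothetical, and the case-insensitive substring match on key names is an assumption.

```ruby
# Illustration only; not the Rails implementation of filter_parameter_logging.
FILTERED = '[FILTERED]'

# Returns a filtered copy of +params+ for logging. Any value whose key
# matches one of +filter_words+ is masked; the input is not modified.
def filter_logged_params(params, filter_words)
  # Regexp.union([]) never matches, so an empty word list filters nothing.
  pattern = Regexp.union(filter_words.map { |w| /#{Regexp.escape(w.to_s)}/i })
  filter_value(params, pattern)
end

def filter_value(value, pattern)
  case value
  when Hash
    value.each_with_object({}) do |(key, inner), out|
      out[key] = key.to_s.match?(pattern) ? FILTERED : filter_value(inner, pattern)
    end
  when Array
    # Recurse per element so hashes inside arrays are filtered too.
    value.map { |element| filter_value(element, pattern) }
  else
    # Scalars (String, Integer, nil, ...) have no keys: return unchanged
    # instead of calling Hash or Enumerable methods on them.
    value
  end
end

# Constructed sample combining the parameter shapes quoted in the ticket.
SAMPLE_PARAMS = {
  :account => {
    :name => 'foo',
    :users_attributes => [
      { :login => 'foo', :password => 'secret', :password_confirmation => 'secret' }
    ]
  },
  :role_ids => [1, 2, 3],
  :foo => ['bar', 'baz']
}

puts filter_logged_params(SAMPLE_PARAMS, [:password, :password_confirmation]).inspect
```

A regression test for a filter like this should cover all three shapes: a nested hash, an array of hashes, and an array of scalars (strings and integers).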
Tickets have moved to GitHub
The new ticket tracker is available at https://github.com/rails/rails/issues