fix strong params nested array objects being unpermitted (#3961)

* add rails backport for nested params

* add spec for nested steps array with json objects

lib/gem_ext/gem_ext.rb

@@ -1,3 +1,5 @@
 require_dependency 'gem_ext/doorkeeper/application'
 require 'gem_ext/doorkeeper/server'
 require 'gem_ext/doorkeeper/client_credentials_creator'
+
+require 'gem_ext/rails/strong_parameters'

lib/gem_ext/rails/strong_parameters.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# backport the strong params nested array fix for permit!
+# that is fixed in 5.2+ https://github.com/rails/rails/pull/32593/
+# landed in https://github.com/rails/rails/blob/v5.2.8.1/actionpack/CHANGELOG.md#rails-521-august-07-2018
+if Gem::Version.new(Rails.version) < Gem::Version.new('5.2')
+  module ActionController
+    class Parameters
+      def permit!
+        each_pair do |key, value|
+          Array.wrap(value).flatten.each do |v|
+            v.permit! if v.respond_to? :permit!
+          end
+        end
+
+        @permitted = true
+        self
+      end
+    end
+  end
+end

spec/controllers/api/v1/workflows_controller_spec.rb

@@ -113,17 +113,29 @@
              ]
            }
            },
-           steps: [],
+           steps: [['S0', { 'taskKeys' => ['T0', 'T1'] }]],
            display_order_position: 1,
            links: {
             subject_sets: [subject_set.id.to_s],
             tutorials: [tutorial.id.to_s]
           }
-
         }
       }
     end
 
+    describe 'steps attribute with nested array objects' do
+      before do
+        default_request scopes: scopes, user_id: authorized_user.id
+        update_params[:id] = resource.id
+      end
+
+      it 'correctly handles steps attributes nested array objects' do
+        put :update, update_params
+        updated_resource = json_response['workflows'][0]
+        expect(updated_resource['steps']).to match(update_params.dig(:workflows, :steps))
+      end
+    end
+
     it_behaves_like "is updatable"
     it_behaves_like "has updatable links"