From e98eb1a80f247fbef465cd1e952b755eb6ef2071 Mon Sep 17 00:00:00 2001
From: Campbell Allen
Date: Fri, 7 Oct 2022 16:17:38 +0100
Subject: [PATCH] fix strong params nested array objects being unpermitted (#3961)
* add rails backport for nested params
* add spec for nested steps array with json objects
---
lib/gem_ext/gem_ext.rb | 2 ++
lib/gem_ext/rails/strong_parameters.rb | 21 +++++++++++++++++++
.../api/v1/workflows_controller_spec.rb | 16 ++++++++++++--
3 files changed, 37 insertions(+), 2 deletions(-)
create mode 100644 lib/gem_ext/rails/strong_parameters.rb
diff --git a/lib/gem_ext/gem_ext.rb b/lib/gem_ext/gem_ext.rb
index fdccd6da8..551c2c6a0 100644
--- a/lib/gem_ext/gem_ext.rb
+++ b/lib/gem_ext/gem_ext.rb
@@ -1,3 +1,5 @@
 require_dependency 'gem_ext/doorkeeper/application'
 require 'gem_ext/doorkeeper/server'
 require 'gem_ext/doorkeeper/client_credentials_creator'
+
+require 'gem_ext/rails/strong_parameters'
diff --git a/lib/gem_ext/rails/strong_parameters.rb b/lib/gem_ext/rails/strong_parameters.rb
new file mode 100644
index 000000000..8d011e8ad
--- /dev/null
+++ b/lib/gem_ext/rails/strong_parameters.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# backport the strong params nested array fix for permit!
+# that is fixed in 5.2+ https://github.com/rails/rails/pull/32593/
+# landed in https://github.com/rails/rails/blob/v5.2.8.1/actionpack/CHANGELOG.md#rails-521-august-07-2018
+if Gem::Version.new(Rails.version) < Gem::Version.new('5.2')
+ module ActionController
+ class Parameters
+ def permit!
+ each_pair do |key, value|
+ Array.wrap(value).flatten.each do |v|
+ v.permit! if v.respond_to? :permit!
+ end
+ end
+
+ @permitted = true
+ self
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/spec/controllers/api/v1/workflows_controller_spec.rb b/spec/controllers/api/v1/workflows_controller_spec.rb
index eadfdf4bf..feafa711d 100644
--- a/spec/controllers/api/v1/workflows_controller_spec.rb
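Review bot: The version guard in lib/gem_ext/rails/strong_parameters.rb has no lower bound, so `permit!` is replaced wholesale on every Rails release below 5.2 rather than only on the release line its body was copied from. `permit!` is the call that switches strong-parameter filtering off for a whole parameter tree, so an override that does not match the installed implementation can quietly change which nested values end up marked permitted. I would bound the guard to the line the app actually runs, e.g. `if Gem::Requirement.new('~> <RAILS_MINOR_IN_USE>.0').satisfied_by?(Gem::Version.new(Rails.version))`, and add a comment above `def permit!` naming the exact upstream version the body came from and what differs from the stock method. Because the patch widens what `permit!` reaches (hashes inside nested arrays), the existing `permit!` call sites, which are not visible in this diff, deserve a check that they only cover free-form JSON attributes such as `steps`.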
+++ b/spec/controllers/api/v1/workflows_controller_spec.rb
@@ -113,17 +113,29 @@ ] } }, - steps: [], + steps: [['S0', { 'taskKeys' => ['T0', 'T1'] }]], display_order_position: 1, links: { subject_sets: [subject_set.id.to_s], tutorials: [tutorial.id.to_s] } - } } end + describe 'steps attribute with nested array objects' do + before do + default_request scopes: scopes, user_id: authorized_user.id + update_params[:id] = resource.id + end + + it 'correctly handles steps attributes nested array objects' do + put :update, update_params + updated_resource = json_response['workflows'][0] + expect(updated_resource['steps']).to match(update_params.dig(:workflows, :steps)) + end + end + it_behaves_like "is updatable" it_behaves_like "has updatable links"
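Review bot: The new example asserts only the `steps` value echoed back in the JSON response, so it does not show that the nested hash reached the stored record. A second expectation on the reloaded record would pin that, for example `expect(resource.reload.steps).to eq(update_params.dig(:workflows, :steps))`, assuming `resource` is the workflow under test and exposes `steps`. Because the override it exercises replaces `permit!` for every controller, a small direct spec on `ActionController::Parameters` with the same nested-array input would also be worth having alongside this round-trip. The `update_params` block edited at the top of the hunk starts outside it.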