Do not pass in all action controller params to raw_connect #3035
Should be okay 👍
LGTM, but I am not an expert here. @martinpovolny @himdel Please review. I'm not sure you have a preferable method (maybe something with Strong Params directly?)
Looking at the code, every other case specifies exactly which params should go in - not which shouldn't. So.. while I have no strong objections to this fix.... any chance you can make it a whitelist instead?
…der, only whitelisted parameters.
c81f50d to 748a4ef
Checked commit jntullo@748a4ef with ruby 2.3.3, rubocop 0.47.1, haml-lint 0.20.0, and yamllint 1.10.0 app/controllers/mixins/ems_common_angular.rb
Provider-specific code in the repo is an immediate red-flag for me. Any way to make this pluggable or somehow part of the openstack provider itself? @himdel Even though you prefer whitelist, for pluggability would blacklist be better? The UI should know what fields definitely should not go to the backend.
@Fryguy You're completely right, but that pretty much depends on #3097 ... in the current form, we can't really do that :(. If you care about not passing in specific items, we can always do both whitelisting and blacklisting - but probably no point now, since it would be different per-provider anyway now. (The point is, if we don't whitelist, they'll get random fields intended for other provider types, possibly even filled in with data if the user originally chose a different type. If we whitelist per provider, then we at least know what they need.)
(The hope with #3097 is that we can eventually make the provider know which fields it needs and provide it in a sane way .. but with this PR being done, that would just mean moving |
LGTM, waiting for @aufi to get a chance to review
@aufi: please, take a look. Merging it now, but your feedback will be addressed in a follow-up PR if you have any. Thx!
Gaprindashvili backport details:
Do not pass in all action controller params to raw_connect (cherry picked from commit 0a2efb0)
Currently, validation on the queue is sending all action controller params to raw_connect, which are ending up in the log. We should not be sending all action controller params to the raw_connect method. This update makes them into a hash and excludes the unnecessary parameters.
Before:
After:
Could I get some 👀 from the OpenStack team? @aufi
@miq-bot assign @Fryguy
related to ManageIQ/manageiq#16636
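
The difference between the blacklist and per-provider whitelist approaches discussed in this thread, as an added example that is not code from this PR or from ManageIQ. The field names, provider types and helper names are hypothetical and the sample params are constructed; only raw_connect itself is named on the page.

```ruby
# Added example; field names, provider types and helper names are hypothetical.
# Allow-list of the form fields each provider type needs for a connection check.
ALLOWED_FIELDS = {
  "openstack" => %w[default_hostname default_api_port default_userid default_password],
  "generic"   => %w[default_hostname default_userid default_password]
}.freeze

SECRET_FIELDS = %w[default_password].freeze

# Deny-list variant: drops known-bad keys, passes everything else through.
def connect_args_denylist(params, denied = %w[controller action authenticity_token])
  params.reject { |key, _| denied.include?(key) }
end

# Allow-list variant: only fields declared for the chosen provider type survive.
# Unknown provider types raise instead of falling back to "send everything".
def connect_args_allowlist(params, type)
  allowed = ALLOWED_FIELDS.fetch(type) { raise ArgumentError, "unknown provider type: #{type}" }
  params.select { |key, value| allowed.include?(key) && !value.to_s.empty? }
end

# What a queue or logger may safely print: secret values masked, keys kept.
def loggable(args)
  args.to_h { |key, value| [key, SECRET_FIELDS.include?(key) ? "[FILTERED]" : value] }
end

# Constructed sample: a form submitted for "openstack" after the user first
# filled in fields for a different provider type.
SAMPLE_PARAMS = {
  "controller"          => "ems_infra",
  "action"              => "create",
  "authenticity_token"  => "constructed-token",
  "emstype"             => "openstack",
  "default_hostname"    => "cloud.example.test",
  "default_api_port"    => "5000",
  "default_userid"      => "admin",
  "default_password"    => "constructed-secret",
  "other_type_password" => "constructed-leftover-secret",
  "other_type_token"    => "constructed-leftover-token"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "deny-list keys:  #{connect_args_denylist(SAMPLE_PARAMS).keys.inspect}"
  allowed = connect_args_allowlist(SAMPLE_PARAMS, SAMPLE_PARAMS["emstype"])
  puts "allow-list keys: #{allowed.keys.inspect}"
  puts "logged as:       #{loggable(allowed).inspect}"
end
```

The deny-list output still carries the leftover fields from the other provider type, which is the case the whitelist request in the review was meant to close.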