diff --git a/app/actors/hyrax/actors/environment.rb b/app/actors/hyrax/actors/environment.rb index 5c01d5827e..bf360e6b17 100644 --- a/app/actors/hyrax/actors/environment.rb +++ b/app/actors/hyrax/actors/environment.rb @@ -8,7 +8,16 @@ class Environment def initialize(curation_concern, current_ability, attributes) @curation_concern = curation_concern @current_ability = current_ability - @attributes = attributes.to_h.with_indifferent_access + + # TODO: how to safely permit a variable list of attributes if we don't know them in advance? + # It seems as though most attributes arriving here are already a hash, probably because + # they were handled and permitted via a form(?). But if they are posted directly to the + # controller, the attributes arrive as ActionController::Parameters. + # So, this is no longer allowed because keys throughout structure haven't been permitted yet: + # @attributes = attributes.to_h.with_indifferent_access + # + # attributes.permit! if attributes.class == ActionController::Parameters + @attributes = attributes.to_hh.with_indifferent_access end ## diff --git a/spec/controllers/hyrax/generic_works_controller_spec.rb b/spec/controllers/hyrax/generic_works_controller_spec.rb index 38c3c1b468..6570f8999e 100644 --- a/spec/controllers/hyrax/generic_works_controller_spec.rb +++ b/spec/controllers/hyrax/generic_works_controller_spec.rb @@ -379,7 +379,8 @@ # makes one work, two file sets and calls ImportUrlJob twice. expect(actor).to receive(:create).with(Hyrax::Actors::Environment) do |env| expect(env.attributes['uploaded_files']).to eq [] - expect(env.attributes['remote_files'].map! { |v| v.permit!.to_h }).to eq browse_everything_params.values + expect(env.attributes['remote_files']).to eq browse_everything_params.values + # expect(env.attributes['remote_files'].map! { |v| v.permit!.to_h }).to eq browse_everything_params.values end post :create, params: {