From 2c005308db62023b81ceb102a481137e1d09f8d7 Mon Sep 17 00:00:00 2001
From: Randall Floyd
Date: Thu, 5 Dec 2024 11:21:48 -0500
Subject: [PATCH] Fixing entrypoint into actor stack that casts unpermitted attributes to hash
---
 app/actors/hyrax/actors/environment.rb | 11 ++++++++++-
 .../hyrax/generic_works_controller_spec.rb | 3 ++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/app/actors/hyrax/actors/environment.rb b/app/actors/hyrax/actors/environment.rb
index 5c01d5827e..bf360e6b17 100644
--- a/app/actors/hyrax/actors/environment.rb
+++ b/app/actors/hyrax/actors/environment.rb
@@ -8,7 +8,16 @@ class Environment
 def initialize(curation_concern, current_ability, attributes)
 @curation_concern = curation_concern
 @current_ability = current_ability
- @attributes = attributes.to_h.with_indifferent_access
+
+ # TODO: how to safely permit a variable list of attributes if we don't know them in advance?
+ # It seems as though most attributes arriving here are already a hash, probably because
+ # they were handled and permitted via a form(?). But if they are posted directly to the
+ # controller, the attributes arrive as ActionController::Parameters.
+ # So, this is no longer allowed because keys throughout structure haven't been permitted yet:
+ # @attributes = attributes.to_h.with_indifferent_access
+ #
+ # attributes.permit! if attributes.class == ActionController::Parameters
+ @attributes = attributes.to_hh.with_indifferent_access
 end
 
 ##
diff --git a/spec/controllers/hyrax/generic_works_controller_spec.rb b/spec/controllers/hyrax/generic_works_controller_spec.rb
index 38c3c1b468..6570f8999e 100644
--- a/spec/controllers/hyrax/generic_works_controller_spec.rb
+++ b/spec/controllers/hyrax/generic_works_controller_spec.rb
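Review bot: In `Environment#initialize` (app/actors/hyrax/actors/environment.rb) the new assignment calls `attributes.to_hh`, which neither Hash nor ActionController::Parameters defines as far as I know, so unless the project adds it elsewhere every `Environment.new` would raise NoMethodError. The removed `attributes.to_h` already failed closed, since on Rails 5+ it raises `ActionController::UnfilteredParameters` for parameters that have not been permitted. The commented-out `attributes.permit!` would instead accept every key a client posts directly to the controller, which is the mass-assignment exposure strong parameters exist to prevent. I would restore `@attributes = attributes.to_h.with_indifferent_access` with the comment `# Fail closed: to_h raises on unpermitted parameters; permit them against the form's allow-list in the controller` and do the permitting at the controller boundary. The enclosing class starts and ends outside the hunk.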
@@ -379,7 +379,8 @@
 # makes one work, two file sets and calls ImportUrlJob twice.
 expect(actor).to receive(:create).with(Hyrax::Actors::Environment) do |env|
 expect(env.attributes['uploaded_files']).to eq []
- expect(env.attributes['remote_files'].map! { |v| v.permit!.to_h }).to eq browse_everything_params.values
+ expect(env.attributes['remote_files']).to eq browse_everything_params.values
+ # expect(env.attributes['remote_files'].map! { |v| v.permit!.to_h }).to eq browse_everything_params.values
 end
 
 post :create, params: {
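Review bot: The commented-out expectation on the last added line should be deleted rather than kept, because the live assertion above it now states the contract that `remote_files` entries reach the actor as plain hashes. The spec still does not pin the case the commit message is about, parameters posted straight to the controller. A companion example asserting that a key outside the permitted list is absent from `env.attributes`, or that the request is rejected, would keep the permit step from regressing; the exact allow-list is not visible here, so it would need to come from the work form. The enclosing example begins and ends outside the hunk.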