Bug #17343
closed
It is not possible to use empty list as value for optional parameters via API
Description
Description of problem:
Some entities has optional array parameters that allow nil value. Previously it was possible to send empty list '[]' as value to clear all values, but now according to dLobatog it is not possible because of a new security mechanism in Rails.
Though it affects all the optional parameters, some example entities/parameters are: smart_proxies.locations, location.smart_proxies, organization.smart_proxies, organization.hostgroup_ids.
- Update with empty list
Making HTTP PUT request to https://sat6.com/katello/api/v2/organizations/39 with options {'verify': False, 'auth': ('admin', 'changeme'), 'headers': {'content-type': 'application/json'}} and data {"organization": {"smart_proxy_ids": []}}.
- Response
Received HTTP 200 response:
{
"name":"XWsKJtxSBN",
"id":39,
"smart_proxies":[
{
"name":"sat6.com",
"id":1,
"url":"https://sat6.com:9090"
},
{
"name":"Oa5c2S",
"id":11,
"url":"https://sat6.com:11629"
}
}
Steps to Reproduce:
1. Create entity that has optional array parameters
2. Update that parameter with some value
3. Update that parameter one more time with empty list
4. Check that values from point 2 not changed
Actual results:
When updating with empty list nothing happens, optional parameter has all previous values
Expected results:
All values should be cleared
Updated by Daniel Lobato Garcia over 7 years ago
The reason seems to be that Rails 4 converts these attributes to 'nil' and are ignored.
2016-11-15T13:57:48 b5024cb3 [app] [D] Value for params[:smart_proxy][:locations] was set to nil, because it was one of [], [null] or [null, null, ...]. Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation for more information.
Then when I check smart_proxy_params on the update action, it's gone.
Updated by
Updated by Kavita Gaikwad over 7 years ago
- Assignee set to Kavita Gaikwad
- Target version set to 1.15.6
Updated by Swapnil Abnave over 7 years ago
- Target version changed from 1.15.6 to 1.15.1
Updated by The Foreman Bot over 7 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/4042 added
Updated by Kavita Gaikwad over 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 277529308f07e2087fff0c6641daf105ad5b1865.
Updated by Dominic Cleal over 7 years ago
- translation missing: en.field_release set to 189
Updated by Dominic Cleal about 7 years ago
- Related to Bug #18155: OrganizationsControllerTest empty array test uses invalid data for form encoding added