With https://github.com/thoughtbot/administrate/pull/1457, I introduced a bug. Reproduction:
- Visit the index page of a model with a has_many relationship (eg: customers).
- Click on a table header to trigger some sorting. The current URL will gain query params.
- Click on a row to see the show page of a record. Don't click on actual data on the table (eg: customer name), but instead click on a "blank" area of the row. This is so that the JS click handler kicks in and performs the "link" behaviour, as opposed to clicking on an actual link.
- You'll get an error
ActionController::UnpermittedParameters.
This is triggered by the following:
- At the index page, the URL is something like
/admin/customers - When sorting the table, the current URL becomes something like
/admin/customers?customer%5Bdirection%5D=desc&customer%5Border%5D=name - Clicking on the row, the JS gets us a URL like so
/admin/customers/123?customer%5Bdirection%5D=desc&customer%5Border%5D=name - The partial that renders the has_many relationship in the show page can receive query params. It checks that the current ones are permitted. Turns out those aren't (they are in the index page, but not here), so it raises an exception.
I'm not sure about the spec example I have introduced. I feel that someone who finds it in the future is going to wonder where that came from. I guess they can check the git history...? Thoughts?