compare URI-decoded path params #482

Open
wants to merge 4 commits into
base: master

@zvkemp zvkemp commented Oct 22, 2024

Mitigation for a regression introduced in #447.

URI-encoded path parameters should be decoded before comparing with the (already-decoded) param.

The URI decoder is automatically set to the Rails router decoder when it is detected, or URI.decode_uri_component (Ruby >= 3.2). Users on older rubies without Rails can optionally configure it via Graphiti.config.uri_decoder = -> (uri) { ... } (but this is only necessary if you are doing endpoint validation for routes that have percent-encoded path parameters).
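
The mismatch the description above refers to, as an added Ruby example that is not Graphiti's code or part of this pull request. `endpoint_allowed?`, `FALLBACK_DECODER`, `RAW` and the sample paths are hypothetical, constructed here to show why the still-encoded path segment has to be decoded once before it is compared with the router-decoded id.

```ruby
require "uri"

# Minimal percent-decoder for Rubies without URI.decode_uri_component.
# This stand-in is the example's own, not Graphiti code.
FALLBACK_DECODER = lambda do |s|
  s.b.gsub(/(?:%\h\h)+/) { |m| [m.delete("%")].pack("H*") }
     .force_encoding(Encoding::UTF_8)
end

# Prefer the stdlib decoder the description names (Ruby >= 3.2).
URI_DECODER =
  if URI.respond_to?(:decode_uri_component)
    URI.method(:decode_uri_component)
  else
    FALLBACK_DECODER
  end

RAW = ->(s) { s } # no decoding: reproduces the mismatch

ID_ACTIONS = %i[show update destroy].freeze

# Hypothetical allow-list check: for member actions the last path segment
# must equal the id param and the rest must equal the endpoint path.
def endpoint_allowed?(endpoint_path, request_path, params, action, decoder: URI_DECODER)
  path = request_path
  id = params[:id]
  if ID_ACTIONS.include?(action) && id
    base, _sep, last = request_path.rpartition("/")
    # params[:id] arrives decoded from the router; request_path is still
    # percent-encoded, so decode the segment exactly once before comparing.
    return false unless decoder.call(last) == id.to_s
    path = base
  end
  path == endpoint_path
end

# Constructed sample request.
ENDPOINT = "/api/v1/employees"
PATH     = "/api/v1/employees/jane%20doe"

if __FILE__ == $PROGRAM_NAME
  puts endpoint_allowed?(ENDPOINT, PATH, { id: "jane doe" }, :show, decoder: RAW)
  puts endpoint_allowed?(ENDPOINT, PATH, { id: "jane doe" }, :show)
  # A double-encoded segment is decoded once only, so it does not match.
  puts endpoint_allowed?(ENDPOINT, "#{ENDPOINT}/jane%2520doe", { id: "jane doe" }, :show)
end
```

Decoding exactly once matters for an allow-list check: decoding again on the validator side would make it accept paths the router itself would treat as a different id.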

@@ -74,12 +74,12 @@ def allow_request?(request_path, params, action)
endpoints.any? do |e|
has_id = params[:id] || params[:data].try(:[], :id)
path = request_path
if [:update, :show, :destroy].include?(context_namespace) && has_id
if [:update, :show, :destroy].include?(action) && has_id
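
Review bot: on the changed condition, `[:update, :show, :destroy].include?(action)` only matches when the caller passes `action` as a symbol, so a string such as "show" would skip this branch silently. Because the value now comes from the `action` argument of `allow_request?(request_path, params, action)` rather than from `context_namespace`, consider normalizing it (for example with `action.to_sym`) or documenting the expected type, and add a spec for a caller where `action` and `context_namespace` could differ.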
Author

action is passed in by the caller; seems appropriate to use it here instead of duplicating the call to context_namespace
