Rails 7 provides context when logging unpermitted parameters


Rails 7 expands the payload of the unpermitted_parameters.action_controller notification so that developers can see which controller and action received the unpermitted parameters, instead of only the rejected keys.

Before

In earlier versions of Rails, when unpermitted parameters were found in a request, the log line listed only the unpermitted keys. It said nothing about which controller and action received them, so a developer triaging the logs (or a security engineer looking for mass-assignment probing) could not tell where the request landed.

Consider the following code, where we have a User with name, email, and role attributes, and we permit only the name and email attributes. (The log line is emitted only when config.action_controller.action_on_unpermitted_parameters is set to :log; with :raise, an ActionController::UnpermittedParameters error is raised instead.)

request_params = { user: { name: "Francesco", email: "fransceso@example.com", role: "admin" } }

params = ActionController::Parameters.new(request_params)
params.permit(user: [:name, :email])

# Unpermitted parameter: :role

The log only provides the unpermitted key; it carries no information about the controller and action that received the unpermitted parameters.

After

Rails 7 allows callers to pass a logging context containing the controller, action, request, and params keys, and this context is included in the notification payload.

To support this, ActionController::Parameters.new now accepts the logging context as an optional second argument.

# Inside a controller action (e.g. UsersController#create), where
# self.class.name and action_name are available.
context = { controller: self.class.name, action: action_name }
request_params = { user: { name: "Francesco", email: "fransceso@example.com", role: "admin" } }

params = ActionController::Parameters.new(request_params, context)
params.permit(user: [:name, :email])

# Unpermitted parameter: :role. Context: { controller: UsersController, action: create }

Along with the unpermitted parameter, the context containing the controller and action keys is now logged. If no context is passed, an empty context is included in the payload.

request_params = { user: { name: "Francesco", email: "fransceso@example.com", role: "admin" } }

params = ActionController::Parameters.new(request_params)
params.permit(user: [:name, :email])

# Unpermitted parameter: :role. Context: { }

Note: This change expects the caller to provide the logging context. In a Rails 7 controller, the built-in params method already passes the controller name, action name, request, and filtered parameters, so ordinary controller code gets the context for free; only code that constructs ActionController::Parameters directly needs to pass it explicitly.
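The added context is what makes the notification useful as a detection signal: a client repeatedly sending role or admin to a specific endpoint is worth noticing. The following is an added example, not code from the original post or from Rails itself. It is a plain-Ruby subscriber that consumes payloads in the Rails 7 shape ({ keys: [...], context: { controller:, action:, request:, params: } }), aggregates rejected keys per controller#action, and flags an assumed watchlist of sensitive keys. The FakeRequest stand-in, the SENSITIVE_KEYS list, the MONITOR constant and the sample events are all constructed for the example; the only Rails API it relies on is ActiveSupport::Notifications.subscribe, and that call is guarded so the file also runs without Rails loaded.

```ruby
# Constructed stand-in for an ActionDispatch::Request; only remote_ip is used.
FakeRequest = Struct.new(:remote_ip)

class UnpermittedParamsMonitor
  # Assumed watchlist: keys that, when rejected, suggest a client is probing
  # for mass assignment or privilege escalation.
  SENSITIVE_KEYS = %w[role admin is_admin password_digest].freeze

  Finding = Struct.new(:endpoint, :keys, :client_ip)

  attr_reader :findings

  def initialize
    # "UsersController#create" => { "role" => 2, ... }
    @counts = Hash.new { |h, k| h[k] = Hash.new(0) }
    @findings = []
  end

  # payload follows the Rails 7 notification shape:
  #   { keys: ["role"], context: { controller: "UsersController", action: "create",
  #                                request: req, params: {...} } }
  # A payload without :context (pre-Rails 7, or a caller that passed none)
  # is still counted, attributed to the "unknown" endpoint.
  def handle(payload)
    context = payload[:context] || {}
    keys = Array(payload[:keys]).map(&:to_s)
    endpoint = endpoint_for(context)

    keys.each { |k| @counts[endpoint][k] += 1 }

    hits = keys & SENSITIVE_KEYS
    return nil if hits.empty?

    request = context[:request]
    ip = request.respond_to?(:remote_ip) ? request.remote_ip : nil
    finding = Finding.new(endpoint, hits, ip)
    @findings << finding
    finding
  end

  def count_for(endpoint, key)
    @counts[endpoint][key.to_s]
  end

  # Endpoints where `key` was rejected at least `threshold` times.
  def hot_endpoints(key, threshold: 2)
    @counts.select { |_ep, ks| ks[key.to_s] >= threshold }.keys
  end

  private

  def endpoint_for(context)
    return "unknown" unless context[:controller]
    "#{context[:controller]}##{context[:action]}"
  end
end

# Wiring for a Rails app (e.g. config/initializers/unpermitted_params_monitor.rb).
# Guarded so this file runs stand-alone without Rails loaded.
if defined?(ActiveSupport::Notifications)
  MONITOR = UnpermittedParamsMonitor.new
  ActiveSupport::Notifications.subscribe("unpermitted_parameters.action_controller") do |*args|
    event = ActiveSupport::Notifications::Event.new(*args)
    MONITOR.handle(event.payload)
  end
end

# Constructed sample events in the shape Rails 7 instruments.
def run_sample_events
  monitor = UnpermittedParamsMonitor.new
  req = FakeRequest.new("203.0.113.7")
  users_ctx = { controller: "UsersController", action: "create", request: req, params: {} }
  posts_ctx = { controller: "PostsController", action: "index", request: req, params: {} }

  monitor.handle(keys: ["role"], context: users_ctx)               # flagged
  monitor.handle(keys: ["role", "utm_source"], context: users_ctx) # flagged again
  monitor.handle(keys: ["utm_source"], context: posts_ctx)         # benign, counted only
  monitor.handle(keys: ["admin"])                                  # no context: "unknown"
  monitor
end

if $PROGRAM_NAME == __FILE__
  m = run_sample_events
  m.findings.each { |f| puts "#{f.endpoint} rejected #{f.keys.join(',')} from #{f.client_ip.inspect}" }
  puts "endpoints with repeated 'role' rejections: #{m.hot_endpoints('role').inspect}"
end
```

The thresholds and watchlist are deliberately simple; in a real deployment the findings would be forwarded to whatever the application already uses for security events, and the per-endpoint counts keyed additionally by client IP.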

To know more about this change, refer to this PR.