Everywhere we see the example of:
params.require(:user).permit(:name, :email)
Now, this works great and if someone passes for instance `{ user: {} }` it will raise `ActionController::ParameterMissing`, which is great! It’s even handled and returns 400 Bad Request to the user.
However, if one passes `{ user: "wat" }` the app crashes with no method permit for string and a sad 500 error is returned to the user… which is a bit weird, since it’s really a Bad Request.
I found this GH issue that talks about this issue: https://github.com/rails/rails/issues/30519
It seems like it’s not regarded as an issue and should be handled in your app. Since this style is repeated everywhere in the docs I believe most Rails apps out there can be made to throw up 500 errors left and right - which is unfortunate!
Oh well! It is what it is…
Now… how do all of you handle this issue?
- Do you ignore it?
- Do you check the return value of `require(...)` everywhere?
- Monkey patch the String class to add `permit(*)` and raise appropriately?
- Monkey patch `ActionController::Parameters`?
- Some other prettier solution?
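
One way to do the "check the return value of require" option in a single place, as an added example that is not part of the original post and not Rails' own code. `require_hash` is a hypothetical helper name, and the small `ActionController` stand-in is constructed so the file runs without Rails; it is skipped when the real classes are loaded.

```ruby
# Stand-in for the two Rails classes the helper touches, so this file runs
# without Rails. Skipped when the real classes are already loaded.
unless defined?(ActionController::Parameters)
  module ActionController
    class ParameterMissing < KeyError
      def initialize(param)
        super("param is missing or the value is empty: #{param}")
      end
    end

    class Parameters
      def initialize(hash = {})
        @hash = hash.transform_keys(&:to_s)
      end

      # Like Rails: returns the raw value, whatever its type, unless blank.
      def require(key)
        value = @hash[key.to_s]
        value = Parameters.new(value) if value.is_a?(Hash)
        blank = value.nil? || (value.respond_to?(:empty?) && value.empty?)
        raise ParameterMissing.new(key) if blank
        value
      end

      def permit(*keys)
        Parameters.new(@hash.slice(*keys.map(&:to_s)))
      end

      def empty?
        @hash.empty?
      end

      def to_h
        @hash
      end
    end
  end
end

# Hypothetical helper (not a Rails API): require a key and insist that its
# value is a nested parameters object, so a scalar or array such as
# { user: "wat" } fails with ParameterMissing (400) instead of NoMethodError.
def require_hash(params, key)
  value = params.require(key)
  return value if value.is_a?(ActionController::Parameters)

  raise ActionController::ParameterMissing.new(key)
end
```

In a controller this would be called as `require_hash(params, :user).permit(:name, :email)`, so the wrong-type case takes the same ParameterMissing path that already returns 400.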