lib/blacklight/parameters.rb
# frozen_string_literal: true
module Blacklight
class Parameters
##
# Sanitize the search parameters by removing unnecessary parameters
# from the provided parameters.
# @param [Hash] params parameters
def self.sanitize params
params.reject { |_k, v| v.nil? } # rubocop:disable Style/CollectionCompact not available in Rails 6.0
.except(:action, :controller, :id, :commit, :utf8)
end
# rubocop:disable Naming/MethodParameterName
# Merge two Rails strong_params-style permissions into a single list of permitted parameters,
# deep-merging complex values as needed.
# @param [Array<Symbol, Hash>] a
# @param [Array<Symbol, Hash>] b
# @return [Array<Symbol, Hash>]
def self.deep_merge_permitted_params(a, b)
a = [a] if a.is_a? Hash
b = [b] if b.is_a? Hash
complex_params_from_a, scalar_params_from_a = a.flatten.uniq.partition { |x| x.is_a? Hash }
complex_params_from_a = complex_params_from_a.inject({}) { |tmp, h| _deep_merge_permitted_param_hashes(h, tmp) }
complex_params_from_b, scalar_params_from_b = b.flatten.uniq.partition { |x| x.is_a? Hash }
complex_params_from_b = complex_params_from_b.inject({}) { |tmp, h| _deep_merge_permitted_param_hashes(h, tmp) }
(scalar_params_from_a + scalar_params_from_b + [_deep_merge_permitted_param_hashes(complex_params_from_a, complex_params_from_b)]).compact_blank.uniq
end
private_class_method def self._deep_merge_permitted_param_hashes(h1, h2)
h1.merge(h2) do |_key, old_value, new_value|
if (old_value.is_a?(Hash) && old_value.empty?) || (new_value.is_a?(Hash) && new_value.empty?)
{}
elsif old_value.is_a?(Hash) && new_value.is_a?(Hash)
_deep_merge_permitted_param_hashes(old_value, new_value)
elsif old_value.is_a?(Array) || new_value.is_a?(Array)
deep_merge_permitted_params(old_value, new_value)
else
new_value
end
end
end
# rubocop:enable Naming/MethodParameterName
attr_reader :params, :search_state
delegate :blacklight_config, :filter_fields, to: :search_state
def initialize(params, search_state)
@params = params.is_a?(Hash) ? params.with_indifferent_access : params
@search_state = search_state
end
# @param [Hash] params with unknown structure (not declared in the blacklight config or filters) stripped out
def permit_search_params
# if the parameters were generated internally, we can (probably) trust that they're fine
return params unless params.is_a?(ActionController::Parameters)
# if the parameters were permitted already, we should be able to trust them
return params if params.permitted?
permitted_params = filter_fields.inject(blacklight_config.search_state_fields) do |allowlist, filter|
Blacklight::Parameters.deep_merge_permitted_params(allowlist, filter.permitted_params)
end
deep_unmangle_params!(params, permitted_params)
if blacklight_config.filter_search_state_fields
params.permit(*permitted_params)
else
params.deep_dup.permit!
end
end
private
# Facebook's crawler turns array query parameters into a hash with numeric keys. Once we know
# the expected parameter structure, we can unmangle those parameters to match our expected values.
def deep_unmangle_params!(params, permitted_params)
permitted_params.select { |p| p.is_a?(Hash) }.each do |permission|
permission.each do |key, permitted_value|
next unless params[key].is_a?(ActionController::Parameters)
if permitted_value.is_a?(Hash)
deep_unmangle_params!(params[key], [permitted_value])
elsif permitted_value.is_a?(Array) && permitted_value.empty? && params[key]&.keys&.all? { |k| k.to_s =~ /\A\d+\z/ }
params[key] = params[key].values
end
end
end
end
end
end