Unpermitted parameter error when adding request parameter while using Administrate

Question

I'm using Administrate v0.11.0 with search_term textbox, it works totally fine, and now I want to add a request parameter my_search_condition_flag which is a boolean flag value that affects search condition.

In my index action of controller, I added the following line, so that requests with this parameter pass the Strong Parameters validation.

params.permit(:search, :my_search_condition_flag)

The rest of the code in index action is simply copied from ApplicationController.rb of Administrate.

When I make a HTTP request with request parameter my_search_condition_flag=1 , my index action is processed just fine, but HTTP response returns following error:

ActionController::UnpermittedParameters in Admin::MyPage#index
Showing /usr/local/bundle/gems/administrate-0.11.0/app/views/administrate/application/_search.html.erb where line #19 raised:

found unpermitted parameter: :my_search_condition_flag

which is raised from rendering method of search_term textbox inside index.html.erb

  <% if show_search_bar %>
    <%= render(
      "search",
      search_term: search_term,
      resource_name: display_resource_name(page.resource_name)
    ) %>
  <% end %>

I've already tried the following to my Dashboard class, introduced here:

 # -- Overwrite the method to add one more to the permit list
 def permitted_attributes
   super + [:my_search_condition_flag]  # -- Adding our now removed field to thepermitted list
 end

How can I tell Administrate to permit a parameter which I want to add?

Do I have to use request body instead? (which I don't want)

Answer 1

You were on the right track there. The exception originates at /app/views/administrate/application/_search.html.erb:19, as you mention. If you look there, you'll see it uses the method clear_search_params, which also uses strong_parameters to allow/deny query params. You can override this with a helper of your own. For example:

module Admin
  module ApplicationHelper
    def clear_search_params
      params.except(:search, :page, :my_required_condition_flag).permit(
        :per_page, resource_name => %i[order direction]
      )
    end
  end
end

If you do this, you'll get a new, related error. This time from /app/helpers/administrate/application_helper.rb:48. The method there is called sanitized_order_params, and can be overriden similarly:

module Admin
  module ApplicationHelper
    # ...

    def sanitized_order_params(page, current_field_name)
      collection_names = page.item_includes + [current_field_name]
      association_params = collection_names.map do |assoc_name|
        { assoc_name => %i[order direction page per_page] }
      end
      params.permit(:search, :my_required_condition_flag, :id, :page, :per_page, association_params)
    end
  end
end

And with that, you should be clear of errors.

Admittedly, this is not very nice fix. Ideally Administrate should be providing some better way to override this list of allowed search params. Fancy submitting a PR? ;-)