From f8aac41e44737c084b02a07a35012a7426cbcd1e Mon Sep 17 00:00:00 2001
From: Randall Floyd
Date: Thu, 5 Dec 2024 11:21:48 -0500
Subject: [PATCH] Fixing entrypoint into actor stack that casts unpermitted attributes to hash
---
 app/actors/hyrax/actors/environment.rb | 9 +++++++++
 spec/controllers/hyrax/generic_works_controller_spec.rb | 3 ++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/app/actors/hyrax/actors/environment.rb b/app/actors/hyrax/actors/environment.rb
index 5c01d5827e..e466be4966 100644
--- a/app/actors/hyrax/actors/environment.rb
+++ b/app/actors/hyrax/actors/environment.rb
@@ -8,6 +8,15 @@ class Environment
 def initialize(curation_concern, current_ability, attributes)
 @curation_concern = curation_concern
 @current_ability = current_ability
+
+ # TODO: how to safely permit a variable list of attributes if we don't know them in advance?
+ # It seems as though most attributes arriving here are already a hash, probably because
+ # they were handled and permitted via a form(?). But if they are posted directly to the
+ # controller, the attributes arrive as ActionController::Parameters.
+ # So, this is no longer allowed because keys throughout structure haven't been permitted yet:
+ # @attributes = attributes.to_h.with_indifferent_access
+ #
+ # attributes.permit! if attributes.class == ActionController::Parameters
 @attributes = attributes.to_h.with_indifferent_access
 end
diff --git a/spec/controllers/hyrax/generic_works_controller_spec.rb b/spec/controllers/hyrax/generic_works_controller_spec.rb
index 38c3c1b468..6570f8999e 100644
--- a/spec/controllers/hyrax/generic_works_controller_spec.rb
+++ b/spec/controllers/hyrax/generic_works_controller_spec.rb
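Review bot: In the environment.rb hunk the `attributes.permit!` guard is itself behind a `#`, so `initialize` still runs `attributes.to_h.with_indifferent_access` on whatever it receives, and the directly-posted `ActionController::Parameters` case described in the TODO is, as far as the hunk shows, not handled. If the guard is meant to be enabled, note that `permit!` marks every key at every nesting level as permitted, so the actor stack would accept any attribute a client posts and strong-parameter filtering would no longer protect the work's attributes. Prefer keeping the allow-list at the controller or form and rejecting unpermitted input here, for example `raise ArgumentError, 'attributes must be permitted' if attributes.respond_to?(:permitted?) && !attributes.permitted?`. Should a blanket permit stay as a stopgap, `attributes.is_a?(ActionController::Parameters)` is the conventional test instead of `attributes.class ==`, and the TODO should name the callers that pass raw parameters.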
@@ -379,7 +379,8 @@
 # makes one work, two file sets and calls ImportUrlJob twice.
 expect(actor).to receive(:create).with(Hyrax::Actors::Environment) do |env|
 expect(env.attributes['uploaded_files']).to eq []
- expect(env.attributes['remote_files'].map! { |v| v.permit!.to_h }).to eq browse_everything_params.values
+ expect(env.attributes['remote_files']).to eq browse_everything_params.values
+ # expect(env.attributes['remote_files'].map! { |v| v.permit!.to_h }).to eq browse_everything_params.values
 end
 post :create, params: {
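Review bot: The old expectation is kept as a commented-out line right under its replacement; drop it, since the removed line is already in history. The new `expect(env.attributes['remote_files']).to eq browse_everything_params.values` presumably passes only when the nested entries arrive as permitted hashes, yet no example here posts a key outside the expected set, so the spec would not notice if the actor stack began accepting arbitrary attributes. A companion example that adds an unexpected key to `params` and asserts it is absent from `env.attributes` would pin that. The enclosing example begins and ends outside the hunk.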