
I am attempting to allow parameters to go through my controller for a data attribute that is of type jsonb. The hash looks like so:

```ruby
data:
  { "en" =>
    {
      "activities_text" => "Activities",
      "playlists_text" => "Playlists",
      "additional_playlists_text" => "Additional Playlists"
    },
    "es" =>
    {
      "activities_text" => "Actividades",
      "playlists_text" => "Lista de Actividades",
      "additional_playlists_text" => "Listas de Actividades Adicionales"
    }
  }
```

I got my form to work and I can save data successfully, but only for one of the language keys. The issue is happening because in my safe params array I have the following:

```ruby
text_customization_attributes: [:id, data: [es: [:activities_text, :playlists_text, :additional_playlists_text]]]
```

I need to be able to allow through both `en:` as well as `es:` and potentially any other language keys I may add in the future. I naively thought maybe adding both the line above as well as this: `text_customization_attributes: [:id, data: [en: [:activities_text, :playlists_text, :additional_playlists_text]]]` would work, but one overrides the other and only the last permitted param wins.

How could I let through both es: and en:?


I was able to save the whole hash by using this

```ruby
text_customization_attributes: [:id, data: [en: [:activities_text, :playlists_text, :additional_playlists_text],
                                            es: [:activities_text, :playlists_text, :additional_playlists_text]]]
```

but it seems very hackish. There must be a better way.

mkrieger1
rii
  • I improved the solution above by iterating over the available locales with a method `def dynamic_text_cust_attrs; cust_attrs = {}; I18n.available_locales.each { |e| cust_attrs[e] = [:activities_text, :playlists_text, :additional_playlists_text] }; cust_attrs; end` and then using the hash generated like so in my safe params array: `text_customization_attributes: [:id, data: [ dynamic_text_cust_attrs ]]` – rii Aug 23 '17 at 23:38

1 Answer


As you said, there may be some keys other than `en` or `es`; somehow, we must tell which parameters are permitted. In your case, you can map to an empty hash, like:

```ruby
text_customization_attributes: [:id, data: {}]
```

But it is a bit vulnerable, as it opens the door to arbitrary input.

Reference -> edgeguides:

Hasmukh Rathod
  • Thanks, but I am trying to not do that since as you said it makes the app less secure. – rii Aug 18 '17 at 11:29
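
An added example (not code from the question, the answer or the comments) of the two allow-list options discussed in this thread: building the per-locale permit filter from a locale list, and filtering a raw `data` hash after it has been accepted with `data: {}`. It is plain Ruby with no Rails dependency; `LOCALES` stands in for `I18n.available_locales`, and `MAX_LEN`, the helper names and the sample input are assumptions made for illustration.

```ruby
# Added example: plain Ruby, no Rails required. LOCALES stands in for
# I18n.available_locales; TEXT_KEYS are the three keys from the question.
LOCALES   = %i[en es].freeze
TEXT_KEYS = %i[activities_text playlists_text additional_playlists_text].freeze
MAX_LEN   = 200 # assumed length cap, not from the original post

# Filter spec in the shape strong parameters' `permit` accepts:
# one entry per locale, each permitting the same scalar keys.
def text_customization_permit_spec(locales = LOCALES)
  [:id, { data: locales.to_h { |loc| [loc, TEXT_KEYS] } }]
end

# Allow-list filter for a raw `data` hash (string or symbol keys).
# Unknown locales, unknown keys, non-string and oversized values are dropped.
def sanitize_locale_data(raw, locales = LOCALES)
  return {} unless raw.is_a?(Hash)

  locales.each_with_object({}) do |loc, out|
    texts = raw[loc.to_s] || raw[loc]
    next unless texts.is_a?(Hash)

    kept = TEXT_KEYS.each_with_object({}) do |key, h|
      val = texts[key.to_s] || texts[key]
      h[key.to_s] = val if val.is_a?(String) && val.length <= MAX_LEN
    end
    out[loc.to_s] = kept unless kept.empty?
  end
end

# Constructed sample input: one valid locale, one unlisted locale,
# an unexpected key, and a nested value where a string is expected.
SAMPLE = {
  "en" => { "activities_text" => "Activities", "admin" => "true" },
  "es" => { "playlists_text" => { "nested" => "x" },
            "activities_text" => "Actividades" },
  "xx" => { "activities_text" => "not a configured locale" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  p text_customization_permit_spec
  p sanitize_locale_data(SAMPLE)
end
```

In a controller the first helper's result would be used as the value of `text_customization_attributes:` in the permit call, so adding a locale to the application extends the allow-list without opening `data` to arbitrary keys.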