When executing permit with just a key that points to a hash, DO NOT allow all the hash

params.require(:person).permit(:projects_attributes) was returning
=> {"projects_attributes"=>{"0"=>{"name"=>"Project 1"}}}

When should return
=> {}

You should be doing ...
params.require(:person).permit(projects_attributes: :name)
to get just the projects attributes you want to allow

1 files changed, 4 insertions, 1 deletions

diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 398454d39f..a6250f5d03 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -177,7 +177,10 @@ module ActionController
       filters.each do |filter|
         case filter
         when Symbol, String then
-          params[filter] = self[filter] if has_key?(filter)
+          if has_key?(filter)
+            value = self[filter]
+            params[filter] = value unless Hash === value
+          end
           keys.grep(/\A#{Regexp.escape(filter)}\(\di\)\z/) { |key| params[key] = self[key] }
         when Hash then
           self.slice(*filter.keys).each do |key, values|