When executing permit with just a key that points to a hash, DO NOT allow all the hash

params.require(:person).permit(:projects_attributes) was returning
=> {"projects_attributes"=>{"0"=>{"name"=>"Project 1"}}}

When should return
=> {}

You should be doing ...
params.require(:person).permit(projects_attributes: :name)
to get just the projects attributes you want to allow

2 files changed, 9 insertions, 2 deletions

diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb
index 398454d39f..a6250f5d03 100644
--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
+++ b/actionpack/lib/action_controller/metal/strong_parameters.rb
@@ -177,7 +177,10 @@ module ActionController
       filters.each do |filter|
         case filter
         when Symbol, String then
-          params[filter] = self[filter] if has_key?(filter)
+          if has_key?(filter)
+            value = self[filter]
+            params[filter] = value unless Hash === value
+          end
           keys.grep(/\A#{Regexp.escape(filter)}\(\di\)\z/) { |key| params[key] = self[key] }
         when Hash then
           self.slice(*filter.keys).each do |key, values|
diff --git a/actionpack/test/controller/parameters/nested_parameters_test.rb b/actionpack/test/controller/parameters/nested_parameters_test.rb
index 41f5b6e127..d287e79cba 100644
--- a/actionpack/test/controller/parameters/nested_parameters_test.rb
+++ b/actionpack/test/controller/parameters/nested_parameters_test.rb
@@ -15,18 +15,22 @@ class NestedParametersTest < ActiveSupport::TestCase
         details: {
           pages: 200,
           genre: "Tragedy"
+        },
+        id: {
+          isbn: 'x'
         }
       },
       magazine: "Mjallo!"
     })
 
-    permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages } ]
+    permitted = params.permit book: [ :title, { authors: [ :name ] }, { details: :pages }, :id ]
 
     assert permitted.permitted?
     assert_equal "Romeo and Juliet", permitted[:book][:title]
     assert_equal "William Shakespeare", permitted[:book][:authors][0][:name]
     assert_equal "Christopher Marlowe", permitted[:book][:authors][1][:name]
     assert_equal 200, permitted[:book][:details][:pages]
+    assert_nil permitted[:book][:id]
     assert_nil permitted[:book][:details][:genre]
     assert_nil permitted[:book][:authors][0][:born]
     assert_nil permitted[:magazine]