Skip to content

THREESCALE-12434: Migrate from protected attributes to strong parameters - Part 3 #4255

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mayorova wants to merge 8 commits into
base: strong-params-part2
Choose a base branch
from
Open

THREESCALE-12434: Migrate from protected attributes to strong parameters - Part 3 #4255

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
7294df5
Remove without_protection references
mayorova Mar 19, 2026
9f50fb3
Remove allow_mass_assignment
mayorova Mar 19, 2026
2bda4f2
Remove protected_attributes_continued gem and its leftovers
mayorova Mar 19, 2026
82cecfe
Fix MailDispatchRule test
mayorova Mar 23, 2026
bae4daa
Fix backend_apis associations
mayorova Mar 20, 2026
7ec8391
Add unit tests for service_extension backend_api logic
mayorova May 18, 2026
0264807
Fix AccessToken value setting
mayorova May 26, 2026
5c8e3a5
Fix member permission flaky test of Admin::ApiDocs::AccountApiDocsCon…
mayorova May 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions Gemfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,6 @@ gem "activejob-uniqueness"
# Needed for XML serialization of ActiveRecord::Base
gem 'activemodel-serializers-xml'

gem 'protected_attributes_continued', '~> 1.9.0'

gem 'rails-observers'

gem 'strong_migrations', '~> 2.1.0'
Expand Down
3 changes: 0 additions & 3 deletions Gemfile.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -618,8 +618,6 @@ GEM
bigdecimal
logger
rb_sys (~> 0.9.117)
protected_attributes_continued (1.9.0)
activemodel (>= 5.0)
pry (0.15.2)
coderay (~> 1.1)
method_source (~> 1.0)
Expand Down Expand Up @@ -1101,7 +1099,6 @@ DEPENDENCIES
prawn
prawn-svg
prawn-table!
protected_attributes_continued (~> 1.9.0)
pry-byebug (>= 3.11.0)
pry-doc (>= 0.8)
pry-rails
Expand Down
2 changes: 1 addition & 1 deletion app/events/applications/application_deleted_event.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ class Applications::ApplicationDeletedEvent < ApplicationRelatedEvent
# @param [Cinstance] application
# :reek:NilCheck but proxy can be nil at this point
def self.create(application)
service = application.service || Service.new({id: application.service_id}, without_protection: true)
service = application.service || Service.new(id: application.service_id)
new(
application: MissingModel::MissingApplication.new(id: application.id),
service_backend_id: service.backend_id,
Expand Down
2 changes: 1 addition & 1 deletion app/events/zync_event.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ def self.type_for(model)
def non_persisted_dependencies
case record
when Proxy, Cinstance
[Service.new({id: data[:service_id]}, without_protection: true)]
[Service.new(id: data[:service_id])]
else
NONE
end
Expand Down
18 changes: 17 additions & 1 deletion app/lib/backend_api_logic/service_extension.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,11 @@ def backend_api_config
end

def backend_api
Copy link
Copy Markdown
Contributor

@akostadinov akostadinov May 28, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about adding a comment like:

Suggested change
def backend_api
# This is mostly used for view/reporting purposes thus whenever an actual
# associated Backend API is present, it will be used. Otherwise we create a
# dummy Backend API to keep the presentation layer happy.
# But to avoid confusing the business logic, we need to prevent the
# existing Account and Service objects from seeing it.
# TODO: revisit the logic and get rid of lazy building altogether
def backend_api

@backend_api ||= backend_api_configs.first&.backend_api || account.backend_apis.build(system_name: service_system_name, name: "#{service_name} Backend", description: "Backend of #{service_name}")
# Return early if we already have a persisted backend_api
return @backend_api if @backend_api&.persisted?
Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This issue with #backend_api just drives me nuts.

This commit contains a solution that Claude provided, and I'm putting his explanation below.

I am not convinced or happy with this though, and I find the whole lazy building messy... I think we need to review the behavior again, and try to get rid of any lazy building, because it just makes things complicated and error-prone.
WDYT @akostadinov @jlledom ?

Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BackendApiProxy Cache Issue After Removing protected_attributes_continued

Problem

After removing the protected_attributes_continued gem (strong-params-part3 branch), several tests
started failing with errors like:

  • NoMethodError: undefined method 'children' for nil (when service.backend_api returns a stale
    unpersisted BackendApi with no metrics)
  • StateMachines::InvalidTransition: Cannot transition state via :approve from :created (Reason(s): Backend apis invalid) (when account validation encounters the unpersisted BackendApi)

Root Cause

The behavioral difference is caused by inverse_of working correctly without
protected_attributes_continued.

How BackendApiProxy caches a backend_api

When a Service is created, after_create :create_default_proxy builds and saves a Proxy. During
Proxy validation, validate_backend_api? (in BackendApiLogic::ProxyExtension) calls
backend_api.private_endpoint_changed?. This delegates through:

Proxy#backend_api -> Service#backend_api -> Service#backend_api_proxy -> BackendApiProxy#backend_api

BackendApiProxy#backend_api does:

@backend_api ||= backend_api_configs.first&.backend_api ||
                 account.backend_apis.build(system_name: ..., name: ..., description: ...)

Since no backend_api_configs exist yet during initial service creation, it falls through to
account.backend_apis.build(...), which creates an unpersisted BackendApi (no private_endpoint,
no metrics) and caches it in @backend_api.

What changed: inverse_of behavior

The Proxy model has belongs_to :service, touch: true, inverse_of: :service and the Service model
has has_one :proxy, dependent: :destroy, inverse_of: :service, autosave: true.

On master (with protected_attributes_continued)

The gem subtly breaks inverse_of for has_one associations. When a Proxy is created via
service.create_proxy!, the Proxy's service method resolves to a different Service instance
(loaded from DB), not the original one.

This means the stale @backend_api_proxy (with its cached unpersisted BackendApi) is set on a
throwaway Service instance that gets garbage collected. The FactoryBot-returned Service instance
has a clean @backend_api_proxy — calling service.backend_api creates a fresh BackendApiProxy
that correctly finds the persisted BackendApi from backend_api_configs.

On the branch (without the gem)

inverse_of works correctly. The Proxy's service method returns the same Service instance
that created it. The stale @backend_api_proxy (with its cached unpersisted BackendApi) is set on
the FactoryBot-returned Service instance.

Later calls to service.backend_api return the stale unpersisted BackendApi instead of the real
persisted one created by the :with_default_backend_api factory trait.

Evidence

Tracing BackendApiProxy#backend_api calls during FactoryBot.create(:simple_service):

Master:

BackendApiProxy SET on Service object_id=32920 (different from FactoryBot's 32940)
After factory create: @backend_api_proxy cached? false

Branch:

BackendApiProxy SET on Service object_id=32600 (same as FactoryBot's 32600)
After factory create: @backend_api_proxy cached? true, @backend_api.persisted? false

Impact on Production Code

The main production code path that uses service.backend_api is ServiceCreator:

def save!(params)
  @service.save!                     # triggers create_default_proxy -> caches stale @backend_api_proxy
  ...
  save_default_backend_api(params)   # calls backend_api_proxy.update!(params)
end

ServiceCreator is not affected because:

  1. It intentionally works with the unpersisted BackendApi built during proxy creation
  2. backend_api_proxy.update! sets private_endpoint on it and calls save!, persisting it
  3. The same cached BackendApiProxy instance is used throughout, so it operates on the same
    BackendApi object

Other production code paths access backend_api through BackendApiConfig associations (not through
the BackendApiProxy cache), so they are also unaffected.

Fix

Code fix: BackendApiProxy#backend_api

Changed to handle stale caches by re-checking backend_api_configs when the cached value is
unpersisted:

def backend_api
  return @backend_api if @backend_api&.persisted?

  @backend_api = backend_api_configs.first&.backend_api ||
                 @backend_api
  @backend_api ||= account.backend_apis.build(...)
end

Logic:

  1. Persisted cached BA - return immediately (fast path, same behavior as before)
  2. Unpersisted/nil cached BA - check backend_api_configs first (picks up configs created
    after initial cache, e.g. by :with_default_backend_api factory trait)
  3. Reuse existing unpersisted BA if no config found (avoids building duplicate unpersisted
    instances via account.backend_apis.build, which would pollute the association)
  4. Build new only if nothing exists yet

This is safe for ServiceCreator because step 3 reuses the same unpersisted BA across calls
within update!.

Factory fix: service factories

Both :simple_service and :service factories clean up the account's backend_apis association
in after(:create):

after(:create) do |record|
  record.service_tokens.first_or_create!(value: 'token')
  # Proxy validation during service creation calls account.backend_apis.build(...),
  # which adds an unpersisted BackendApi to the association. Remove it to prevent
  # validation failures in later operations on the account.
  record.account.backend_apis.target.delete_if { |ba| !ba.persisted? }
end

This is needed because account.backend_apis.build(...) (called during proxy validation) adds an
unpersisted BackendApi to the account's loaded association. If the account is later validated (e.g.,
during approve! in the provider signup flow), this unpersisted BA fails validation because it has
no private_endpoint. The code fix in BackendApiProxy#backend_api handles the separate issue of
the stale cache but does not remove the unpersisted BA from the association.

Copy link
Copy Markdown
Contributor

@jlledom jlledom Mar 25, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see it so problematic, maybe a comment might help, but if you tried and it works, I think its fine.

# Lookup priority
# 1. Current backend if persisted
# 2. DB backend if any
# 3. Current backend if not persisted
# 4. New backend
def backend_api
  return @backend_api if @backend_api&.persisted?

  @backend_api = backend_api_configs.first&.backend_api ||
                 @backend_api
  @backend_api ||= account.backend_apis.build(system_name: service_system_name, name: "#{service_name} Backend", description: "Backend of #{service_name}")
end

Maybe a clearer refactor (maybe not):

def backend_api
  return @backend_api if @backend_api&.persisted?
  return backend_api_configs.first&.backend_api if backend_api_configs.first&.backend_api&.present?
  return @backend_api if @backend_api&.present?

  account.backend_apis.build(system_name: service_system_name, name: "#{service_name} Backend", description: "Backend of #{service_name}")
end

Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I further changed this one, and also added a different build_backend_api.

This resolves issues in some tests, where the following happens:

  1. a "lazily initialized" backend_api is first built
  2. an actual backend API is built and saved
  3. the account.backend_apis however, still returns the initial "fake" (unpersisted) backend_api object

The previous solution was to do this in the test factories:

      # Proxy validation during service creation calls account.backend_apis.build(...),
      # which adds an unpersisted BackendApi to the association. Remove it to prevent
      # validation failures in later operations on the account.
      record.account.backend_apis.target.delete_if { |ba| !ba.persisted? }

But I really didn't like it, it felt very hacky.

The current solution (while also a bit hacky), is better, I think, because we don't create something that we remove later, we avoid creating it in the first place.

Once this lazily built object is saved, the association that is created is the same.

Copy link
Copy Markdown
Contributor

@jlledom jlledom May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This tricky logic should be tested probably. Maybe a simple set of unit tests would be enough.

Copy link
Copy Markdown
Contributor Author

@mayorova mayorova May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jlledom how about this? 1e28781

Copy link
Copy Markdown
Contributor

@jlledom jlledom May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!. Surprisingly, my previous approval is still there after adding new commits.


# Try to get backend_api from backend_api_configs, or keep the memoized unpersisted one, or build a new one
@backend_api = backend_api_configs.first&.backend_api || @backend_api || build_backend_api
end

def update!(attrs = {})
Expand All @@ -52,6 +56,18 @@ def update(attrs = {})
rescue ActiveRecord::RecordInvalid
false
end

private

def build_backend_api
Copy link
Copy Markdown
Contributor

@akostadinov akostadinov May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
def build_backend_api
def build_dissociated_backend_api

# Build without adding to association to avoid polluting it with unpersisted records
BackendApi.new(
account: account,
system_name: service_system_name,
name: "#{service_name} Backend",
description: "Backend of #{service_name}"
)
end
end

def backend_api_proxy
Expand Down
4 changes: 2 additions & 2 deletions app/lib/fields/fields.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ def initialize(attributes = nil, *args)
# otherwise it raises exception on unknown (extra) fields
# check http://api.rubyonrails.org/classes/ActiveRecord/AttributeAssignment.html#method-i-assign_attributes

def assign_attributes(extra_attributes, options = {})
def assign_attributes(extra_attributes)
# dup the fields because we are mutating them (params hash)
attributes = extra_attributes.present? ? extra_attributes.dup : {}

Expand All @@ -127,7 +127,7 @@ def assign_attributes(extra_attributes, options = {})
self.extra_fields = fields_attributes
end

super(attributes, options)
super(attributes)
end

alias attributes= assign_attributes
Expand Down
3 changes: 1 addition & 2 deletions app/lib/fields/provider.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,8 @@ def initialize(provider)
def for(klass)
columns = klass.column_names
defined = fields_definitions.by_target(klass.name.underscore).map(&:name)
protected = klass.protected_attributes.to_a

((columns + defined) - protected).uniq
(columns + defined).uniq
end
Copy link
Copy Markdown
Contributor

@akostadinov akostadinov May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bob could not grep this method used anywhere. I could not ripgrep that as well. Maybe we can remove this method?

Or if it is still used somewhere, perhaps we should omit the non-assignable attributes?

I'm running some tests and they don't indicate that the method does anything:

│  - ✅ extra_fields_test.rb - 25 tests, 39 assertions - ALL PASSED            │
│  - ✅ fields_definition_test.rb - 27 tests, 73 assertions - ALL PASSED       │
│  - ✅ fields/fields_test.rb - 8 tests, 61 assertions - ALL PASSED            │
│  - ✅ account/fields_test.rb - 7 tests, 15 assertions - ALL PASSED

So perhaps it is dead code to be removed.


protected
Expand Down
6 changes: 3 additions & 3 deletions app/lib/finance/billing.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ def initialize(invoice)

def create_line_item(params)
bill do
@invoice.line_items.create(params, {without_protection: true})
@invoice.line_items.create(params)
end
rescue Invoice::InvalidInvoiceStateException
line_item_with_error(params, :invalid_invoice_state)
Expand All @@ -18,7 +18,7 @@ def create_line_item(params)

def create_line_item!(params)
bill do
@invoice.line_items.create!(params, {without_protection: true})
@invoice.line_items.create!(params)
end
end

Expand All @@ -37,7 +37,7 @@ def bill
end

def line_item_with_error(params, error_type)
LineItem.new(params, {without_protection: true}).tap do |line_item|
LineItem.new(params).tap do |line_item|
line_item.errors.add(:base, error_type.to_sym)
end
end
Expand Down
2 changes: 1 addition & 1 deletion app/lib/logic/cms.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ def cms_toolbar_intro_visible?
end

def create_cms_assets
self.builtin_sections.create!({ title: 'Root', system_name: 'root', parent_id: nil }, without_protection: true)
self.builtin_sections.create!(title: 'Root', system_name: 'root', parent_id: nil)
# TODO: add SimpleLayout logic here
end
end
Expand Down
14 changes: 6 additions & 8 deletions app/lib/signup/impersonation_admin_builder.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,12 @@ def self.build(account:)
config = ThreeScale.config.impersonation_admin
username = config[:username]
impersonation_admin = account.users.new(
{
username: username,
email: "#{username}+#{account.internal_domain}@#{config[:domain]}",
first_name: '3scale',
last_name: 'Admin',
state: 'active'
},
without_protection: true)
username: username,
email: "#{username}+#{account.internal_domain}@#{config[:domain]}",
first_name: '3scale',
last_name: 'Admin',
state: 'active'
)
impersonation_admin.role = :admin
impersonation_admin.signup_type = :minimal
impersonation_admin
Expand Down
3 changes: 1 addition & 2 deletions app/models/access_token.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -178,8 +178,7 @@ def validate_expiration_date
end

def generate_if_missing
return if persisted?
return if @plaintext_value.present?
return if value.present?
Copy link
Copy Markdown
Contributor Author

@mayorova mayorova May 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was required due to the removal of the protected_attributes_continued gem.

The part that got broken is:

porta/test/integration/user-management-api/base_controller_test.rb

Lines 133 to 135 in 0264807

@user.access_tokens.create!(name: 'API', scopes: %w[account_management], permission: 'ro') do |token|
token.value = AccessToken.compute_digest('access_token')
end

and, as a result, the tests that were relying on this setup.

      @user.access_tokens.create!(name: 'API', scopes: %w[account_management], permission: 'ro') do |token|
        token.value = AccessToken.compute_digest('access_token')
      end

So, apparently, the gem was overriding the .create! and other methods in the chain, and the after_initialize :generate_if_missing callback was being executed before the block passed to create!, so it worked as expected.

After removing the gem, the execution stack consists of the standard active_record methods, and in this case, first the block passed to create! is executed, and only after than, the after_initialize :generate_if_missing gets called. As the block doesn't set the @plaintext_value attribute, nor is the object persisted yet, the generate_if_missing method doesn't return, and generates a new random value instead, thus overriding the one set in the create! block.

I think checking for value presence should be good enough as an alternative for the previous checks.

Copy link
Copy Markdown
Contributor Author

@mayorova mayorova May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jlledom can you please take a look at this change and let me know if you think it's fine?

All tests are passing 🙌

Copy link
Copy Markdown
Contributor

@jlledom jlledom May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've been checking and this looks correct to me. Even better than before.


@plaintext_value = self.class.random_id
self.value = self.class.compute_digest(@plaintext_value)
Expand Down
3 changes: 0 additions & 3 deletions app/models/account_setting.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,6 @@ def self.find_sti_class(type_name)
self
end

# TODO: remove attr_accessible once protected_attributes_continued gem is removed
attr_accessible :type, :value, :account, :tenant_id

belongs_to :account, inverse_of: :account_settings

audited associated_with: :account
Expand Down
2 changes: 1 addition & 1 deletion app/models/cms/template.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ def current

def build_version(attrs = {})
version = versions.build
version.assign_attributes(version_attributes.merge(attrs), :without_protection => true)
version.assign_attributes(version_attributes.merge(attrs))
version
end

Expand Down
6 changes: 2 additions & 4 deletions app/models/cms/template/version.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,10 +32,8 @@ def diff(other)
end

def revert_attributes
accessible = template.class.accessible_attributes.delete('draft').add('updated_at').add('updated_by')

accessible << state.to_s
attributes.slice *accessible
accessible = [:updated_at, :updated_by, state.to_s]
Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't remember how exactly I came up with this replacement, but I think it was just debugging and checking what fields were actually available there.

Copy link
Copy Markdown
Contributor

@jlledom jlledom Apr 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to Claude, I broke this method in this commit: 33b70d3

However, after my changes it was effectively doing the same you do in this commit, just returning [:updated_at, :updated_by, state.to_s].

So I guess:

  1. Either versioning was broke and nobody noticed
  2. This worked by coincidence

There are no tests for Template#revert_to or Version#revert_attributes. So if I broke something there were no tests to catch the regression. There's a cucumber about template versioning which passed, though.

Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm... I don't see changes to that file in the commit you mentioned 🤔

Copy link
Copy Markdown
Contributor

@jlledom jlledom Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In that commit, I removed the protected attributes for the Template model:

- attr_accessible :provider, :draft, :liquid_enabled, :handler

After that change, template.class.accessible_attributes returned nothing, so the end result was equivalent to [:updated_at, :updated_by, state.to_s]

Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I, I see, right, thank you for the explanation!

Yeah, it rings a bell now, indeed, that accessible_attributes was returning an empty array.

Copy link
Copy Markdown
Contributor

@jlledom jlledom Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think the versioning feature is working fine? didn't I break it?

Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I tried, it seemed to be doing the right thing.

Copy link
Copy Markdown
Contributor

@jlledom jlledom Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A good engineer knows how to make mistakes!

attributes.slice(*accessible)
end

end
2 changes: 1 addition & 1 deletion app/models/contract.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ class Contract < ApplicationRecord
# https://github.com/collectiveidea/audited/blob/f03c5b5d1717f2ebec64032d269316dc74476056/lib/audited/auditor.rb#L305-L311
self.table_name = 'cinstances'

audited allow_mass_assignment: true
audited

# FIXME: This class should be an abstract class I think, but doing so makes plenty of tests fail
# self.abstract_class = true
Expand Down
2 changes: 1 addition & 1 deletion app/models/feature.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ class Feature < ApplicationRecord

self.background_deletion = [:features_plans]

audited :allow_mass_assignment => true
audited

#TODO: these need tests
#OPTIMIZE subclassing a better solution for these 2
Expand Down
2 changes: 1 addition & 1 deletion app/models/finance/billing_strategy.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ class << self
prepend NonAuditedColumns
end

audited :allow_mass_assignment => true
audited

attr_reader :failed_buyers

Expand Down
2 changes: 1 addition & 1 deletion app/models/invoice.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ class Invoice < ApplicationRecord
enum creation_type: {manual: 'manual', background: 'background'}

include AfterCommitQueue
audited :allow_mass_assignment => true
audited
has_associated_audits

class InvalidInvoiceStateException < RuntimeError; end
Expand Down
2 changes: 1 addition & 1 deletion app/models/line_item.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ class LineItem < ApplicationRecord
belongs_to :contract, polymorphic: true
belongs_to :metric, inverse_of: :line_items

audited associated_with: :invoice, allow_mass_assignment: true
audited associated_with: :invoice

validates :name, :description, :type, :contract_type, length: { maximum: 255 }
validates :type, inclusion: {in: [LineItem::PlanCost, LineItem::VariableCost].flat_map { |klass| [klass, klass.to_s]}, allow_blank: true}
Expand Down
15 changes: 8 additions & 7 deletions app/models/mail_dispatch_rule.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,15 @@ def self.fetch_with_retry!(options, &block)
retries = 0

begin
MailDispatchRule.find_or_create_by!(options, &block)
# Use find_by + create! directly to avoid transaction wrapper from create_or_find_by!
# This preserves the old behavior from protected_attributes_continued gem
# where records created in the block are committed even if the outer create fails
find_by(options) || create!(options, &block)
Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure whether this is the right thing to do...

This is basically keeping the old behavior.

The test that is failing without it is:

  def test_fetch_with_retry
    expected = nil
    rule = MailDispatchRule.fetch_with_retry!(account_id: 1, system_operation_id: 1) do |rule|
      expected = rule.dup
      expected.save!
    end

    assert_equal expected , rule
  end

It verifies (how I understand it) that if a race condition occurs when creating MailDispatchRule twiche with the same attributes, .fetch_with_retry! will still successfully create just a single object.

With no code change, the test fails with the error:

Couldn't find MailDispatchRule with [WHERE `mail_dispatch_rules`.`account_id` = ? AND `mail_dispatch_rules`.`system_operation_id` = ? AND `mail_dispatch_rules`.`account_id` = ? AND `mail_dispatch_rules`.`system_operation_id` = ?]
/opt/ci/workdir/vendor/bundle/ruby/3.3.0/gems/activerecord-7.1.5.2/lib/active_record/relation/finder_methods.rb:413:in `raise_record_not_found_exception!'
/opt/ci/workdir/vendor/bundle/ruby/3.3.0/gems/activerecord-7.1.5.2/lib/active_record/relation/finder_methods.rb:127:in `take!'
/opt/ci/workdir/vendor/bundle/ruby/3.3.0/gems/activerecord-7.1.5.2/lib/active_record/relation/finder_methods.rb:110:in `find_by!'
/opt/ci/workdir/vendor/bundle/ruby/3.3.0/gems/activerecord-7.1.5.2/lib/active_record/relation.rb:232:in `rescue in create_or_find_by!'
/opt/ci/workdir/vendor/bundle/ruby/3.3.0/gems/activerecord-7.1.5.2/lib/active_record/relation.rb:228:in `create_or_find_by!'
/opt/ci/workdir/vendor/bundle/ruby/3.3.0/gems/activerecord-7.1.5.2/lib/active_record/relation.rb:183:in `find_or_create_by!'
/opt/ci/workdir/vendor/bundle/ruby/3.3.0/gems/activerecord-7.1.5.2/lib/active_record/querying.rb:23:in `find_or_create_by!'
/opt/ci/workdir/app/models/mail_dispatch_rule.rb:13:in `fetch_with_retry!'
/opt/ci/workdir/test/unit/mail_dispatch_rule_test.rb:7:in `test_fetch_with_retry'

So, with protected_attributes_continued gem, there was this code:

def find_or_create_by!(attributes, options = {}, &block)
  find_by(attributes.respond_to?(:to_unsafe_h) ? attributes.to_unsafe_h : attributes) || create!(attributes, options, &block)
end

With the gem removed, the ActiveRecord method is being called directly:

def find_or_create_by!(attributes, &block)
  find_by(attributes) || create_or_find_by!(attributes, &block)
end

create_or_find_by! wraps the createion in a transaction, so if anything fails within it, all created objects get rolled back.
So, apparently, ActiveRecord::RecordNotUnique is raised, and then find_by! fails with ActiveRecord::RecordNotFound, which is what the test detects.

Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, honestly, my feeling is that it's that the test doesn't represent what would be happening in the production code. If the object is created in two different places, then Rails' standard find_or_create_by! should just handle it.

So, we probably don't need this loop, and the race condition simulation should be done in a different way.

However, I don't want to risk it, because I don't quite understand the possible use case, so I decided to just keep the previous behavior.

Copy link
Copy Markdown
Contributor

@jlledom jlledom Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think MailDispatchRule is dead code after I migrated to the new notification system. I checked and fetch_with_retry! is not called from anywhere in our codebase.

I don't remember all details now, but I think any changes there will not have any effect.

Copy link
Copy Markdown
Contributor

@jlledom jlledom Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found this: https://redhat.atlassian.net/browse/THREESCALE-11825

Copy link
Copy Markdown
Contributor Author

@mayorova mayorova Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good, thank you for the info!

Copy link
Copy Markdown
Contributor

@akostadinov akostadinov May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we remove the class then? No need for a migration, we can add the migration in the JIRA. But why keep this code at all?

rescue ActiveRecord::RecordNotUnique
if retries > 10
raise
else
retries += 1
retry
end
raise if retries > 10

retries += 1
retry
end
end
end
2 changes: 1 addition & 1 deletion app/models/metric.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ class Metric < ApplicationRecord

has_many :proxy_rules, :dependent => :destroy, inverse_of: :metric

audited :allow_mass_assignment => true
audited
has_system_name uniqueness_scope: %i[owner_type owner_id], human_name: :friendly_name

acts_as_tree
Expand Down
2 changes: 1 addition & 1 deletion app/models/payment_detail.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ class PaymentDetail < ApplicationRecord

belongs_to :account

audited allow_mass_assignment: true
audited

validates :credit_card_partial_number, length: { :maximum => 4,
:allow_blank => true,
Expand Down
2 changes: 1 addition & 1 deletion app/models/plan.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ class PeriodRangeCalculationError < StandardError; end

has_system_name :uniqueness_scope => [ :type, :issuer_id, :issuer_type ]

audited :allow_mass_assignment => true
audited
acts_as_list scope: %i[issuer_id issuer_type]

# There is a race condition here, the record gets deleted but the callbacks were not triggered yet
Expand Down
2 changes: 1 addition & 1 deletion app/models/pricing_rule.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
class PricingRule < ApplicationRecord
DECIMALS = 4
audited :allow_mass_assignment => true
audited

belongs_to :plan
belongs_to :metric
Expand Down
2 changes: 1 addition & 1 deletion app/models/provider_constraints.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
class ProviderConstraints < ApplicationRecord
NO_LIMIT = Float::INFINITY

audited allow_mass_assignment: true
audited

belongs_to :provider, class_name: 'Account'

Expand Down
6 changes: 3 additions & 3 deletions app/models/settings.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ class Settings < ApplicationRecord
include Symbolize
belongs_to :account, inverse_of: :settings

audited allow_mass_assignment: true
audited

validates :product, inclusion: { in: %w[connect enterprise].freeze }
validates :change_account_plan_permission, :change_service_plan_permission, inclusion: { in: %w[request none credit_card request_credit_card direct].freeze }
Expand Down Expand Up @@ -37,8 +37,8 @@ def approval_required_disabled?
not_custom_account_plans.size > 1 && account_plans_ui_visible?
end

def assign_attributes(attrs, options = {})
super(sanitize_attributes(attrs), options)
def assign_attributes(attrs)
super(sanitize_attributes(attrs))
end

def update(attrs)
Expand Down
2 changes: 1 addition & 1 deletion app/services/finance/stripe_payment_intent_update_service.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,6 @@ def create_payment_transaction
params: source_object
}

payment_transactions.create(attributes, without_protection: true)
payment_transactions.create(attributes)
end
end
2 changes: 1 addition & 1 deletion app/services/service_discovery/import_cluster_definitions_service.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ def import_cluster_active_docs_to(service)
end

def build_api_doc_service(service)
service.api_docs_services.build({ name: cluster_service.name, published: true, discovered: true }, without_protection: true)
service.api_docs_services.build(name: cluster_service.name, published: true, discovered: true)
end

def valid_cluster_service_spec?(service)
Expand Down
2 changes: 1 addition & 1 deletion app/workers/audited_worker.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ class AuditedWorker

def perform(attributes)
audit = Audited.audit_class.new
audit.assign_attributes(attributes, without_protection: true) # Rails 4 can remove the option
audit.assign_attributes(attributes)
audit.save!
end
end
2 changes: 1 addition & 1 deletion app/workers/backend_delete_service_worker.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ def perform(event_id)
event = EventStore::Repository.find_event!(event_id)
service_id = event.service_id
ThreeScale::Core::Service.delete_stats(service_id, {})
service = Service.new({id: service_id}, without_protection: true)
service = Service.new(id: service_id)
service.delete_backend_service
rescue ActiveRecord::RecordNotFound => exception
System::ErrorReporting.report_error(exception, parameters: {event_id: event_id})
Expand Down
2 changes: 0 additions & 2 deletions config/application.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,8 +131,6 @@ def try_config_for(*args)

config.logger = ActiveSupport::TaggedLogging.new(ActiveSupport::Logger.new(STDOUT)) if ENV['RAILS_LOG_TO_STDOUT'].present?

config.active_record.whitelist_attributes = false

config.boot_time = Time.now

# Configuration for the application, engines, and railties goes here.
Expand Down
Loading