Convert params.permit to params.expect

Use params[:id] for params in path

app/controllers/api/v1/api_keys_controller.rb

@@ -86,7 +86,7 @@ def otp
   end
 
   def key_param
-    params.permit(:api_key).require(:api_key)
+    params.expect(:api_key)
   end
 
   def api_key_create_params

app/controllers/api/v1/deletions_controller.rb

@@ -36,7 +36,7 @@ def validate_gem_and_version
       render_forbidden response_with_mfa_warning("You do not have permission to delete this gem.")
     else
       begin
-        version = params.permit(:version).require(:version)
+        version = params.expect(:version)
         platform = params.permit(:platform).fetch(:platform, nil)
         @version = @rubygem.find_version!(number: version, platform: platform)
       rescue ActiveRecord::RecordNotFound

app/controllers/api/v1/github_secret_scanning_controller.rb

@@ -24,7 +24,7 @@ def revoke
     return render plain: "Can't fetch public key from GitHub", status: :unauthorized if key.empty_public_key?
     return render plain: "Invalid GitHub Signature", status: :unauthorized unless key.valid_github_signature?(signature, request.body.read.chomp)
 
-    tokens = params.permit(_json: %i[token type url]).require(:_json).index_by { |t| hashed_key(t.require(:token)) }
+    tokens = params.expect(_json: %i[token type url]).index_by { |t| hashed_key(t.require(:token)) }
     api_keys = ApiKey.where(hashed_key: tokens.keys).index_by(&:hashed_key)
     resp = tokens.map do |hashed_key, t|
       api_key = api_keys[hashed_key]

app/controllers/api/v1/hook_relay_controller.rb

@@ -22,7 +22,7 @@ def hook_relay_report_params
   end
 
   def authenticate_hook_relay_report
-    account_id, hook_id = params.permit(%i[account_id hook_id]).require(%i[account_id hook_id])
+    account_id, hook_id = params.expect(%i[account_id hook_id])
 
     ActiveSupport::SecureCompareRotator.new(ENV.fetch("HOOK_RELAY_ACCOUNT_ID", "")).secure_compare!(account_id)
     ActiveSupport::SecureCompareRotator.new(ENV.fetch("HOOK_RELAY_HOOK_ID", "")).secure_compare!(hook_id)

app/controllers/api/v1/oidc/api_key_roles_controller.rb

@@ -26,7 +26,7 @@ def index
   end
 
   def show
-    render json: @api_key.user.oidc_api_key_roles.find_by!(token: params.permit(:token).require(:token))
+    render json: @api_key.user.oidc_api_key_roles.find_by!(token: params.expect(:token))
   end
 
   def assume_role
@@ -60,7 +60,7 @@ def assume_role
   private
 
   def set_api_key_role
-    @api_key_role = OIDC::ApiKeyRole.active.find_by!(token: params.permit(:token).require(:token))
+    @api_key_role = OIDC::ApiKeyRole.active.find_by!(token: params.expect(:token))
     @provider = @api_key_role.provider
   end
 

app/controllers/api/v1/oidc/id_tokens_controller.rb

@@ -7,6 +7,6 @@ def index
   end
 
   def show
-    render json: @api_key.user.oidc_id_tokens.find(params.permit(:id).require(:id))
+    render json: @api_key.user.oidc_id_tokens.find(params[:id])
   end
 end

app/controllers/api/v1/oidc/providers_controller.rb

@@ -7,6 +7,6 @@ def index
   end
 
   def show
-    render json: OIDC::Provider.find(params.permit(:id).require(:id))
+    render json: OIDC::Provider.find(params[:id])
   end
 end

app/controllers/api/v1/oidc/rubygem_trusted_publishers_controller.rb

@@ -39,11 +39,11 @@ def find_rubygem
   end
 
   def find_rubygem_trusted_publisher
-    @rubygem_trusted_publisher = @rubygem.oidc_rubygem_trusted_publishers.find(params.permit(:id).require(:id))
+    @rubygem_trusted_publisher = @rubygem.oidc_rubygem_trusted_publishers.find(params[:id])
   end
 
   def set_trusted_publisher_type
-    trusted_publisher_type = params.permit(:trusted_publisher_type).require(:trusted_publisher_type)
+    trusted_publisher_type = params.expect(:trusted_publisher_type)
 
     @trusted_publisher_type = OIDC::TrustedPublisher.all.find { |type| type.polymorphic_name == trusted_publisher_type }
 

app/controllers/api/v1/owners_controller.rb

@@ -77,7 +77,7 @@ def render_not_found
   end
 
   def email_param
-    params.permit(:email).require(:email)
+    params.expect(:email)
   end
 
   def ownership_params

app/controllers/api/v1/rubygems_controller.rb

@@ -36,7 +36,7 @@ def create
 
     gem_body = attestations = nil
     if %w[multipart/form-data multipart/mixed].include?(request.media_type)
-      gem_body = params.permit(:gem).require(:gem)
+      gem_body = params.expect(:gem)
       return render_bad_request("gem is not a file upload") unless gem_body.is_a?(ActionDispatch::Http::UploadedFile)
       return render_bad_request("missing attestations") unless (attestations = params[:attestations]).is_a?(String)
       attestations = ActiveSupport::JSON.decode(attestations)

app/controllers/api/v1/searches_controller.rb

@@ -29,6 +29,6 @@ def search_not_available_error(error)
   end
 
   def query_params
-    params.permit(:query).require(:query)
+    params.expect(:query)
   end
 end

app/controllers/api/v1/timeframe_versions_controller.rb

@@ -24,7 +24,7 @@ def ensure_valid_timerange
   end
 
   def from_time
-    @from_time ||= Time.iso8601(params.permit(:from).require(:from))
+    @from_time ||= Time.iso8601(params.expect(:from))
   rescue ArgumentError
     raise InvalidTimeframeParameterError, "the from parameter must be iso8601 formatted"
   end

app/controllers/api_keys_controller.rb

@@ -18,7 +18,7 @@ def new
   end
 
   def edit
-    @api_key = current_user.api_keys.find(params.permit(:id).require(:id))
+    @api_key = current_user.api_keys.find(params[:id])
     return unless @api_key.soft_deleted?
 
     flash[:error] = t(".invalid_key")
@@ -48,7 +48,7 @@ def create
   end
 
   def update
-    @api_key = current_user.api_keys.find(params.permit(:id).require(:id))
+    @api_key = current_user.api_keys.find(params[:id])
     @api_key.assign_attributes(api_key_update_params(@api_key))
 
     if @api_key.errors.present?
@@ -65,7 +65,7 @@ def update
   end
 
   def destroy
-    api_key = current_user.api_keys.find(params.permit(:id).require(:id))
+    api_key = current_user.api_keys.find(params[:id])
 
     if api_key.expire!
       flash[:notice] = t(".success", name: api_key.name)
@@ -93,19 +93,19 @@ def verify_session_redirect_path
     when "create"
       new_profile_api_key_path
     when "update"
-      edit_profile_api_key_path(params.permit(:id).require(:id))
+      edit_profile_api_key_path(params[:id])
     else
       super
     end
   end
 
   def api_key_create_params
-    ApiKeysHelper.api_key_params(params.permit(api_key: [:name, *ApiKey::API_SCOPES, :mfa, :rubygem_id, :expires_at]).require(:api_key))
+    ApiKeysHelper.api_key_params(params.expect(api_key: [:name, *ApiKey::API_SCOPES, :mfa, :rubygem_id, :expires_at]))
   end
 
   def api_key_update_params(existing_api_key = nil)
     ApiKeysHelper.api_key_params(
-      params.permit(api_key: [*ApiKey::API_SCOPES, :mfa, :rubygem_id, { scopes: [ApiKey::API_SCOPES] }]).require(:api_key), existing_api_key
+      params.expect(api_key: [*ApiKey::API_SCOPES, :mfa, :rubygem_id, { scopes: [ApiKey::API_SCOPES] }]), existing_api_key
     )
   end
 end

app/controllers/concerns/jwt_validation.rb

@@ -21,7 +21,7 @@ def jwt_key_or_secret
   end
 
   def decode_jwt
-    @jwt = JSON::JWT.decode_compact_serialized(params.permit(:jwt).require(:jwt), jwt_key_or_secret)
+    @jwt = JSON::JWT.decode_compact_serialized(params.expect(:jwt), jwt_key_or_secret)
   rescue JSON::JWT::InvalidFormat, JSON::ParserError, ArgumentError => e
     # invalid base64 raises ArgumentError
     render_bad_request(e)

app/controllers/concerns/latest_version.rb

@@ -7,7 +7,7 @@ def latest_version
     end
 
     def latest_version_by_slug
-      @latest_version = @rubygem.find_version_by_slug!(params.permit(:version_id).require(:version_id))
+      @latest_version = @rubygem.find_version_by_slug!(params.expect(:version_id))
     end
   end
 end

app/controllers/concerns/webauthn_verifiable.rb

@@ -64,7 +64,7 @@ def challenge
   end
 
   def credential_params
-    params.permit(credentials: PERMITTED_CREDENTIALS).require(:credentials)
+    params.expect(credentials: PERMITTED_CREDENTIALS)
   end
 
   PERMITTED_CREDENTIALS = [

app/controllers/email_confirmations_controller.rb

@@ -72,11 +72,11 @@ def confirm_email
   end
 
   def email_params
-    params.permit(email_confirmation: :email).require(:email_confirmation).require(:email)
+    params.expect(email_confirmation: :email).require(:email)
   end
 
   def token_params
-    params.permit(:token).require(:token)
+    params.expect(:token)
   end
 
   def login_failure(message)

app/controllers/multifactor_auths_controller.rb

@@ -42,7 +42,7 @@ def recovery
   private
 
   def level_param
-    params.permit(:level).require(:level)
+    params.expect(:level)
   end
 
   def issuer

app/controllers/notifiers_controller.rb

@@ -25,7 +25,7 @@ def update
   private
 
   def notifier_params
-    params.permit(ownerships: %i[push owner ownership_request]).require(:ownerships)
+    params.expect(ownerships: %i[push owner ownership_request])
   end
 
   def notifier_options(param)

app/controllers/oauth_controller.rb

@@ -18,7 +18,7 @@ def create
   end
 
   def failure
-    render_forbidden params.permit(:message).require(:message)
+    render_forbidden params.expect(:message)
   end
 
   def development_log_in_as

app/controllers/oidc/api_key_roles_controller.rb

@@ -103,7 +103,7 @@ def verify_session_redirect_path
   def find_api_key_role
     @api_key_role = current_user.oidc_api_key_roles
       .includes(:provider)
-      .find_by!(token: params.permit(:token).require(:token))
+      .find_by!(token: params.expect(:token))
   end
 
   def redirect_for_deleted
@@ -125,7 +125,7 @@ def redirect_for_deleted
   ].freeze
 
   def api_key_role_params
-    params.permit(oidc_api_key_role: PERMITTED_API_KEY_ROLE_PARAMS).require(:oidc_api_key_role)
+    params.expect(oidc_api_key_role: PERMITTED_API_KEY_ROLE_PARAMS)
   end
 
   def add_default_params(rubygem, statement, condition)

app/controllers/oidc/concerns/trusted_publisher_creation.rb

@@ -11,7 +11,7 @@ module OIDC::Concerns::TrustedPublisherCreation
   end
 
   def set_trusted_publisher_type
-    trusted_publisher_type = params.permit(create_params_key => :trusted_publisher_type).require(create_params_key).require(:trusted_publisher_type)
+    trusted_publisher_type = params.expect(create_params_key => :trusted_publisher_type).require(:trusted_publisher_type)
 
     @trusted_publisher_type = OIDC::TrustedPublisher.all.find { |type| type.polymorphic_name == trusted_publisher_type }
 

app/controllers/oidc/id_tokens_controller.rb

@@ -23,6 +23,6 @@ def show
   private
 
   def find_id_token
-    @id_token = current_user.oidc_id_tokens.find(params.permit(:id).require(:id))
+    @id_token = current_user.oidc_id_tokens.find(params[:id])
   end
 end

app/controllers/oidc/pending_trusted_publishers_controller.rb

@@ -60,6 +60,6 @@ def create_params
   def create_params_key = :oidc_pending_trusted_publisher
 
   def find_pending_trusted_publisher
-    @pending_trusted_publisher = authorize current_user.oidc_pending_trusted_publishers.find(params.permit(:id).require(:id))
+    @pending_trusted_publisher = authorize current_user.oidc_pending_trusted_publishers.find(params[:id])
   end
 end

app/controllers/oidc/providers_controller.rb

@@ -19,6 +19,6 @@ def show
   private
 
   def find_provider
-    @provider = OIDC::Provider.find(params.permit(:id).require(:id))
+    @provider = OIDC::Provider.find(params[:id])
   end
 end

app/controllers/oidc/rubygem_trusted_publishers_controller.rb

@@ -57,7 +57,7 @@ def find_rubygem
   end
 
   def find_rubygem_trusted_publisher
-    @rubygem_trusted_publisher = authorize @rubygem.oidc_rubygem_trusted_publishers.find(params.permit(:id).require(:id))
+    @rubygem_trusted_publisher = authorize @rubygem.oidc_rubygem_trusted_publishers.find(params[:id])
   end
 
   def gh_actions_trusted_publisher

app/controllers/organizations_controller.rb

@@ -46,10 +46,10 @@ def update
   private
 
   def find_organization
-    @organization = Organization.find_by_handle!(params.permit(:id).require(:id))
+    @organization = Organization.find_by_handle!(params[:id])
   end
 
   def organization_params
-    params.permit(organization: [:name]).require(:organization)
+    params.expect(organization: [:name])
   end
 end

app/controllers/owners_controller.rb

@@ -90,11 +90,11 @@ def find_ownership
   end
 
   def token_params
-    params.permit(:token).require(:token)
+    params.expect(:token)
   end
 
   def handle_params
-    params.permit(:handle).require(:handle)
+    params.expect(:handle)
   end
 
   def update_params

app/controllers/ownership_requests_controller.rb

@@ -26,7 +26,7 @@ def create
   def update
     @ownership_request = OwnershipRequest.find(params[:id])
 
-    case params.permit(:status).require(:status)
+    case params.expect(:status)
     when "close" then close
     when "approve" then approve
     else redirect_try_again

app/controllers/pages_controller.rb

@@ -11,7 +11,7 @@ def show
   private
 
   def find_page
-    id = params.permit(:id).require(:id)
+    id = params[:id]
     raise ActionController::RoutingError, "Page not found" unless Gemcutter::PAGES.include?(id)
     @page = id
   end

app/controllers/passwords_controller.rb

@@ -94,7 +94,7 @@ def delete_password_reset_session
   end
 
   def reset_params
-    params.permit(password_reset: %i[password reset_api_key reset_api_keys]).require(:password_reset)
+    params.expect(password_reset: %i[password reset_api_key reset_api_keys])
   end
 
   def mfa_failure(message)

app/controllers/profiles_controller.rb

@@ -61,15 +61,15 @@ def security_events
   private
 
   def params_user
-    params.permit(user: PERMITTED_PROFILE_PARAMS).require(:user).tap do |hash|
+    params.expect(user: PERMITTED_PROFILE_PARAMS).tap do |hash|
       hash.delete(:unconfirmed_email) if hash[:unconfirmed_email] == current_user.email
     end
   end
 
   PERMITTED_PROFILE_PARAMS = %i[handle twitter_username unconfirmed_email public_email full_name].freeze
 
   def verify_password
-    password = params.permit(user: :password).require(:user)[:password]
+    password = params.expect(user: :password)[:password]
     return if current_user.authenticated?(password)
     redirect_to edit_profile_path, notice: t("profiles.request_denied")
   end

app/controllers/sendgrid_events_controller.rb

@@ -31,6 +31,6 @@ def create
   def events_params
     # SendGrid send a JSON array of 1+ events. Each event is a JSON object, see docs:
     # https://sendgrid.com/docs/for-developers/tracking-events/event/
-    params.permit(_json: SENDGRID_EVENT_ATTRIBUTES).require(:_json)
+    params.expect(_json: SENDGRID_EVENT_ATTRIBUTES)
   end
 end