Recently I was experiencing a problem with a Rails API where I would update a model with new attributes, then add the new attributes to the model's factory, and then add the corresponding model and request specs.
The problem was that I would forget to whitelist the new attributes in the controller. Then running the request specs would not detect the error since I only test against one updated attribute that was whitelisted long ago. This became really annoying since I had no way to know if the new attributes were being whitelisted or not, and my tests weren't saying anything about it. This problem becomes even more apparent when the list of whitelisted attributes starts becoming very long.
In an API following the JSON API specification, here is an example of what the strong parameters method would look like:

    def thing_params
      params.require(:data).require(:attributes).permit(
        :color, :size, :age, :name, :owner, :origin,
        :location, :purpose, :price, :alive
      )
    end

As you can see, the list of attributes is getting pretty long. And we do not want to explicitly keep adding more attributes to the test.
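
The failure mode described above, reproduced as an added example in plain Ruby (not code from this post, and not Rails itself): the stand-in `thing_params` mimics only the fact that unlisted keys are dropped silently. The `weight` attribute, the sample values, and the helper names are assumptions made for illustration.

```ruby
# Plain-Ruby stand-in for the require/permit chain above. It mimics only the
# behaviour relevant here (unlisted keys are dropped silently); it is not
# Rails' ActionController::Parameters.
PERMITTED = %i[color size age name owner origin location purpose price alive].freeze

# Stand-in for params.require(:data).require(:attributes).permit(*PERMITTED)
def thing_params(params, permitted = PERMITTED)
  attributes = params.fetch(:data).fetch(:attributes)
  attributes.select { |key, _| permitted.include?(key) }
end

# Builds a JSON API style payload from a hash of attributes.
def payload(attributes)
  { data: { type: "things", attributes: attributes } }
end

# Returns the attributes that were sent but did not survive filtering.
def dropped_attributes(sent, permitted = PERMITTED)
  sent.keys - thing_params(payload(sent), permitted).keys
end

# Constructed sample: :weight (hypothetical) was added to the model and the
# factory, but never added to the permit list.
FACTORY_ATTRIBUTES = {
  color: "red", size: "large", age: 3, name: "Rex", owner: "Sam",
  origin: "Peru", location: "Lima", purpose: "demo", price: 10,
  alive: true, weight: 42
}.freeze

# What the existing request spec does: update one long-permitted attribute.
def narrow_check_passes?
  thing_params(payload(color: "blue")) == { color: "blue" }
end

# What catches the drift: send every attribute and diff the result.
def full_check_passes?
  dropped_attributes(FACTORY_ATTRIBUTES).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "narrow check passes: #{narrow_check_passes?}"
  puts "full check passes:   #{full_check_passes?}"
  puts "dropped: #{dropped_attributes(FACTORY_ATTRIBUTES).inspect}"
end
```

The list compared against should be the attributes meant to be client-writable, not every column on the model, so that the check never pushes a sensitive attribute into the permit list.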
Testing Strong Parameters in Controller Specs
After the release of Rails 5 I started ditching controller specs in favor of request specs. I like this approach and I think it's great, but I think it would be too much unnecessary work to test in the request spec that all the necessary attributes are whitelisted. Therefore I proceeded to create very simple controller specs that would test that all attributes of importance are whitelisted in the controller.