
Fix strong param checks so they can handle dynamic wizard fields

Angus McLeod há 7 anos atrás
pai
commit
8a216fcfcf
3 ficheiros alterados com 12 adições e 5 exclusões
  1. 8 1
      controllers/steps.rb
  2. 0 1
      lib/builder.rb
  3. 4 3
      lib/wizard.rb

+ 8 - 1
controllers/steps.rb

@@ -2,8 +2,15 @@ class CustomWizard::StepsController < ApplicationController
   before_action :ensure_logged_in
 
   def update
+    params.require(:step_id)
+    params.require(:wizard_id)
     field_ids = CustomWizard::Wizard.field_ids(params[:wizard_id], params[:step_id])
-    permitted = params.permit(:step_id, :wizard_id, fields: field_ids.map(&:to_sym)) if field_ids.present?
+
+    permitted = params.permit(:wizard_id, :step_id)
+    if params[:fields]
+      permitted[:fields] = params[:fields].select { |k, v| field_ids.include? k }
+      permitted.permit!
+    end
 
     wizard = CustomWizard::Builder.new(current_user, permitted[:wizard_id].underscore).build
     updater = wizard.create_updater(permitted[:step_id], permitted[:fields])
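Review bot: `permitted.permit!` marks the whole `fields` subtree as permitted, so the key filter on the line above limits which field ids get through but not the shape of their values; a nested hash or array under an allowed id reaches `create_updater` unchecked. If field values are meant to be scalars, `permitted[:fields] = params[:fields].permit(*field_ids)` keeps the allow-list without `permit!`. If some fields legitimately carry structured values, the updater should validate each value's type instead. The block also assumes `params[:fields]` is hash-like: a plain string there would most likely raise on `select` and surface as a 500, so a guard such as `if params[:fields].respond_to?(:permit)` is worth adding. `update` continues past the end of the hunk.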

+ 0 - 1
lib/builder.rb

@@ -219,7 +219,6 @@ class CustomWizard::Builder
                   a['profile_updates'].each do |pu|
                     attributes[pu['value'].to_sym] = data[pu['key']]
                   end
-                  puts "UPDATING WITH: #{attributes}"
                   user_updater.update(attributes) if attributes.present?
                 end
               end

+ 4 - 3
lib/wizard.rb

@@ -122,17 +122,18 @@ class CustomWizard::Wizard
 
   def self.step_ids(wizard_id)
     steps = self.steps(wizard_id)
-    steps.map { |s| s['id'] }.flatten.uniq if steps
+    return [] if !steps
+    steps.map { |s| s['id'] }.flatten.uniq
   end
 
   def self.field_ids(wizard_id, step_id)
     steps = self.steps(wizard_id)
-    return nil if !steps
+    return [] if !steps
     step = steps.select { |s| s['id'] === step_id }.first
     if step && fields = step['fields']
       fields.map { |f| f['id'] }
     else
-      nil
+      []
     end
   end
 end
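Review bot: Returning `[]` from `field_ids` and `step_ids` for a missing wizard or step makes "unknown id" indistinguishable from "step with no fields". As far as this commit shows, the caller in controllers/steps.rb then goes on to build the wizard and create the updater either way, so a request naming a nonexistent step is not rejected here. The new contract deserves a comment above each method, e.g. `# Always returns an Array; [] when the wizard or step is unknown or the step has no fields.`, and the controller should probably reject unknown ids explicitly. As a point of style, both new guards read better as `return [] unless steps`.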