In a JSON API Controller, I use a before_action to check if any key of params is not allowed for that action and respond with a 400 error in case any of the given keys are not allowed.
However, simply iterating over params also yields action, controller and format.
Hardcoding these as “always allowed” seems clumsy and I don’t know the list to be complete.
Is there a way to iterate only user-provided GET and POST params?
Is that pollution of params some kind of legacy garbage? We have action_name, controller_name and request.format for the above three.