Rails params: where did _json come from, and how do I whitelist it's contents?

Question

I am writing a Rails API and attempting to create multiple records at the same time by passing a JSON array into the controller, like this:

[
    {
        "workflow_id": 1,
        "action": "Some Other Action",
        "order": 2,
        "notes": null
    },
    {
        "workflow_id": 1,
        "action": "Some Action",
        "order": 1,
        "notes": null
    }
]

When I view the parameters coming into the controller, this is what I see:

<ActionController::Parameters {"_json"=>[{"workflow_id"=>1, "action"=>"Some Other Action", "order"=>2, "notes"=>nil}, {"workflow_id"=>1, "action"=>"Some Action", "order"=>1, "notes"=>nil}], "controller"=>"workflow_steps", "action"=>"update", "workflow_id"=>"1", "workflow_step"=>{}} permitted: false>

First of all, I'm unfamiliar with _json. Is this a Rails convention for when an array is passed in? I could not find any documentation on it.

Second, When I try this: WorkflowStep.create(params[:_json]) I get the expected ForbiddenAttributesError. But, I cannot figure out how to properly whitelist the json objects in my array. I've tried these:

params.require(:_json).permit(_json: [:workflow_id, :action, :notes, :order])
params.permit(_json: [:workflow_id, :action, :notes, :order])

But I get this error: undefined method permit' for #Array:0x00007ffdeb0f8188`

I am unsure how to proceed. Thank you.

Answer 1

params.require(:_json) returns an array of ActionController::Parameters objects so you can whitelist using the code below:

params.require(:_json).map do |param| 
  param.permit(:workflow_id, :action, :order, :notes).to_h
end