Make authorize_param support non-array path segments

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 1.5.8 (2024-09-11)
+
+* Also allow single path segments as symbols instead of array for
+  `authorize_param`'s `path` argument. Before, paths that were not arrays would
+  lead to the param authorization being ignored silently.
+
+  Internal reference: `#128987`.
+
 ## 1.5.7 (2024-08-22)
 
 * Fix compatibility issue with older versions of Rails introduced in version

lib/rails_ops/mixins/param_authorization.rb

@@ -29,6 +29,8 @@ module ClassMethods
     #   authorization backend. The block receives no arguments and is executed
     #   in context of the operation instance.
     def authorize_param(path, action = nil, *args, &block)
+      path = Array(path)
+
       # Validate parameters
       if block_given? && (action || args.any?)
         fail ArgumentError,

test/unit/rails_ops/mixins/param_authorization_test.rb

@@ -42,6 +42,41 @@ def perform
     end
   end
 
+  def test_without_array
+    @op = Class.new(RailsOps::Operation::Model::Load) do
+      schema3 do
+        int! :id
+        str? :foo
+        hsh? :bar do
+          str? :baz
+        end
+      end
+
+      model ::Group
+
+      authorize_param :foo, :foo, :subject_1
+      authorize_param :bar, :bar, :subject_1
+
+      def perform
+        # Do nothing
+      end
+    end
+
+    ctx = RailsOps::Context.new(ability: Ability.new)
+
+    assert_raises CanCan::AccessDenied do
+      @op.run!(ctx, id: 1, foo: 'bar')
+    end
+
+    assert_raises CanCan::AccessDenied do
+      @op.run!(ctx, id: 1, bar: {})
+    end
+
+    assert_raises CanCan::AccessDenied do
+      @op.run!(ctx, id: 1, bar: { baz: 'baz' })
+    end
+  end
+
   def test_without_ability
     @op.run!(id: 1)
   end