Updated massage-params to use params when form-params are not present.

src/adl_support/core.clj

@@ -70,28 +70,32 @@
 (defn raw-massage-params
   "Sending empty strings, or numbers as strings, to the database often isn't
   helpful. Massage these `params` and `form-params` to eliminate these problems.
-  We must take key field values out of just params, but we should take all other
+  We must take key field values out of just params, but if form-params are present
-  values out of form-params - because we need the key to load the form in
+  we should take all other values out of form-params - because we need the key to
-  the first place, but just accepting values of other params would allow spoofing."
+  load the form in the first place. `form-params` always override `params`"
   ([params form-params key-fields]
    (let
-         [ks (set (map keyword key-fields))]
+     [ks (set (map keyword key-fields))
-         (reduce
+      p (reduce
-           merge
-           ;; do the keyfields first, from params
-           (reduce
          merge
          {}
          (map
           #(massage-value % params)
           (filter
            #(ks (keyword %))
-                 (keys params))))
+           (keys params))))]
+     (if
+       (empty? form-params)
+       p
+       (reduce
+        merge
+        ;; do the keyfields first, from params
+        p
         ;; then merge in everything from form-params, potentially overriding what
         ;; we got from params.
         (map
          #(massage-value % form-params)
-             (keys form-params)))))
+         (keys form-params))))))
   ([request key-fields]
    (raw-massage-params (:params request) (:form-params request) key-fields))
   ([request]