已经被困了好几天了。任何帮助都将非常感激。我有一个表单,它发送一个艺术家的名字给一个创建控制器。create控制器创建具有该名称的艺术家,为该艺术家分配用户,并创建艺术家布局。我想我已经为强参数宝石添加了正确的白名单,但是我得到了下面的错误。
错误:ActiveModel::ForbiddenAttributes in ArtistsController#create
ActiveModel::ForbiddenAttributes
Rails.root: /sites/music3
Application Trace | Framework Trace | Full Trace
Request
Parameters:
{"utf8"=>"✓",
"authenticity_token"=>"xxxxxxxxxxxxxxxxxxxxxx",
"artist"=>{"name"=>"kkkk"},
"commit"=>"Create Artist"}
Show session dump
Show env dump
Response
Headers:
控制器def create
@artist = Artist.new(artist_create_params)
#assigns User
@user = current_user
@artist.users << @user
@form = render_to_string('artists/_form',:layout => false)
#creates and assigns layout
@artist.profile_layout = ProfileLayout.new
respond_to do |format|
if @artist.update_attributes(artist_create_params)
format.html { redirect_to(edit_artist_path(@artist.url_slug)) }
format.xml { render :xml => @artist, :status => :created, :location => @artist }
else
format.html { render :action => "new" }
format.xml { render :xml => @artist.errors, :status => :unprocessable_entity }
end
end
end
def artist_create_params
#Using `strong_parameters` gem
params.required(:commit).permit!
params.required(:artist).permit!
end
我允许所有参数通过(参数!),因为我试图确定抛出错误的原因。然而,我想白名单特定参数一旦我弄清楚问题是什么。
强参数在其他地方也起作用。这只会给我制造麻烦。如有任何帮助,不胜感激
提前感谢。Ted。
更新:
初始化:
ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
改为
def artist_create_params
# NOTE: Using `strong_parameters` gem
params.require(:artist).permit(:name)
end
仍然高于错误。不显示发生错误的行。见下文
Started POST "/artists" for 127.0.0.1 at 2014-06-04 19:10:27 -0400
Processing by ArtistsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"xxxxxxxxxxxxx", "artist"=>{"name"=>"ffasdf"}, "commit"=>"Create Artist"}
Completed 500 Internal Server Error in 8ms
ActiveModel::ForbiddenAttributes (ActiveModel::ForbiddenAttributes):
strong_parameters (0.2.3) lib/active_model/forbidden_attributes_protection.rb:11:in `sanitize_for_mass_assignment'
activerecord (3.2.11) lib/active_record/attribute_assignment.rb:75:in `assign_attributes'
activerecord (3.2.11) lib/active_record/base.rb:497:in `initialize'
cancan (1.6.8) lib/cancan/controller_resource.rb:85:in `new'
cancan (1.6.8) lib/cancan/controller_resource.rb:85:in `build_resource'
cancan (1.6.8) lib/cancan/controller_resource.rb:66:in `load_resource_instance'
cancan (1.6.8) lib/cancan/controller_resource.rb:32:in `load_resource'
cancan (1.6.8) lib/cancan/controller_resource.rb:25:in `load_and_authorize_resource'
cancan (1.6.8) lib/cancan/controller_resource.rb:10:in `block in add_before_filter'
activesupport (3.2.11) lib/active_support/callbacks.rb:440:in `_run__3264816457187544022__process_action__2854128236876807797__callbacks'
activesupport (3.2.11) lib/active_support/callbacks.rb:405:in `__run_callback'
activesupport (3.2.11) lib/active_support/callbacks.rb:385:in `_run_process_action_callbacks'
activesupport (3.2.11) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (3.2.11) lib/abstract_controller/callbacks.rb:17:in `process_action'
actionpack (3.2.11) lib/action_controller/metal/rescue.rb:29:in `process_action'
actionpack (3.2.11) lib/action_controller/metal/instrumentation.rb:30:in `block in process_action'
activesupport (3.2.11) lib/active_support/notifications.rb:123:in `block in instrument'
activesupport (3.2.11) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
activesupport (3.2.11) lib/active_support/notifications.rb:123:in `instrument'
actionpack (3.2.11) lib/action_controller/metal/instrumentation.rb:29:in `process_action'
actionpack (3.2.11) lib/action_controller/metal/params_wrapper.rb:207:in `process_action'
activerecord (3.2.11) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
actionpack (3.2.11) lib/abstract_controller/base.rb:121:in `process'
actionpack (3.2.11) lib/abstract_controller/rendering.rb:45:in `process'
actionpack (3.2.11) lib/action_controller/metal.rb:203:in `dispatch'
actionpack (3.2.11) lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
actionpack (3.2.11) lib/action_controller/metal.rb:246:in `block in action'
actionpack (3.2.11) lib/action_dispatch/routing/route_set.rb:73:in `call'
actionpack (3.2.11) lib/action_dispatch/routing/route_set.rb:73:in `dispatch'
actionpack (3.2.11) lib/action_dispatch/routing/route_set.rb:36:in `call'
journey (1.0.4) lib/journey/router.rb:68:in `block in call'
journey (1.0.4) lib/journey/router.rb:56:in `each'
journey (1.0.4) lib/journey/router.rb:56:in `call'
actionpack (3.2.11) lib/action_dispatch/routing/route_set.rb:601:in `call'
warden (1.2.1) lib/warden/manager.rb:35:in `block in call'
warden (1.2.1) lib/warden/manager.rb:34:in `catch'
warden (1.2.1) lib/warden/manager.rb:34:in `call'
client_side_validations (3.2.5) lib/client_side_validations/middleware.rb:21:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
rack (1.4.3) lib/rack/etag.rb:23:in `call'
rack (1.4.3) lib/rack/conditionalget.rb:35:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/head.rb:14:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/params_parser.rb:21:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/flash.rb:242:in `call'
rack (1.4.3) lib/rack/session/abstract/id.rb:210:in `context'
rack (1.4.3) lib/rack/session/abstract/id.rb:205:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/cookies.rb:341:in `call'
activerecord (3.2.11) lib/active_record/query_cache.rb:64:in `call'
activerecord (3.2.11) lib/active_record/connection_adapters/abstract/connection_pool.rb:479:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
activesupport (3.2.11) lib/active_support/callbacks.rb:405:in `_run__1232201288606729007__call__1474813276301895872__callbacks'
activesupport (3.2.11) lib/active_support/callbacks.rb:405:in `__run_callback'
activesupport (3.2.11) lib/active_support/callbacks.rb:385:in `_run_call_callbacks'
activesupport (3.2.11) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (3.2.11) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/reloader.rb:65:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
railties (3.2.11) lib/rails/rack/logger.rb:32:in `call_app'
railties (3.2.11) lib/rails/rack/logger.rb:18:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/request_id.rb:22:in `call'
rack (1.4.3) lib/rack/methodoverride.rb:21:in `call'
rack (1.4.3) lib/rack/runtime.rb:17:in `call'
activesupport (3.2.11) lib/active_support/cache/strategy/local_cache.rb:72:in `call'
rack (1.4.3) lib/rack/lock.rb:15:in `call'
actionpack (3.2.11) lib/action_dispatch/middleware/static.rb:62:in `call'
railties (3.2.11) lib/rails/engine.rb:479:in `call'
railties (3.2.11) lib/rails/application.rb:223:in `call'
rack (1.4.3) lib/rack/content_length.rb:14:in `call'
railties (3.2.11) lib/rails/rack/log_tailer.rb:17:in `call'
rack (1.4.3) lib/rack/handler/webrick.rb:59:in `service'
/Users/therealtedkennedy/.rvm/rubies/ruby-1.9.2-p320/lib/ruby/1.9.1/webrick/httpserver.rb:111:in `service'
/Users/therealtedkennedy/.rvm/rubies/ruby-1.9.2-p320/lib/ruby/1.9.1/webrick/httpserver.rb:70:in `run'
/Users/therealtedkennedy/.rvm/rubies/ruby-1.9.2-p320/lib/ruby/1.9.1/webrick/server.rb:183:in `block in start_thread'
根据堆栈跟踪,看起来触发错误的赋值来自cancan,而不是来自设置艺术家的名字。尝试暂时禁用使用cancan的before_filter,看看是否能解决问题。如果是这样,那么您需要重新启用它,深入研究cancan并弄清楚如何使它与strong_parameters很好地配合。我自己不使用它,但我认为Rails 4有一个名为cancancan的分支,它也可能与Rails 3.2和strong_parameters一起工作。
与您当前的问题无关,但您可能还应该考虑升级到Rails 3.2的最新版本。以获取他们发布的不同安全修复程序。
您不需要允许:commit
参数,因为您没有试图将它们大量分配给任何东西。只使用:
params.require(:artist).permit!
或者更好:
params.require(:artist).permit(:name)
也就是说,我很惊讶你会得到你说的错误,所以修复它并报告。
跳过cancan授权违背了使用cancan的目的。
我是这样做的:
切换到CanCanCan
根据CanCanCan文档:
这个repo是CanCan项目的延续。我们的使命是通过维护修复和新功能保持CanCan的活力和向前发展。
CanCanCan还支持开箱即用的强参数。
为create_params
或update_params
创建私有方法
根据文档,在控制器中创建私有方法来处理属性权限:
private
def create_params
params.require(:speaking_lesson).permit(:name, :description, exercises_attributes: [:text])
end
然后您可以访问新模型的实例,在您的create
方法中使用:
def create
# @speaking_lesson is automatically created by CanCanCan during load_and_authorize_resource
@speaking_lesson.user_id = current_user.id
... do other stuff ...
end