Rails无法将不允许的参数转换为哈希 [英] Rails Unable to convert unpermitted parameters to hash
问题描述
我正在尝试为我的webapp实现简单的搜索和排序.我正在关注 railscast 和此
I am trying to implement a simple search and sort for my webapp. I am following the railscast and this railscast.
我用作链接的可排序函数的应用程序助手是:
My application helper for sortable function which I am using as link is:
def sortable(column, title = nil)
title ||= column.titleize
css_class = column == sort_column ? "current #{sort_direction}" : nil
direction = column == sort_column && sort_direction == "asc" ? "desc" : "asc"
link_to title, params.merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}
end
我在视图中使用这些.在控制器中,我将白名单用作:
I am using these in the view. In the controller I am using white listing as:
@listingssearch.where(:vehicletype => 'Car').order(sort_column + " " + sort_direction).paginate(:page => params[:page], :per_page => 30)
消毒的专用方法:
private
def sort_column
Listing.column_names.include?(params) ? params[:sort] : "rateperhour"
end
def sort_direction
%w[asc desc].include?(params[:direction]) ? params[:direction] : "asc"
end
我尝试在私有方法中使用合并:
I tried using merge in the private method:
(Listing.column_names + params) but its not working
对于辅助方法尝试向排序链接提供搜索参数时出现错误:无法将不允许的参数转换为哈希
For the helper methods I am getting an error when I am trying to provide search params to the sorting link: unable to convert unpermitted parameters to hash
它显示错误是由于合并
link_to title, params.merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}
反之也可以:
<%= bootstrap_form_for listings_path, :method => 'get' do %>
<%= hidden_field_tag :direction, :value => params[:direction] %>
<%= hidden_field_tag :sort,:value => params[:sort] %>
<div class= "col-sm-12 col-lg-12 col-md-12" style = "margin: auto;">
<h6 style = "color:#7C064D;"><strong> PICK A DATE <span class="glyphicon glyphicon-calendar"></span></strong>
<%= date_field_tag :startdate, params[:startdate], placeholder: 'DATE' %>
</h6>
</div>
<div class= "col-sm-12 col-lg-12 col-md-12" style = "margin: auto;">
<p>
<%= text_field_tag :near, params[:near], placeholder: ' Destination' %>
<%= text_field_tag :radius, params[:radius], placeholder: ' Search Radius' %>
</p>
</div>
<div class= "col-sm-12 col-lg-12 col-md-12" style = "margin: auto;">
<p>
<%= text_field_tag :min, params[:min], placeholder: ' Minimum Rate Per Hour' %>
<%= text_field_tag :max, params[:max], placeholder: ' Maximum Rate Per Hour' %>
</p>
</div>
<div class= "col-sm-12 col-lg-12 col-md-12" style = "margin-top: 10px;">
<%= submit_tag "Search", class: "btn btn-info", style: "width: 40%; background-color: #E20049; border: #e20049;" %>
<%= link_to 'View All', root_path, class: "btn btn-info", style: "width: 40%; background-color: #E20049; border: #e20049;" %>
</div>
<!-- <div class= "col-sm-6 col-lg-6 col-md-6" style = "margin-top: 10px;">
</div> -->
<% end %>
我的问题是如何在Rails 5中的搜索助手方法中持久保存搜索参数?我在做什么错了?
推荐答案
在Rails 5中,ActionController::Parameters
不再继承自Hash
,以阻止人们对请求参数使用与Hash
相关的方法而不明确过滤它们.
In Rails 5, ActionController::Parameters
no longer inherits from Hash
, in an attempt to discourage people from using Hash
-related methods on the request parameters without explicitly filtering them.
作为此拉取请求的一部分,该请求被反向移植到Rails 5.1中,并部分移植到Rails 5.1中在Rails 5.0中,如果尝试在参数对象上调用to_h
而不调用permit
,则会引发异常.
As part of this pull request, which was backported into Rails 5.1 and partially into Rails 5.0, an exception is raised if you try to call to_h
on the parameters object without calling permit
.
在原始params
对象(params.merge(:sort => column, :direction => direction, :page => nil)
)上调用merge
会返回具有相同permitted
状态(即尚未在其上调用permit
)的新ActionController::Parameters
对象.然后,link_to
方法最终对该对象调用to_h
,从而引发异常.
Calling merge
on the original params
object (params.merge(:sort => column, :direction => direction, :page => nil)
) returns a new ActionController::Parameters
object with the same permitted
status (that is, permit
has not been called on it). The link_to
method then ends up calling to_h
on that object, which raises the exception.
如果知道链接中应允许使用哪些参数,则可以使用列出的参数调用permit
.
If you know which parameters should be allowed in the link, you can call permit
with those listed.
params.permit(:param_1, :param_2).merge(:sort => column, :direction => direction, :page => nil)
# OR
params.merge(:sort => column, :direction => direction, :page => nil).permit(:param_1, :param_2, :sort, :direction, :page)
如果您不知道链接中可以包含哪些参数,则可以调用request.parameters.merge(...)
(如此答案)或params.to_unsafe_h.merge(...)
.但是,正如注释中指出的那样,当将结果传递给link_to
时,这会带来安全风险,因为像host
这样的参数将被解释为链接的实际主机,而不是查询参数. link_to
中还有其他几个键也具有特殊含义(url_for
接受的所有键,再加上:method
),因此通常这是一种冒险的方法.
If you don't know which parameters could be included in the link, then it's possible to call request.parameters.merge(...)
(as mentioned in this answer) or params.to_unsafe_h.merge(...)
. However, as pointed out in comments, this is a security risk when the result is passed to link_to
, as a parameter like host
would be interpreted as the actual host for the link instead of a query parameter. There are several other keys that also have special meaning in link_to
(everything accepted by url_for
, plus :method
), so it's generally a risky approach.
这篇关于Rails无法将不允许的参数转换为哈希的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!