ForbiddenAttributesError for polymorphic model in Rails 4
Problem description
Rails 4 ships with strong_parameters, which is a great addition - but I've run into a problem with it. I have a polymorphic model Comment and I cannot for the life of me get the controller to accept the parameters it needs. Here is my code (shortened for clarity):
Routes:
resources :articles do
  resources :comments
end
Models:
class Article < ActiveRecord::Base
  has_many :comments, :as => :commentable
end
class Comment < ActiveRecord::Base
  belongs_to :commentable, :polymorphic => true
end
Controller:
class CommentsController < ApplicationController
  before_action :get_commentable

  def create
    @comment = @commentable.comments.new(comment_params)
    if @comment.save
      redirect_to @commentable, :notice => "Thank you!"
    else
      render :new
    end
  end

  private

  def get_commentable
    resource, id = request.path.split("/")[1,2]
    @commentable = resource.singularize.classify.constantize.find(id)
    redirect_to :home unless defined?(@commentable)
  end

  def comment_params
    params.require(:comment).permit(:title, :message)
  end
end
Posted params (from form on articles#show):
{"authenticity_token"=>"v70nN8aFpofNw9vbVjhpsm9SwLOwKlOpNOEOTozUwCk=",
"comment"=>{"title"=>"Test","message"=>"Testing"},
"article_id"=>"1"}
Looks to me like it should work, yet whatever I try I get ActiveModel::ForbiddenAttributesError in CommentsController#create - even when I try
def comment_params
  params.permit!
end
in the controller. I have no such problems with my other (non-polymorphic) models, which is why I suspect it has something to do with the polymorphism. Any ideas?
Recommended answer
As the lack of answers seemed to indicate, I was barking up the wrong tree here. The issue lies not with strong_parameters but with the CanCan gem that I use for doing role and action based authorization. Apparently it's got to do with how CanCan assigns params to objects (CanCan takes over the default ActionController methods) - see the details in this bug report, specifically the reply from "rewritten". In short, putting this in my application controller solves the problem:
before_filter do
  resource = controller_name.singularize.to_sym
  method = "#{resource}_params"
  params[resource] &&= send(method) if respond_to?(method, true)
end
Update:
As pointed out by @scaryguy, if the method above is called from a controller that does not have an associated model it will fall over. The solution is simply to name the method and call it as a before_filter, while explicitly excluding it in those controllers which have no models (and hence would not benefit from CanCan's automatic ability assignment anyway). I reckon something like this:
before_filter :can_can_can

def can_can_can
  resource = controller_name.singularize.to_sym
  method = "#{resource}_params"
  params[resource] &&= send(method) if respond_to?(method, true)
end
And then in the model-less controller:
skip_before_filter :can_can_can
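A plain-Ruby simulation of the interaction the answer describes, added here as an example and not taken from the original post, Rails, or CanCan: Params, Comment, load_resource and outcome are hypothetical stand-ins, and the request body is constructed. It shows the record being built from the raw hash before `create` runs, and the answer's filter fixing that while still dropping a field outside the permit list, which `params.permit!` would have let through.

```ruby
class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters: unpermitted until filtered.
class Params < Hash
  attr_accessor :permitted
  def permit(*keys)
    Params[select { |k, _| keys.include?(k) }].tap { |out| out.permitted = true }
  end
end

# Stand-in for a model with mass-assignment protection.
class Comment
  attr_reader :attributes
  def initialize(attrs)
    raise ForbiddenAttributesError unless attrs.permitted
    @attributes = attrs.to_h
  end
end

# Stand-in controller (simulation only, not Rails or CanCan code).
class CommentsController
  attr_reader :params
  def initialize(raw)
    @params = { comment: Params[raw] }
  end

  # Mimics CanCan building the record from params[:comment] before `create`.
  def load_resource
    Comment.new(params[:comment])
  end

  # The answer's filter: replace the raw hash with the permitted one.
  def can_can_can(resource = :comment)
    method = "#{resource}_params"
    params[resource] &&= send(method) if respond_to?(method, true)
  end
  private
  def comment_params
    params[:comment].permit(:title, :message)
  end
end

# Constructed request body; :admin is a field the form never offered.
RAW = { title: "Test", message: "Testing", admin: true }

def outcome(with_filter)
  controller = CommentsController.new(RAW)
  controller.can_can_can if with_filter
  controller.load_resource.attributes
rescue ForbiddenAttributesError
  :forbidden
end
```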