Rails: Unable to convert unpermitted parameters to hash


Problem description


I am trying to implement a simple search and sort for my webapp. I am following the railscast and this railscast.

My application helper for sortable function which I am using as link is:

def sortable(column, title = nil)
  title ||= column.titleize
  css_class = column == sort_column ? "current #{sort_direction}" : nil
  direction = column == sort_column && sort_direction == "asc" ? "desc" : "asc"
  link_to title, params.merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}
end

I am using these in the view. In the controller I am using white listing as:

 @listingssearch.where(:vehicletype => 'Car').order(sort_column + " " + sort_direction).paginate(:page => params[:page], :per_page => 30)

Private Methods for sanitization:

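private

# Only a real Listing column name may reach order(); anything else falls back to the default.
def sort_column
  Listing.column_names.include?(params[:sort]) ? params[:sort] : "rateperhour"
end

def sort_direction
  %w[asc desc].include?(params[:direction]) ? params[:direction] : "asc"
end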

I tried using merge in the private method:

(Listing.column_names + params) but it's not working

For the helper methods I am getting an error when I am trying to provide search params to the sorting link: unable to convert unpermitted parameters to hash

It shows the error is for merge

link_to title, params.merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}

The other way around works fine:

<%= bootstrap_form_for listings_path, :method => 'get' do %>

        <%= hidden_field_tag :direction, :value => params[:direction] %>
        <%= hidden_field_tag :sort,:value => params[:sort] %>



        <div class= "col-sm-12 col-lg-12 col-md-12" style = "margin: auto;">
            <h6 style = "color:#7C064D;"><strong> PICK A DATE  <span class="glyphicon glyphicon-calendar"></span></strong>
            <%= date_field_tag :startdate, params[:startdate], placeholder: 'DATE' %>           
            </h6>
        </div>  

        <div class= "col-sm-12 col-lg-12 col-md-12" style = "margin: auto;">    
        <p>     
            <%= text_field_tag :near, params[:near], placeholder: ' Destination' %>
            <%= text_field_tag :radius, params[:radius], placeholder: ' Search Radius' %>
        </p>
        </div>      
        <div class= "col-sm-12 col-lg-12 col-md-12" style = "margin: auto;">    
        <p>     
            <%= text_field_tag :min, params[:min], placeholder: ' Minimum Rate Per Hour' %>
            <%= text_field_tag :max, params[:max], placeholder: ' Maximum Rate Per Hour' %>
        </p>
        </div>

        <div class= "col-sm-12 col-lg-12 col-md-12" style = "margin-top: 10px;">        
            <%= submit_tag "Search", class: "btn btn-info", style: "width: 40%; background-color: #E20049; border: #e20049;" %>
            <%= link_to 'View All', root_path, class: "btn btn-info", style: "width: 40%; background-color: #E20049; border: #e20049;" %>
        </div>

        <!-- <div class= "col-sm-6 col-lg-6 col-md-6" style = "margin-top: 10px;">      

        </div> -->


    <% end %>

My question is: how do I persist search params in sort helper methods in Rails 5? What am I doing wrong?

Solution

In Rails 5, ActionController::Parameters no longer inherits from Hash, in an attempt to discourage people from using Hash-related methods on the request parameters without explicitly filtering them.

As part of this pull request, which was backported into Rails 5.1 and partially into Rails 5.0, an exception is raised if you try to call to_h on the parameters object without calling permit.

Calling merge on the original params object (params.merge(:sort => column, :direction => direction, :page => nil)) returns a new ActionController::Parameters object with the same permitted status (that is, permit has not been called on it). The link_to method then ends up calling to_h on that object, which raises the exception.

If you know which parameters should be allowed in the link, you can call permit with those listed.

params.permit(:param_1, :param_2).merge(:sort => column, :direction => direction, :page => nil)
# OR
params.merge(:sort => column, :direction => direction, :page => nil).permit(:param_1, :param_2, :sort, :direction, :page)

If you don't know which parameters could be included in the link, then it's possible to call request.parameters.merge(...) (as mentioned in this answer) or params.to_unsafe_h.merge(...). However, as pointed out in comments, this is a security risk when the result is passed to link_to, as a parameter like host would be interpreted as the actual host for the link instead of a query parameter. There are several other keys that also have special meaning in link_to (everything accepted by url_for, plus :method), so it's generally a risky approach.
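
An added example, not part of the original answer: a plain-Ruby model of the permit-then-merge approach, using the search fields from the form above, showing that keys such as host never reach the link. SORTABLE_COLUMNS is an assumed stand-in for Listing.column_names, and the helper names and sample request are constructed for illustration.

```ruby
require "uri"

# Search fields taken from the form on this page; every other key is dropped.
SEARCH_KEYS = %w[startdate near radius min max].freeze
# Assumed stand-in for Listing.column_names (constructed for this example).
SORTABLE_COLUMNS = %w[rateperhour vehicletype].freeze

# Models params.permit(*SEARCH_KEYS).merge(sort: ..., direction: ..., page: nil):
# only allowlisted keys with scalar (String) values survive, so url_for option
# names such as "host", "protocol" or "only_path" cannot reach link_to.
def sort_link_params(raw_params, column, current_sort, current_direction)
  kept = raw_params
         .select { |k, v| SEARCH_KEYS.include?(k.to_s) && v.is_a?(String) }
         .transform_keys(&:to_s)
  # The column is checked against the allowlist before it is echoed into a link.
  sort = SORTABLE_COLUMNS.include?(column) ? column : "rateperhour"
  flip = sort == current_sort && current_direction == "asc"
  # "page" is not carried over, which resets pagination like :page => nil.
  kept.merge("sort" => sort, "direction" => flip ? "desc" : "asc")
end

# Builds the href by hand so the result is visibly path + query string only.
def sort_link(path, raw_params, column, current_sort, current_direction)
  query = sort_link_params(raw_params, column, current_sort, current_direction)
  "#{path}?#{URI.encode_www_form(query)}"
end

# Constructed request: two legitimate search fields, a nested value, and keys
# that url_for would treat as URL options if the unfiltered hash were passed on.
SAMPLE_REQUEST = {
  "near" => "Pune", "min" => "10", "page" => "3",
  "host" => "attacker.example", "only_path" => "false",
  "radius" => { "nested" => "x" },
  "sort" => "rateperhour", "direction" => "asc"
}.freeze

puts sort_link("/listings", SAMPLE_REQUEST, "rateperhour", "rateperhour", "asc")
```

In a Rails helper the same allowlist would be written as params.permit(:startdate, :near, :radius, :min, :max).merge(...), which is the first form shown in the answer.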
