Rails 4 / Devise / MongoDB:“未准许的参数”使用自定义属性和强参数 [英] Rails 4/Devise/MongoDB: "Unpermitted parameters" using custom properties and strong parameters
问题描述
尝试将嵌套的自定义属性配置文件(Mongoid文档)添加到我的设计用户类中。当Devise注册表单提交时,它应该同时创建用户和相应的配置文件对象。
我希望最终结果在MongoDB中看起来像这样:
用户:
{
#设计字段:
email:my@email.com,
...
#自定义字段
profile:< object_id>
}
个人资料:
{
first_name:Dave,
....
}
不幸的是,当我提交注册时,我在我的控制台收到这个。它成功创建一个用户,但无法创建关联的个人资料。
在2013-04-04启动POST/为127.0.0.1 -20 23:37:10 -0400
用户处理::注册控制器#创建为HTML
参数:
{utf8=>✓,
authenticity_token =>awN2GU8EYEfisU0,
user=>
{profile_attributes=>
{first_name=>Dave,
birthday(2i)=>4,
birthday(3i)=>21 b $ bbirthday(1i)=>1933,
occup_title=>Software Developer},
password=>[FILTERED],
password_confirmation=>[FILTERED],
email=>my@email.com}}
未经许可的参数:profile_attributes
我有设置:
- Rails 4.0.0beta1,Ruby 2.0.0-p0
- Devise('rails4'branch),Mongoid(from git)
- 自定义Devise注册控制器添加强参数定义。
models / user.rb: strong>
class User
include Mongoid :: Document
devise:database_authenticatable,可注册,
:可恢复,可记忆,可跟踪,可验证,
:token_authenticatable,:con可固定,可锁定,可暂停
字段:电子邮件,类型:字符串,默认值:''
...
has_one:profile
accepted_nested_attributes_for:profile
end
models / profile.rb: / strong>
class Profile
include Mongoid :: Document
include Mongoid :: Timestamps
#属性
#----------
字段:slug,type:String,默认值:''#用作user-'friendlier'slug
字段:生日,类型:DateTime,默认值:DateTime.now
字段:first_name,type:String,默认值:''
字段:职业标题,类型:字符串,默认值:''
belongs_to:user
embeds_many:photos
has_one:occup_industry,:as => :行业
end
controllers / users / registrations_controller.rb
class Users :: RegistrationsController< Devise :: RegistrationsController
def resource_params
params.require(:user).permit(:email,:password,:password_confirmation,:profile_attributes)
end
private :resource_params
end
routes.rb
devise_for:users,
:path => '',
:path_names => {
:sign_in => 'login',
:sign_out => 'logout',
:sign_up => 'register'
},
:controllers => {
:registrations => 用户/注册,
:passwords => 用户/密码
}
我已经看过这些相关的帖子,他们没有似乎有帮助:
编辑:
看起来,Devise确实支持其rails4分支中的强参数(应该在几个部分中合并为主天。)查看代码,似乎您可以覆盖设计控制器上的每个操作的params函数。要创建新用户,请在我的示例中使用 sign_up_params
而不是 resource_params
。
尽管将此名称更改为正确的名称,但它仍然无法正常工作,只有使用此命令将所有参数列入白名单似乎有效:
def sign_up_params
params.require(:user).permit!
end
显然,这种打败强参数的目的...所以现在问题是如何允许我的嵌套属性 profile_attributes
(如我的原始问题所示)?
我有完全相同的问题,并覆盖 sign_up_params 为我工作
def sign_up_params
/ pre>
params.require(:user).permit(:email,:password,:password_confirmation,... other,...等)
end
当然,区别在于我的只是标量值,而你正在尝试大量分配关系...我猜这是你应该在哪里寻找。
顺便说一句,文档在本主题中仍然是不起眼的(太新),代码行建议覆盖devise_parameter_sanitizer ,这是吨必要的。
Trying to add a nested custom attribute, Profile (a Mongoid document), to my devise User class. When the Devise registration form is submitted, it should create both a User and a corresponding Profile object as well.
I'd like the end-result to look something like this in my MongoDB:
User:
{ # Devise fields: "email": "my@email.com", ... # Custom field "profile" : "<object_id>" }
Profile:
{ "first_name": "Dave", .... }
Unfortunately, I am receiving this in my console whenever I submit my registration. It successfully creates a User but fails to create an associated Profile.
Started POST "/" for 127.0.0.1 at 2013-04-20 23:37:10 -0400 Processing by Users::RegistrationsController#create as HTML Parameters: {"utf8"=>"✓", "authenticity_token"=>"awN2GU8EYEfisU0", "user"=> {"profile_attributes"=> {"first_name"=>"Dave", "birthday(2i)"=>"4", "birthday(3i)"=>"21", "birthday(1i)"=>"1933", "occupation_title"=>"Software Developer"}, "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "email"=>"my@email.com"}} Unpermitted parameters: profile_attributes
I have setup:
- Rails 4.0.0beta1, Ruby 2.0.0-p0
- Devise ('rails4' branch), Mongoid (from git)
- A custom Devise registrations controller to add a definition for strong parameters.
models/user.rb:
class User
include Mongoid::Document
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable,
:token_authenticatable, :confirmable, :lockable, :timeoutable
field :email, type: String, default: ''
...
has_one :profile
accepts_nested_attributes_for :profile
end
models/profile.rb:
class Profile
include Mongoid::Document
include Mongoid::Timestamps
# Attributes
# ----------
field :slug, type: String, default: '' # Acts as user-'friendlier' slug
field :birthday, type: DateTime, default: DateTime.now
field :first_name, type: String, default: ''
field :occupation_title, type: String, default: ''
belongs_to :user
embeds_many :photos
has_one :occupation_industry, :as => :industry
end
controllers/users/registrations_controller.rb
class Users::RegistrationsController < Devise::RegistrationsController
def resource_params
params.require(:user).permit(:email, :password, :password_confirmation, :profile_attributes)
end
private :resource_params
end
routes.rb
devise_for :users,
:path => '',
:path_names => {
:sign_in => 'login',
:sign_out => 'logout',
:sign_up => 'register'
},
:controllers => {
:registrations => "users/registrations",
:passwords => "users/passwords"
}
I have already looked at these related posts, they didn't seem to help:
EDIT:
Looks like Devise does actually support strong parameters in its 'rails4' branch (which is supposed to be merged into master in a few days.) Looking through the code, it appears you can override a params function for each action on devise controllers. For creating new users, its sign_up_params
instead of resource_params
in my example.
Despite changing this name to the proper one, it still didn't work... only whitelisting all parameters using this bang seemed to work:
def sign_up_params
params.require(:user).permit!
end
Obviously, this kind of defeats the purpose of strong parameters... so now the question is how do I permit my nested attributes profile_attributes
(as seen in my original question)?
I had the exact same issue and overriding sign_up_params did work for me
def sign_up_params
params.require(:user).permit(:email, :password, :password_confirmation, :other, :etc)
end
of course, the difference is in that mine are just scalar values, while you're trying to mass assign a relation... I guess that's where you should look for.
By the way, the documentations is still inexistint in this topic (too new), and code commnents suggest to override devise_parameter_sanitizer, which isn't necessary.
这篇关于Rails 4 / Devise / MongoDB:“未准许的参数”使用自定义属性和强参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!