Rails 4强相对的参数允许所有属性 [英] Rails 4 Strong Parameters opposite permit all attributes

问题描述

我正在使用具有强参数的rails 4，并试图找出如何设置强参数，不允许任何属性与参数。

我读了这个<一个href =http://stackoverflow.com/questions/14033908/rails-4-strong-parameters-permit-all-attributes> Rails 4强参数：允许所有属性？而且想做相反的。

  params.require（：user）.permit！ 
  

将允许所有属性，我该怎么做相反？

更新这是我的全部代码：

在 app / controllers / application_controller.rb

  class ApplicationController< ActionController :: Base 
＃通过引发异常来防止CSRF攻击。 
＃对于API，您可能需要使用：null_session。 
 protect_from_forgery with：：exception 
 before_filter：configure_permitted_pa​​rameters，如果：：devise_controller？ 
 
 protected 
 
 def configure_permitted_pa​​rameters 
 devise_parameter_sanitizer.for（：sign_up）{| u | u.permit（：username，：email，：password，：password_confirmation，：remember_me）} 
 devise_parameter_sanitizer.for（：sign_in）{| u | u.permit（：signin，：password，，remember_me）} 
 devise_parameter_sanitizer.for（：account_update）{| u | u.permit（：username，：email，：password，：password_confirmation，：current_password）} 
 devise_parameter_sanitizer.for（：sign_in）{| a | a.permit（：signin，：password，：remember_me）} 
 devise_parameter_sanitizer.for（：account_update）{| a | a.permit（：username，：email，：password，：password_confirmation，：current_password）} 
 end 
 end 
  

在 app / models / admin.rb

  class Admin < ActiveRecord :: Base 
＃包含默认设计模块。其他可用的是：
＃：confirmable，：lockable，：timeoutable and：omniauthable，，registerable 
 devise：database_authenticatable，：registerable，，recoverable，，rememberable，，trackable，，validatable 
 
 attr_accessor：signin 
 
 def self.find_first_by_auth_conditions（warden_conditions）
条件= warden_conditions.dup 
如果login = conditions.delete（：signin）
其中（条件）.where（[username =：value OR lower（email）= lower（：value），{：value => login}]）首先
 else 
其中（条件）。第一个
 end 
 end 
 
 validates：username，presence：true，length：{maximum：255}，唯一性：{case_sensitive：false}，格式：{with： \\ A [a-zA-Z0-9] * \z /，消息：只能包含字母和数字。 } 
 end 
  

users.rb模型与admin.rb模型相同。这导致两个不同的注册/登录链接 - 每个模型1。此外，我需要离开：可注册模块，以便我可以覆盖默认设计的可注册模块。但是，我在浏览器中键入时修改了视图以不显示管理页面。 ---我只需要通过命令行阻止它。

我也发布了类似于以前的问题：

Rails 4设计强大的参数管理模型

解决方案

默认行为与.permit相反。如果你没有在params参数中提到一个属性，就像拒绝用户访问这些属性一样。

I am using rails 4 with strong parameters and trying to figure out how to set the strong parameters to not allow any attribute with the parameter.

I read this Rails 4 Strong parameters : permit all attributes? And would like to do the opposite of that.

params.require(:user).permit!

would permit all attributes, how could I do the opposite?

UPDATE THIS IS MY FULL CODE:

in app/controllers/application_controller.rb

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
      devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:username, :email, :password, :password_confirmation, :remember_me) }
      devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:signin, :password, :remember_me) }
      devise_parameter_sanitizer.for(:account_update) {|u| u.permit(:username, :email, :password, :password_confirmation, :current_password)}
      devise_parameter_sanitizer.for(:sign_in) { |a| a.permit(:signin, :password, :remember_me) }
      devise_parameter_sanitizer.for(:account_update) {|a| a.permit(:username, :email, :password, :password_confirmation, :current_password)}
  end
end

in app/models/admin.rb

    class Admin < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable, :registerable
  devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable

  attr_accessor :signin

  def self.find_first_by_auth_conditions(warden_conditions)
      conditions = warden_conditions.dup
      if login = conditions.delete(:signin)
        where(conditions).where(["username = :value OR lower(email) = lower(:value)", { :value => login }]).first
      else
        where(conditions).first
      end
    end

  validates :username, presence: true, length: {maximum: 255}, uniqueness: { case_sensitive: false }, format: { with: /\A[a-zA-Z0-9]*\z/, message: "may only contain letters and numbers." }
end

The users.rb model is the same as the admin.rb model. This leads to two different sign up/sign in links- 1 for each model. Also I need to leave the :registerable module so that I can override the default devise's registerable module. However I modified the views to not show the admin page when typed in a browser. --- I only need to block it via command line now.

I also have posted a previous question similar to this:

Rails 4 Devise Strong Parameters Admin Model

解决方案

The default behavior is the opposite of .permit. If you don't mention an attribute in your params arguments, it is like denying the user access to do anything with those attributes.

这篇关于Rails 4强相对的参数允许所有属性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！