Original URL: http://stackoverflow.com/questions/17450185/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Forbidden Attributes Error in Rails 4 when encountering a situation where one would have used attr_accessible in earlier versions of Rails
Asked by Ecnalyr
With the recent upgrade to Rails 4, updating attributes using code resembling the below does not work, I get an ActiveModel::ForbiddenAttributes error:
@user.update_attributes(params[:user], :as => :admin)
Where User has the following attr_accessible line in the model:
attr_accessible :role_ids, :as => :admin
# or any attribute other than :role_ids contained within :user
How do you accomplish the same task in Rails 4?
Accepted answer by Ecnalyr
Rails 4 now has features from the strong_parameters gem built in by default.
One no longer has to make calls :as => :admin, nor do you need the attr_accessible :user_attribute, :as => :admin in your model. The reason for this is that, by default, Rails apps now have 'security' for every attribute on models. You have to permit the attribute you want to access / modify.
All you need to do now is call permit during update_attributes:
@user.update_attributes(params[:user].permit(:user_attribute))
or, to be more precise:
@user.update_attributes(params[:user].permit(:role_ids))
This single line, however, allows any user to modify the permitted role. You have to remember to only allow access to this action by an administrator or any other desired role through another filter such as the following:
authorize! :update, @user, :message => 'Not authorized as an administrator.'
. . . which would work if you're using Devise and CanCan for authentication and authorization.
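The caveat above, as an added example that is not part of the original answer: one way to keep :role_ids off the allowlist unless the requester is an administrator. Params is a minimal stand-in for ActionController::Parameters (only require/permit, symbol keys) so the block runs without Rails; the current_user_admin flag and the sample request are constructed.

```ruby
class ParameterMissing < StandardError; end

# Stand-in for ActionController::Parameters (assumption: only the two
# calls used on this page are modelled, with plain symbol keys).
class Params
  def initialize(hash)
    @hash = hash
  end

  # Like params.require(:user): fail loudly when the key is absent or empty.
  def require(key)
    value = @hash[key]
    raise ParameterMissing, "param is missing: #{key}" if value.nil? || value.empty?
    Params.new(value)
  end

  # Like .permit(...): keep only allowlisted keys, silently drop the rest.
  def permit(*keys)
    @hash.select { |key, _| keys.include?(key) }
  end
end

# Hypothetical controller helper: the allowlist depends on who is asking,
# so :role_ids is only mass-assignable by an administrator.
def user_params(params, current_user_admin)
  allowed = [:username, :email]
  allowed << :role_ids if current_user_admin
  params.require(:user).permit(*allowed)
end

# Constructed request body: profile fields plus role_ids and an attribute
# that is on no allowlist at all.
REQUEST = {
  user: { username: "eve", email: "eve@example.test", role_ids: [1], admin: true }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "regular user: #{user_params(Params.new(REQUEST), false)}"
  puts "administrator: #{user_params(Params.new(REQUEST), true)}"
end
```

In a real controller the same helper would read the role from the authenticated session, and the authorize! check stays in place as the gate on the action itself.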
Answer by superluminary
If you create a new Rails 4 site you'll notice that generated controllers now include a private method which you use to receive your sanitised params. This is a nice idiom, and looks something like this:
private

def user_params
  params.require(:user).permit(:username, :email, :password)
end
The old way of allowing mass assignment was to use something like:
attr_accessible :username, :email, :password
on your model to mark certain parameters as accessible.
Upgrading
To upgrade you have several options. Your best solution would be to refactor your controllers with a params method. This might be more work than you have time for right now though.
Protected_attributes gem
The alternative would be to use the protected_attributes gem which reinstates the attr_accessible method. This makes for a slightly smoother upgrade path with one major caveat.
Major Caveat
In Rails 3 any model without an attr_accessible call allowed all attributes through.
In Rails 4 with the protected_attributes gem this behaviour is reversed. Any model without an attr_accessible call has all attributes restricted. You must now declare attr_accessible on all your models. This means, if you haven't been using attr_accessible, you'll need to add this to all your models, which may be as much work as just creating a params method.
Answer by Yavor Kirov
This problem might also be caused by the Cancan gem.
Just add to application_controller.rb:
before_filter do
  resource = controller_name.singularize.to_sym
  method = "#{resource}_params"
  params[resource] &&= send(method) if respond_to?(method, true)
end
Works without any further modifications of code. Got it from here: https://github.com/ryanb/cancan/issues/835#issuecomment-18663815
Answer by Haymaker87
Don't forget to add your new user_params method to the controller action:
def create
  @user = User.new(user_params)
  @user.save
  redirect_to 'wherever'
end
Answer by Maged Makled
def create
  @user = User.create(user_params)
  # ....
end

def update
  @user = User.find(params[:id])
  # Use the same allowlisting method as create (user_params is the one defined below)
  if @user.update_attributes(user_params)
    redirect_to home_path, notice: "Your profile has been successfully updated."
  else
    render action: "edit"
  end
end

private

def user_params
  params.require(:user).permit(:name, :age, :others)
end

