当前位置:theitroad>Ruby-on-rails Rails 无法将不允许的参数转换为哈希

Ruby-on-rails Rails 无法将不允许的参数转换为哈希

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/46029084/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-09-03 09:00:44  来源:igfitidea点击:

Rails Unable to convert unpermitted parameters to hash

ruby-on-railsrubysortingparameterssearch-form

提问by Saurav Prakash

I am trying to implement a simple search and sort for my webapp. I am following the railscastand this railscast.

我正在尝试为我的 webapp 实现一个简单的搜索和排序。我正在关注railscast和这个railscast

My application helper for sortable function which I am using as link is:

我用作链接的可排序功能的应用程序助手是:

def sortable(column, title = nil)
      title ||= column.titleize
      css_class = column == sort_column ? "current #{sort_direction}" : nil
      direction = column == sort_column && sort_direction == "asc" ? "desc" : "asc"
      link_to title, params.merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}
    end

I am using these in the view. In the controller I am using white listing as:

我在视图中使用这些。在控制器中,我使用白名单作为:

 @listingssearch.where(:vehicletype => 'Car').order(sort_column + " " + sort_direction).paginate(:page => params[:page], :per_page => 30)

Private Methods for sanitization:

用于消毒的私有方法:

 private
     def sort_column
          Listing.column_names.include?(params) ? params[:sort] : "rateperhour"
        end

        def sort_direction
          %w[asc desc].include?(params[:direction]) ? params[:direction] : "asc"
        end

I tried using merge in the private method:

我尝试在私有方法中使用合并:

(Listing.column_names + params) but its not working

For the helper methods I am getting an error when I am trying to provide search paramsto the sorting link: unable to convert unpermitted parameters to hash

对于辅助方法,当我尝试向排序链接提供搜索参数时出现错误:无法将不允许的参数转换为哈希

It shows the error is for merge

它显示错误是为了合并

link_to title, params.merge(:sort => column, :direction => direction, :page => nil), {:class => css_class}

The otherway around works fine:

反过来工作正常:

<%= bootstrap_form_for listings_path, :method => 'get' do %>

        <%= hidden_field_tag :direction, :value => params[:direction] %>
        <%= hidden_field_tag :sort,:value => params[:sort] %>



        <div class= "col-sm-12 col-lg-12 col-md-12" style = "margin: auto;">
            <h6 style = "color:#7C064D;"><strong> PICK A DATE  <span class="glyphicon glyphicon-calendar"></span></strong>
            <%= date_field_tag :startdate, params[:startdate], placeholder: 'DATE' %>           
            </h6>
        </div>  

        <div class= "col-sm-12 col-lg-12 col-md-12" style = "margin: auto;">    
        <p>     
            <%= text_field_tag :near, params[:near], placeholder: ' Destination' %>
            <%= text_field_tag :radius, params[:radius], placeholder: ' Search Radius' %>
        </p>
        </div>      
        <div class= "col-sm-12 col-lg-12 col-md-12" style = "margin: auto;">    
        <p>     
            <%= text_field_tag :min, params[:min], placeholder: ' Minimum Rate Per Hour' %>
            <%= text_field_tag :max, params[:max], placeholder: ' Maximum Rate Per Hour' %>
        </p>
        </div>

        <div class= "col-sm-12 col-lg-12 col-md-12" style = "margin-top: 10px;">        
            <%= submit_tag "Search", class: "btn btn-info", style: "width: 40%; background-color: #E20049; border: #e20049;" %>
            <%= link_to 'View All', root_path, class: "btn btn-info", style: "width: 40%; background-color: #E20049; border: #e20049;" %>
        </div>

        <!-- <div class= "col-sm-6 col-lg-6 col-md-6" style = "margin-top: 10px;">      

        </div> -->


    <% end %>

My question is How to persist search params in sort helper methods in rails 5? What I am doing wrong?

我的问题是如何在 rails 5 中的排序辅助方法中保留搜索参数?我做错了什么?

回答by Max

In Rails 5, ActionController::Parametersno longer inherits from Hash, in an attempt to discourage people from using Hash-related methods on the request parameters without explicitly filtering them.

在 Rails 5 中,ActionController::Parameters不再继承 from Hash,试图阻止人们Hash在没有明确过滤的情况下对请求参数使用-related 方法。

As part of this pull request, which was backported into Rails 5.1 and partially into Rails 5.0, an exception is raised if you try to call to_hon the parameters object without calling permit.

作为此拉取请求的一部分,该请求已向后移植到 Rails 5.1 并部分移植到 Rails 5.0,如果您尝试调用to_h参数对象而不调用permit.

Calling mergeon the original paramsobject (params.merge(:sort => column, :direction => direction, :page => nil)) returns a new ActionController::Parametersobject with the same permittedstatus (that is, permithas not been called on it). The link_tomethod then ends up calling to_hon that object, which raises the exception.

调用merge原始params对象 ( params.merge(:sort => column, :direction => direction, :page => nil)) 会返回一个ActionController::Parameters具有相同permitted状态的新对象(即permit尚未对其进行调用)。link_to然后该方法最终调用to_h该对象,从而引发异常。

If you know which parameters should be allowed in the link, you can call permitwith those listed.

如果您知道链接中应该允许哪些参数,您可以permit使用列出的参数进行调用。

params.permit(:param_1, :param_2).merge(:sort => column, :direction => direction, :page => nil)
# OR
params.merge(:sort => column, :direction => direction, :page => nil).permit(:param_1, :param_2, :sort, :direction, :page)

If you don't know which parameters could be included in the link, then it's possible to call request.parameters.merge(...)(as mentioned in this answer) or params.to_unsafe_h.merge(...). However, as pointed out in comments, this is a security risk when the result is passed to link_to, as a parameter like hostwould be interpreted as the actual host for the link instead of a query parameter. There are several other keys that also have special meaning in link_to(everything accepted by url_for, plus :method), so it's generally a risky approach.

如果您不知道链接中可以包含哪些参数,则可以调用request.parameters.merge(...)(如本答案中所述)或params.to_unsafe_h.merge(...). 但是,正如评论中指出的那样,当结果传递给 时,这是一个安全风险link_to,因为像host这样的参数将被解释为链接的实际主机而不是查询参数。还有其他几个键也具有特殊含义link_tourl_for, plus接受的所有内容:method),因此这通常是一种冒险的方法。

回答by Ghazi

You can use this hack:

你可以使用这个黑客:

params.to_enum.to_h

I think rails developers will restrict it when they know it's the way to use unpermitted parameters. :)

我认为 Rails 开发人员知道这是使用未经允许的参数的方式时会限制它。:)

回答by widjajayd

you can try to use request.parameters.merge, below is sample for your code above

您可以尝试使用 request.parameters.merge,下面是上面代码的示例

<%= link_to title, listings_path(request.parameters.merge({:sort => "column", :direction => "direction", :page => nil})), :class => "form-control css_class" %>

回答by Mike Langston

I believe if you pass column to permit it should get you working again!

我相信如果您通过专栏许可它应该让您再次工作!

def sortable(column, title = nil)
    title ||= column.titleize
    css_class = column == sort_column ? "current #{sort_direction}" : nil
    direction = column == sort_column && sort_direction == "asc" ? "desc" : "asc"
    link_to title, params.permit(column).merge(sort: column, direction: direction, page: nil), { class: css_class }
end

回答by FutoRicky

You can also overwrite by doing params.permit!This may have security risks though, so be careful using this.

您也可以通过这样做来覆盖params.permit!这虽然可能存在安全风险,因此请小心使用它。

相关推荐

Ruby-on-rails 以简单形式向文本输入添加默认值

Ruby-on-rails 以简单形式向文本输入添加默认值

Ruby-on-rails “无法在任何来源中找到 *gem*”错误是否有修复,不涉及删除 Gemfile.lock?

Ruby-on-rails “无法在任何来源中找到 *gem*”错误是否有修复,不涉及删除 Gemfile.lock?

Ruby-on-rails 是否有 Rails 列类型的文档?

Ruby-on-rails 是否有 Rails 列类型的文档?

Ruby,检查日期是否是周末?

Ruby,检查日期是否是周末?

相关推荐
最近更新
标签