strong-parameters

This video states that it is possible to protect the input coming in via the controller yet still be able to do mass assignment via models and specs. However, I have not seen this documented as a feature when using strong_parameters in 3.2.8. I understand that I need to mix in ActiveModel::ForbiddenAttributesProtection into my models and set config.active_record.whitelist_attributes = false in config/application.rb . I have also pulled all of my attr_accessible calls from the model. With or without the mixin I am getting mass assignment errors. ActiveModel::MassAssignmentSecurity::Error: Can't

In Rails 3, it was possible to insert an attribute into params like so: params[:post][:user_id] = current_user.id I'm attempting to do something similar in Rails 4, but having no luck: post_params[:user_id] = current_user.id . . . . private def post_params params.require(:post).permit(:user_id) end Rails is ignoring this insertion. It doesn't throw any errors, it just quietly fails. nullnullnull Found the answer here . Rather than inserting the attribute from within the controller action, you can insert it into the params definition with a merge. To expand upon my previous example: private def

I'm having trouble with carrierwave and rails 4 strong parameters. I have a very simple model with a carrier wave upload button. I'd like to show an error message if someone submits the upload form without choosing a file to upload. Right now, I get a param not found:photo error with this message: # Never trust parameters from the scary internet, only allow the white list through. def photo_params params.require(:photo).permit(:image) end This error is happening because Rails 4's strong parameters is requiring that the image parameter be present to submit the form, but it's not there because

With the recent upgrade to Rails 4, updating attributes using code resembling the below does not work, I get a ActiveModel::ForbiddenAttributes error: @user.update_attributes(params[:user], :as => :admin) Where User has the following attr_accessible line in the model: attr_accessible :role_ids, :as =>admin # or any attribute other than :role_ids contained within :user How do you accomplish the same task in Rails 4? Rails 4 now has features from the strong_parameters gem built in by default. One no longer has to make calls :as => :admin , nor do you need the attr_accessible :user_attribute, :as

After upgrading Rails 4.1.4 to 4.1.5 i get errors with my facebook omniauth session everything was working fine since then. When i create a User Session i get an ActiveModel::ForbiddenAttributesError Route: match 'auth/:provider/callback', to: 'sessions#create', as: 'signin', via: :get Session#create controller: def create user = User.from_omniauth(env["omniauth.auth"]) session[:user_id] = user.id session[:user_name] = user.name redirect_to root_path end and a user model like this: def self.from_omniauth(auth) where(auth.slice(:provider, :uid)).first_or_create.tap do |user| user.provider ||=

I'm having trouble getting a has_many :through association working with Rails 4's strong parameters. I have a model called Checkout and I need to select a person from the Employee model in the new checkout form. Checkouts and Employees are associated through an Employment model. I'm getting this error when I try to create a new checkout: NoMethodError in CheckoutsController#create undefined method `employee' for #<Checkout:0x007ff4f8d07f88> It seems that there's something wrong with either my create action, my checkout parameters or my new checkout form. Here's the create action: def create

I have an array field in my model and I'm attempting to update it. My strong parameter method is below def post_params params["post"]["categories"] = params["post"]["categories"].split(",") params.require(:post).permit(:name, :email, :categories) end My action in my controller is as follows def update post = Post.find(params[:id] if post and post.update_attributes(post_params) redirect_to root_url else redirect_to posts_url end end However, whenever I submit the update the post, in my development log I see Unpermitted parameters: categories The parameters passed through is Parameters: {"utf8"=

I'm building a web app with Rails 4 strong parameters. When building the admin back office controllers, I wonder what is the best way to permit all the model attributes? For now, I wrote this: def user_params params.require(:user).permit(User.fields.keys) end Do you think of a better way? You can call the bang version of permit. params.require(:user).permit! Strong Params README on Github Source code for reference: def permit! each_pair do |key, value| convert_hashes_to_parameters(key, value) self[key].permit! if self[key].respond_to? :permit! end @permitted = true self end Skull0inc's answer

I am using the rails 4.0 branch of devise along with ruby 2.0.0p0 and Rails 4.0.0.beta1. This is the kind of question where I am checking if I'm doing it the right way, or if there are other things I should be doing. I'm sure a lot of people moving to Rails 4.0 are facing the same problems (after googling for similar things). I have read the following links: Devise and Strong Parameters https://gist.github.com/kazpsp/3350730 https://github.com/plataformatec/devise/tree/rails4#strong-parameters Now using devise I created a User model, I created the following controller using the above gists