strong-parameters

Nested strong parameters in rails - AssociationTypeMismatch MYMODEL expected, got ActionController::Parameters()

好久不见. Posted on 2019-12-04 01:24:21
I'm rendering a model and its children Books in JSON like so:

    {"id":2,"complete":false,"private":false, "books" [{ "id":2,"name":"Some Book"},.....

I then come to update this model by passing the same JSON back to my controller and I get the following error:

    ActiveRecord::AssociationTypeMismatch (Book (#2245089560) expected, got ActionController::Parameters(#2153445460))

In my controller I'm using the following to update:

    @project.update_attributes!(project_params)

    private

    def project_params
      params.permit(:id, { books: [:id] } )
    end

No matter which attributes I whitelist in permit I can't

Strong parameters with nested hash

天大地大妈咪最大 Posted on 2019-12-03 18:01:17
I have the following params and cannot get the strong parameters to work. Here's my basic code, runnable in the Rails console for simplicity:

    json = {
      id: 1,
      answers_attributes: {
        c1: { id: "", content: "Hi" },
        c2: { id: "", content: "Ho" }
      }
    }
    params = ActionController::Parameters.new(json)

Everything I've read says the following should work, but it only gives me the id and an empty hash of answers_attributes:

    params.permit(:id, answers_attributes: [:id, :content])
    => { "id"=>1, "answers_attributes"=>{} }

If I instead manually list c1 and c2 (like below) it works, but this is really stupid

Rails 4 strong parameters without required parameters

£可爱£侵袭症+ Posted on 2019-12-03 15:14:00
Question: I'm using Rails 4 and I don't know what is the best way to use strong parameters without required parameters. So, that's what I did:

    def create
      device = Device.new(device_params)
      .................
    end

    private

    def device_params
      if params[:device]
        params.require(:device).permit(:notification_token)
      else
        {}
      end
    end

My device model does not validate presence of anything. I know I could do something like that too:

    device = Device.new
    device.notification_token = params[:device][:notification_token]

Dynamic hash field in Mongoid using strong parameters

邮差的信 Posted on 2019-12-03 15:10:23
So there doesn't appear to be any clean way to generically allow Hash field with strong parameters. This may of course be a strong parameters issue but I'm curious if there is a workaround. I have a model with some fields...

    field :name, type: String
    field :email, type: String
    field :other_stuff, type: Hash, default: {}

Now I could just permit everything:

    params.require(:registration).permit!

But that isn't really a great idea and what I'd like to do is something like...

    params.require(:registration).permit(:name, :email, { other_stuff: {} })

However this doesn't seem to be possible with

Why slicing the params hash poses a security issue on mass-assignment?

為{幸葍}努か Posted on 2019-12-03 10:26:41
The official way of preventing security risks with mass-assignment is using attr_accessible. However, some programmers feel this is not a job for the model (or at least not only for the model). The simplest way of doing it in a controller is slicing the params hash:

    @user = User.update_attributes(params[:user].slice(:name))

However the documentation states:

    Note that using Hash#except or Hash#slice in place of attr_accessible to sanitize attributes won’t provide sufficient protection.

Why is that? Why does a whitelist-slicing of params not provide enough protection? UPDATE: Rails 4.0 will

CanCan load_and_authorize_resource triggers Forbidden Attributes

你离开我真会死。 Posted on 2019-12-03 10:02:46
I have a standard RESTful controller that uses strong parameters.

    class UsersController < ApplicationController
      respond_to :html, :js

      def index
        @users = User.all
      end

      def show
        @user = User.find(params[:id])
      end

      def new
        @user = User.new
      end

      def edit
        @user = User.find(params[:id])
      end

      def create
        @user = User.new(safe_params)
        if @user.save
          redirect_to @user, notice: t('users.controller.create.success')
        else
          render :new
        end
      end

      def update
        @user = User.find(params[:id])
        if @user.update_attributes(safe_params)
          redirect_to @user, notice: t('users.controller.update.success')
        else
          render :edit
        end
      end

Rails 4 Strong Params has_many with JSON

柔情痞子 Posted on 2019-12-03 09:13:58
I'm attempting to pass json up on the client side and have rails take care of handling the object creation. Here are my models:

    class Order < ActiveRecord::Base
      has_many :order_items, :autosave => true
      belongs_to :menu_session
    end

    class OrderItem < ActiveRecord::Base
      belongs_to :order
      has_one :menu_item
    end

Controller

    class OrderController < ApplicationController
      #POST /order/create
      def create
        @order = Order.new(order_params)
        @order.save
      end

      private

      def order_params
        params.require(:order).permit(:comments, :menu_session_id, :order_items => [:menu_item_id])
      end
    end

The json data:

    {'order': {

Strong_parameters not working

我怕爱的太早我们不能终老 Posted on 2019-12-03 08:37:20
With Ruby 1.9.3, Rails 3.2.13, Strong_parameters 0.2.1: I have followed every indication in tutorials and railscasts, but I cannot get strong_parameters working. It should be something really simple, but I cannot see where the error is.

config/initializers/strong_parameters.rb:

    ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)

config/application.rb

    config.active_record.whitelist_attributes = false

app/models/product.rb

    class Product < ActiveRecord::Base
    end

app/controllers/products_controller.rb:

    class ExpedientesController < ApplicationController
      ...
      def create

Strong Parameters: How to permit parameters using conditions

懵懂的女人 Posted on 2019-12-03 08:28:34
I want to permit certain parameters depending on the current user's role. E.g: only permit the role attribute if the user is an administrator. Is this possible?

Yes, it's possible. You can do something like this:

    def user_params
      # List of common params
      list_params_allowed = [:email, :title, :last_name, :first_name, :phone]
      # Add the params only for admin
      list_params_allowed << :role if current_user.admin?
      params.require(:user).permit(list_params_allowed)
    end

This way, if later you have new params, you only have to add in one list (avoids error). If you have more than one param to add for the

Rails 4 + Devise Login with email or username and strong parameters

半世苍凉 Posted on 2019-12-03 07:32:44
Question: I'm new to RoR and stuck with this devise problem. I want to allow users to sign in with email OR username (registration with username is already ok). I followed these articles: Article 1 and Article 2 and you can see the result below:

application_controller.rb

    class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
      before_filter :configure_permitted_parameters, if: :devise_controller?

      protected

      def configure_permitted_parameters
        devise_parameter_sanitizer