1. 技术文章
  2. Elixir/Phoenix restrict params like Rails strong params

Elixir/Phoenix restrict params like Rails strong params

眉间皱痕 提交于 2019-12-31 02:23:06

问题


I am making an API only Phoenix app. I come from a Ruby on Rails background, so bear with me.

Say I have a User model with email, password, password_hash, and role fields.

I need to restrict the role and password_hash fields from user input, or whitelist the email and password fields. Right now anyone could POST this sign up as an admin:

{
    "user": {
        "email": "test3@test.com",
        "password": "testpw",
        "password_hash": "shouldn't allow user input",
        "role": "admin"
    }
}

This is typically accomplished in Rails using strong params, which will strip out fields that are not explicitly specified.

How do I do restrict/whitelist params with Phoenix using best practices?

This is my create method in my user_controller:

  def create(conn, %{"user" => user_params}) do
    changeset = User.registration_changeset(%User{}, user_params)
    ...
    ...
  end

And here is my schema and changesets in the model, user.ex. I'm following this tutorial, it says "we pipe the new changeset through our original one"

  schema "users" do
    field :email, :string
    field :password, :string, virtual: true
    field :password_hash, :string
    field :role, :string

    timestamps()
  end

  def changeset(model, params \\ :empty) do
    model
    |> cast(params, ~w(email), [])
    |> downcase_email()
    |> unique_constraint(:email)
    |> validate_format(:email, ~r/@/)
  end

  def registration_changeset(model, params) do
    model
    |> changeset(params)
    |> cast(params, ~w(password), [])
    |> validate_length(:password, min: 6)
    |> put_password_hash()
  end

Phoenix's scrub_params is close, but it doesn't sound like what I need.

I think I can accomplish this by pattern matching but I'm not sure how.


回答1:


Actually the code behaves as expected and does not save the role field. (I was reading the request in the console instead of actually checking the database.)




回答2:


I know this is late here but here is this approach:

defmodule MyApp.Utils do
  def strong_params(params, allowed_fields) when is_map(params) do
    allowed_strings = Enum.map(allowed_fields, &Atom.to_string(&1))

    Enum.reduce(params, [], fn {k, v}, acc ->
      key = check_key(k, allowed_strings)
      acc ++ [{key, v}]
    end)
    |> Enum.reject(fn {k, _v} -> k == nil end)
    |> Map.new()
  end

  defp check_key(k, allowed_strings) when is_atom(k) do
    str_key = Atom.to_string(k)

    if str_key in allowed_strings do
      k
    end
  end
  defp check_key(k, allowed_strings) when is_binary(k) do
    if k in allowed_strings do
      String.to_existing_atom(k)
    end
  end
  defp check_key(_, _), do: nil
end

Reference: https://medium.com/@alves.lcs/phoenix-strong-params-9db4bd9f56d8



来源:https://stackoverflow.com/questions/39938824/elixir-phoenix-restrict-params-like-rails-strong-params

标签
elixir
phoenix-framework
ecto
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!