问题
After upgrading Rails 4.1.4 to 4.1.5 i get errors with my facebook omniauth session everything was working fine since then.
When i create a User Session i get an ActiveModel::ForbiddenAttributesError
Route:
match 'auth/:provider/callback', to: 'sessions#create', as: 'signin', via: :get
Session#create controller:
def create
user = User.from_omniauth(env["omniauth.auth"])
session[:user_id] = user.id
session[:user_name] = user.name
redirect_to root_path
end
and a user model like this:
def self.from_omniauth(auth)
where(auth.slice(:provider, :uid)).first_or_create.tap do |user|
user.provider ||= auth.provider
user.uid = auth.uid
user.name = auth.info.name
user.save
end
end
I can bypass the ActiveModel error by adding a permit! method in my User Model like that:
where(auth.slice(:provider, :uid).permit!).first_or_create.tap do |user|
But it override the first user from the database...
The session[:user_id]
seems to always be the first User from the database.
I don't know if it's a strong parameters problem, an Omniauth problem or both?
回答1:
Replace you current finder:
def self.from_omniauth(auth)
where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
user.provider = auth.provider
user.uid = auth.uid
user.name = auth.info.name
user.save
end
end
回答2:
I created a detailed writeup of what is happening here:
Rails 4.1.5 Security Fix Breaks Model.where(attributes)
Snippet:
YIKES! Rails 4.1.5 requires you to use safe params for any param to where that is_a? Hash For example, if you were doing a Model.where using slice to take some keys out of some object that derives from Hash, then your code will throw this error when you migrate from Rails 4.1.4 to Rails 4.1.5:
An ActiveModel::ForbiddenAttributesError occurred in omniauth_callbacks#facebook: ActiveModel::ForbiddenAttributesError
回答3:
My solution is like this.
# extend the object and add method
auth_hash_extended = auth.slice(:provider, :uid)
def auth_hash_extended.permitted?()
true
end
where( auth_hash_extended ).first_or_create do |user|
user.provider = auth.provider
#blablabla
end
If you have difficulty in separating hash into key-value sets, you may use this way.
来源:https://stackoverflow.com/questions/25399414/rails-4-1-5-omniauth-strong-parameters