7su*_*ami 5 authentication ruby-on-rails devise strong-parameters ruby-on-rails-4
我是Ruby on Rails环境的新手,也是我能够解决的大多数问题,但我还没有找到解决这个问题的方法.
提供上下文:
我的问题
当我使用Devise的注册签署新用户时.:name字段未添加到数据库中.请参阅服务器输出
用户模型(app/models/user.rb)
:name包含在attr_accessible中.
class User < ActiveRecord::Base
rolify
# Include default devise modules. Others available are:
# :token_authenticatable, :confirmable,
# :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
# Setup accessible (or protected) attributes for your model
attr_accessible :role_ids, :as => :admin
attr_accessible :name, :email, :password, :password_confirmation, :remember_me
end
用户控制器(app/controllers/users_controller.rb).
为了与Rails 4保持一致,我添加了params白名单,但这并没有解决问题.
class UsersController < ApplicationController
before_filter :authenticate_user!
def index
authorize! :index, @user, :message => 'Not authorized as an administrator.'
@users = User.all
end
def show
@user = User.find(params[:id])
end
def update
authorize! :update, @user, :message => 'Not authorized as an administrator.'
@user = User.find(params[:id])
if @user.update_attributes(params[:user], :as => :admin)
redirect_to users_path, :notice => "User updated."
else
redirect_to users_path, :alert => "Unable to update user."
end
end
def destroy
authorize! :destroy, @user, :message => 'Not authorized as an administrator.'
user = User.find(params[:id])
unless user == current_user
user.destroy
redirect_to users_path, :notice => "User deleted."
else
redirect_to users_path, :notice => "Can't delete yourself."
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_user
@user = User.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def user_params
params.require(:user).permit(:name, :email, :password, :password_confirmation, :remember_me)
end
end
Devise的新注册视图(app/views/devise/registrations/new.html.erb)
<h2>Sign up</h2>
<%= simple_form_for(resource, :as => resource_name, :url => registration_path(resource_name), :html => {:class => 'form-vertical' }) do |f| %>
<%= f.error_notification %>
<%= display_base_errors resource %>
<%= f.input :name, :autofocus => true %>
<%= f.input :email, :required => true %>
<%= f.input :password, :required => true %>
<%= f.input :password_confirmation, :required => true %>
<%= f.button :submit, 'Sign up', :class => 'btn-primary' %>
<% end %>
<%= render "devise/shared/links" %>
应用程序控制器(app/controllers/application_controller.rb)
我遵循了关于强参数的说明,并且包括了Devise的懒人方法
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
before_filter :configure_permitted_parameters, if: :devise_controller?
rescue_from CanCan::AccessDenied do |exception|
redirect_to root_path, :alert => exception.message
end
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:name, :email) }
end
end
创建新用户时的服务器输出.
Started POST "/users" for 127.0.0.1 at 2013-07-16 15:31:20 +1000
Processing by Devise::RegistrationsController#create as HTML
Parameters: {"utf8"=>"?", "authenticity_token"=>"TYp9xOgtdKJI62rUddU7EE1C7FDF5qnmWgGENluzaWk=", "user"=>{"name"=>"John Smith", "email"=>"john.smith@example.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "commit"=>"Sign up"}
Unpermitted parameters: name
(0.1ms) begin transaction
User Exists (0.1ms) SELECT 1 AS one FROM "users" WHERE "users"."email" = 'john.smith@example.com' LIMIT 1
Binary data inserted for `string` type on column `encrypted_password`
SQL (0.3ms) INSERT INTO "users" ("created_at", "email", "encrypted_password", "updated_at") VALUES (?, ?, ?, ?) [["created_at", Tue, 16 Jul 2013 05:31:20 UTC +00:00], ["email", "john.smith@example.com"], ["encrypted_password", "$2a$10$kMfZLiBm6md0zoWXd0esjO/IRHBC72444ABDKcXVhPa6mCco9pIJu"], ["updated_at", Tue, 16 Jul 2013 05:31:20 UTC +00:00]]
(17.0ms) commit transaction
(0.1ms) begin transaction
Binary data inserted for `string` type on column `last_sign_in_ip`
Binary data inserted for `string` type on column `current_sign_in_ip`
SQL (0.4ms) UPDATE "users" SET "last_sign_in_at" = ?, "current_sign_in_at" = ?, "last_sign_in_ip" = ?, "current_sign_in_ip" = ?, "sign_in_count" = ?, "updated_at" = ? WHERE "users"."id" = 3 [["last_sign_in_at", Tue, 16 Jul 2013 05:31:20 UTC +00:00], ["current_sign_in_at", Tue, 16 Jul 2013 05:31:20 UTC +00:00], ["last_sign_in_ip", "127.0.0.1"], ["current_sign_in_ip", "127.0.0.1"], ["sign_in_count", 1], ["updated_at", Tue, 16 Jul 2013 05:31:20 UTC +00:00]]
(1.1ms) commit transaction
Redirected to http://0.0.0.0:3000/
Completed 302 Found in 94ms (ActiveRecord: 19.0ms)
我的结论
毕竟我认为问题在于Devise的 registration_controller,但是我不确定如何访问控制器并纠正这个问题,或者这是问题的真正原因.我希望这很简单,我只是忽略了它.
如果有人遇到这个问题或者可以对情况有所了解,那将非常感激.
干杯.
Ars*_*n T 10
Rails 4使用强参数.
您必须允许您希望通过控制器传递的参数进行建模.换句话说,现在不允许通过参数直接关联到模型中的属性,您必须指定是否有任何参数值通过控制器传递给模型.
您可以在此博客上找到一些帮助:http: //edgeapi.rubyonrails.org/classes/ActionController/StrongParameters.html
或者好像我们考虑你的问题,你可以覆盖SessionsController进行设计或使用
devise_parameter_sanitizer(:sign_up)
更多帮助可以在这里找到:https://github.com/plataformatec/devise#strong-parameters
添加
before_action :configure_permitted_parameters, if: :devise_controller?
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:name, :email) }
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name, :email, :password, :password_confirmation) }
devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:name, :email, :password, :password_confirmation, :current_password) }
end
我的application_controller为我工作
UPDATE
before_action :configure_permitted_parameters, if: :devise_controller?
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_in, keys: [:name, :email])
devise_parameter_sanitizer.permit(:sign_up, keys: [:name, :email, :password, :password_confirmation])
devise_parameter_sanitizer.permit(:account_update, keys: [:name, :email, :password, :password_confirmation, :current_password])
end
看起来设计更新了他们的文档,他们希望它像上面那样设置.