
Comments (8)

victorpolko commented on May 9, 2024 8

Hello everyone!
I had the same issue and was helped by this link:
https://github.com/CanCanCommunity/cancancan/wiki/Strong-Parameters#by-model-name

All I had to change was the name of the mass assign method -- from plural to singular:
managers_params -> manager_params

from cancancan.

bryanrite commented on May 9, 2024 5

@runar You probably haven't defined a strong_parameters method... if you're using strong_parameters or Rails 4+, you have to sanitize your inputs. Check out: https://github.com/CanCanCommunity/cancancan/wiki/Strong-Parameters

runar commented on May 9, 2024 1

@bryanrite You’re right. Defining a create_params method solved the problem without the need to mess around with authorization. Now I just need to learn how the permit method really works. :)

Thank you!

davidbegin commented on May 9, 2024

Not sure if I am missing something you are trying to do, but your link to the comment page in posts/show.html.erb seems to be incorrect. Change it to:

<%= link_to 'Comment', new_comment_path(post_id: @post) %>

which will take you to the comments/new.html.erb

Now if you want it to associate with that post, you can put a hidden field that uses that post_id you just passed.

You might also want to consider nesting your comments in your posts. http://guides.rubyonrails.org/routing.html#nested-resources

bryanrite commented on May 9, 2024

@presidentJFK is right, you shouldn't have ForbiddenAttributes errors on new actions. Check out the wiki page on nested resources: https://github.com/CanCanCommunity/cancancan/wiki/Nested-Resources

You probably just need something like:

# Load and authorize the parent post, then the comment through it.
load_and_authorize_resource :post
load_and_authorize_resource :comment, through: :post, shallow: true

def new
end

This will associate the post properly automatically and enforce that the user can make a comment on the post. (i.e. what would happen if someone used ?post_id=1234 on a post that was hidden or draft?)

HGebhardt commented on May 9, 2024

Ok, maybe I missed the point or the example of @znz is not so good. But what should I do to create a pre-filled form like comments/new?comment%5Btext%5D=Hello
I get an ActiveModel::ForbiddenAttributesError exception (explanation for that in the first post of @znz). Is this a bug or a feature?

runar commented on May 9, 2024

I’ve got a rather complex controller so I don’t know if the problem I experienced is the same as your problem, but when I used load_and_authorize_resource in my controller, the create action resulted in an ActiveModel::ForbiddenAttributesError error for all users, authorized or not.

I solved it by loading and authorizing all actions except create:

load_and_authorize_resource except: :create

And then by authorizing the create action:

def create
  authorize! :create, @model
  # Some more code …
end

I have to admit I don’t know enough about how Devise, CanCanCan and all that works to tell if this is a bug or a «feature», but I thought I’d let you know how I solved the problem.

adampal commented on May 9, 2024

Thanks @victorpolko, after hours of digging your answer solved my problem.
load_and_authorize_resource relies on a standard name for your whitelist params method. It needs to be singular!

from cancancan.
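
The naming convention this thread converges on, as an added example that is not part of the original comments and not CanCanCan's own code: a plain-Ruby model of the lookup order given on the Strong-Parameters wiki page (action-specific method, then `<model_name>_params`, then `resource_params`). `FakeParams`, `build_attributes` and both controllers are hypothetical stand-ins so the block runs without Rails; the request input is constructed.

```ruby
# Added illustration: a plain-Ruby model of the lookup, not CanCanCan's source.
class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters: unusable until permitted.
class FakeParams
  attr_reader :data, :permitted
  def initialize(data, permitted = false)
    @data = data
    @permitted = permitted
  end

  def permit(*keys)
    FakeParams.new(@data.select { |k, _| keys.include?(k) }, true)
  end
end

# Candidate sanitizer names, most specific first (order per the wiki page).
def sanitizer_candidates(action, model_name)
  ["#{action}_params", "#{model_name}_params", "resource_params"].map(&:to_sym)
end

# Call the first sanitizer the controller defines (private ones included);
# if none matches, the raw, unpermitted params are used and assignment fails.
def build_attributes(controller, action, model_name)
  name = sanitizer_candidates(action, model_name).find { |m| controller.respond_to?(m, true) }
  attrs = name ? controller.send(name) : controller.params
  raise ForbiddenAttributesError, "unpermitted params for #{model_name}" unless attrs.permitted
  attrs.data
end

class ControllerBase
  attr_reader :params
  def initialize(raw)
    @params = FakeParams.new(raw)
  end
end

class PluralController < ControllerBase   # plural name is never looked up
  private
  def managers_params; params.permit(:name); end
end

class SingularController < ControllerBase # matches "<model_name>_params"
  private
  def manager_params; params.permit(:name); end
end

RAW = { name: "Ada", admin: true }.freeze # constructed request input
p build_attributes(SingularController.new(RAW), "create", "manager")
```

With the singular name the sanitizer runs and the unlisted `admin` key is dropped; with the plural name nothing matches, so the raw params reach the model and the error is raised for every user.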
