Comments (8)
Hello everyone!
I had the same issue and got help from this link:
https://github.com/CanCanCommunity/cancancan/wiki/Strong-Parameters#by-model-name
All I had to change was the name of the mass-assignment method, from plural to singular:
managers_params -> manager_params
from cancancan.
@runar You probably haven't defined a strong_parameters method... if you're using strong_parameters or Rails 4+, you have to sanitize your inputs. Check out: https://github.com/CanCanCommunity/cancancan/wiki/Strong-Parameters
@bryanrite You’re right. Defining a create_params method solved the problem without the need to mess around with authorization. Now I just need to learn how the permit method really works. :)
Thank you!
Not sure if I am missing something you are trying to do, but your link to the comment page in posts/show.html.erb seems to be incorrect. Change it to:
<%= link_to 'Comment', new_comment_path(post_id: @post) %>
which will take you to comments/new.html.erb.
Now, if you want it to associate with that post, you can put a hidden field that uses the post_id you just passed.
You might also want to consider nesting your comments in your posts: http://guides.rubyonrails.org/routing.html#nested-resources
@presidentJFK is right, you shouldn't have ForbiddenAttributes errors on new actions. Check out the wiki page on nested resources: https://github.com/CanCanCommunity/cancancan/wiki/Nested-Resources
You probably just need something like:
load_and_authorize_resource :post
load_and_authorize_resource :comment, through: :post, shallow: true
def new
end
This will associate the post properly automatically and enforce that the user can make a comment on the post. (i.e. what would happen if someone used ?post_id=1234 on a post that was hidden or draft?)
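The point of the `through: :post` declaration in the comment above, as an added example in plain Ruby (this is not cancancan's code and not code posted by anyone in the thread): the parent post is loaded from the route and authorized first, and the comment is built through it, so its post_id comes from the loaded parent rather than from a hidden form field or query parameter that a client can edit. The Ability rules, the User/Post/Comment structs and the two sample posts are all constructed for the example; the `shallow: true` behaviour is not modelled here.

```ruby
# Added example, not code from cancancan or from this thread. Plain Ruby
# sketch of what "load_and_authorize_resource :comment, through: :post"
# buys over a hidden post_id field: the parent is loaded and authorized
# first, then the child is built through it, so a request for a draft or
# hidden post (e.g. ?post_id=1234 from the comment above) is refused before
# any comment exists. Ability rules and records below are constructed.
class AccessDenied < StandardError; end
class RecordNotFound < StandardError; end

User = Struct.new(:id)
Post = Struct.new(:id, :author_id, :draft) do
  def comments
    @comments ||= CommentCollection.new(self)
  end
end
Comment = Struct.new(:post_id, :text)

# Minimal association: children can only be built with the parent's id.
class CommentCollection
  def initialize(post); @post = post; end
  def build(text = nil)
    Comment.new(@post.id, text)
  end
end

# Constructed stand-in for an Ability class.
class Ability
  def initialize(user); @user = user; end
  def can?(action, subject, parent = nil)
    case subject
    when Post
      # drafts are readable by their author only
      action == :read && (!subject.draft || subject.author_id == @user.id)
    when Comment
      # creating a comment requires read access to the parent post
      action == :create && !parent.nil? && can?(:read, parent)
    else
      false
    end
  end
end

# Mirrors "load_and_authorize_resource :post" followed by
# "load_and_authorize_resource :comment, through: :post" for the new action.
def load_and_authorize_comment(ability, posts, post_id)
  post = posts.find { |p| p.id == post_id } or raise RecordNotFound, "Post #{post_id}"
  raise AccessDenied, "cannot read Post #{post.id}" unless ability.can?(:read, post)
  comment = post.comments.build # post_id comes from the loaded parent, not from the request body
  raise AccessDenied, "cannot comment on Post #{post.id}" unless ability.can?(:create, comment, post)
  comment
end

# Constructed records: one public post, one draft written by user 2.
POSTS = [Post.new(1, 2, false), Post.new(1234, 2, true)].freeze

def outcome(user_id, post_id)
  load_and_authorize_comment(Ability.new(User.new(user_id)), POSTS, post_id)
  :ok
rescue AccessDenied
  :denied
rescue RecordNotFound
  :not_found
end

if __FILE__ == $PROGRAM_NAME
  puts "user 1 on post 1:    #{outcome(1, 1)}"    # :ok
  puts "user 1 on post 1234: #{outcome(1, 1234)}" # :denied
  puts "user 2 on post 1234: #{outcome(2, 1234)}" # :ok (author of the draft)
end
```

The hidden-field approach discussed earlier in the thread still works for the happy path; the difference is that here the post_id is never taken from client-controlled data, so an authorization check on the parent cannot be skipped by editing the form.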
Ok, maybe I missed the point or the example of @znz is not so good. But what should I do to create a pre-filled form like comments/new?comment%5Btext%5D=Hello
I get an ActiveModel::ForbiddenAttributesError exception (explanation for that in the first post of @znz). Is this a bug or a feature?
I’ve got a rather complex controller so I don’t know if the problem I experienced is the same as your problem, but when I used load_and_authorize_resource in my controller, the create action resulted in an ActiveModel::ForbiddenAttributesError error for all users, authorized or not.
I solved it by loading and authorizing all actions except create:
load_and_authorize_resource except: :create
And then by authorizing the create action:
def create
authorize! :create, @model
# Some more code …
end
I have to admit I don’t know enough about how Devise, CanCanCan and all that works to tell if this is a bug or a «feature», but I thought I’d let you know how I solved the problem.
Thanks @victorpolko, after hours of digging your answer solved my problem.
load_and_authorize_resource relies on a standard name for your whitelist params method. It needs to be singular!
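Several comments in this thread (the plural-to-singular rename, the create_params suggestion, and the closing remark that the whitelist method must be singular) describe the same mechanism. The following plain-Ruby example, added here and not taken from cancancan or from any poster, shows it without Rails: a stand-in for ActionController::Parameters that may only be mass-assigned after permit, a model that raises ForbiddenAttributesError otherwise, and the whitelist-method lookup the resource loader performs. The lookup order used (an explicit :param_method, then "<action>_params", then "<model>_params", then "resource_params") is an assumption taken from the cancancan wiki linked above; the thread itself only confirms create_params and the singular "<model>_params". Defining the whitelist method keeps the mass-assignment guard in force for the pre-filled new form, rather than working around the loader.

```ruby
# Added example, not code from the cancancan project or from this thread.
# Plain Ruby, no Rails: stand-ins for ActionController::Parameters, a
# mass-assignment guard, and the whitelist-method lookup the loader does.
# Lookup order (explicit :param_method, "<action>_params", "<model>_params",
# "resource_params") is an assumption taken from the cancancan wiki; the
# thread itself only confirms create_params and the singular "<model>_params".
class ForbiddenAttributesError < StandardError; end

# A parameter hash that may only be mass-assigned after permit.
class Params
  attr_reader :to_h
  def initialize(hash, permitted: false)
    @to_h, @permitted = hash, permitted
  end
  def permitted?; @permitted; end
  def require(key)
    raise KeyError, "param is missing: #{key}" unless @to_h.key?(key)
    Params.new(@to_h.fetch(key))
  end
  # Keep only the whitelisted keys; the result is marked permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@to_h.select { |k, _| allowed.include?(k.to_s) }, permitted: true)
  end
end

# Model that refuses unpermitted params, as ActiveModel does.
class Comment
  attr_reader :attributes
  def initialize(params = nil)
    @attributes = {}
    assign_attributes(params) if params
  end
  def assign_attributes(params)
    raise ForbiddenAttributesError, "unpermitted parameters" unless params.permitted?
    @attributes.merge!(params.to_h)
    self
  end
end

# What load_and_authorize_resource does before building the record.
class Loader
  def initialize(controller, action:, model: :comment, param_method: nil)
    @controller, @action, @model, @param_method = controller, action.to_s, model.to_s, param_method
  end
  # Candidate whitelist method names; the first one the controller defines wins.
  def candidate_methods
    names = ["#{@action}_params", "#{@model}_params", "resource_params"]
    @param_method ? names.unshift(@param_method.to_s) : names
  end
  def whitelist_method
    candidate_methods.find { |n| @controller.respond_to?(n, true) }
  end
  def load
    raw = @controller.params
    return Comment.new unless raw.to_h.key?(@model) # nothing to pre-fill
    meth = whitelist_method
    # Without a whitelist method the raw nested hash is used, still unpermitted.
    Comment.new(meth ? @controller.send(meth) : raw.require(@model))
  end
end

class BaseController
  attr_reader :params
  def initialize(raw); @params = Params.new(raw); end
end

class BrokenCommentsController < BaseController
  private
  def comments_params # plural: the loader never looks for this name
    params.require("comment").permit(:text)
  end
end

class FixedCommentsController < BaseController
  private
  def comment_params # singular: matches "<model>_params"
    params.require("comment").permit(:text)
  end
end

# Constructed request: /comments/new?comment[text]=Hello&comment[author_id]=1
REQUEST = { "comment" => { "text" => "Hello", "author_id" => "1" } }.freeze

def new_comment(controller_class)
  Loader.new(controller_class.new(REQUEST), action: :new).load
end

def forbidden?(controller_class)
  new_comment(controller_class)
  false
rescue ForbiddenAttributesError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "plural method:   #{forbidden?(BrokenCommentsController)}" # true
  puts "singular method: #{new_comment(FixedCommentsController).attributes}"
end
```

With the singular name the pre-filled form works and the constructed author_id parameter is silently dropped by permit; with the plural name the loader falls back to the raw hash and the model refuses it, which is the error reported in the thread.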