Reputation: 141
I'm trying to redirect someone after they click a button, and I keep getting the following error:
ActiveModel::ForbiddenAttributesError
Extracted source (around line #20):
It is throwing the error on the @post = Post.new line.
    def create
      @post = Post.new(params[:post])
      if @post.save
        redirect_to posts_path, :notice => "Your post was saved"
      end
    end
I am very new to Ruby and at the moment I am very confused about what this means. I am just following a tutorial and mine isn't working. If anyone could help that would be awesome :D
Upvotes: 0
Views: 1065
Reputation: 1461
While I don't have quite enough of your code to specifically answer the question, I can probably get pretty close (minus some column/attribute naming). With strong_params now the standard for Rails applications, you'd probably be looking to do something more like:
    def create
      @post = Post.new(post_params)
      if @post.save
        redirect_to posts_path, :notice => "Your post was saved"
      else
        # other stuff here
      end
    end

    private

    def post_params
      # ...etc: I took a guess at the attributes you are passing through your params on the create.
      params.require(:post).permit(:content)
    end
For a little extra easy-reading on the history/reason: http://blog.8thlight.com/will-warner/2014/04/05/strong-parameters-in-rails.html
Let me know if you'd like any additional clarification.
Upvotes: 1
Reputation: 36880
    @post = Post.new(params[:post])
... is no longer used in the latest versions of Rails. The problem is that it provided weak security. Someone who was updating their user profile (for example) could theoretically insert an attribute like "administrator: true" to change themselves into an administrator (if that's how the admin flag is stored).
Strong parameters now require that you explicitly specify which attributes you want to allow to be entered.
So nowadays we do...
    @post = Post.new(post_params)
And we have a method later in the controller that specifies the permitted attributes, and looks like...
    def post_params
      params.require(:post).permit(:title, :body)
    end
Upvotes: 3
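The mass-assignment problem described in the answer above, as an added plain-Ruby example (not code from the original posts or from Rails). `MiniParams`, `User`, `build_user` and the sample request are hypothetical stand-ins that imitate `require`/`permit`, so it runs without Rails.

```ruby
class ForbiddenAttributesError < StandardError; end

# Simplified stand-in for ActionController::Parameters (hypothetical class).
class MiniParams
  attr_reader :data, :permitted

  def initialize(data, permitted = false)
    @data = data
    @permitted = permitted
  end

  # Like require(:user): return the nested hash, or fail if it is missing.
  def require(key)
    MiniParams.new(@data.fetch(key.to_s))
  end

  # Like permit(...): keep allow-listed keys, drop the rest, mark as permitted.
  def permit(*keys)
    names = keys.map(&:to_s)
    MiniParams.new(@data.select { |k, _| names.include?(k) }, true)
  end
end

# Hypothetical model: "administrator" must never be set from a form.
class User
  COLUMNS = %w[name email administrator].freeze
  attr_reader :attributes

  # legacy: true imitates the old Post.new(params[:post]) behaviour.
  def initialize(attrs, legacy: false)
    raise ForbiddenAttributesError unless legacy || attrs.permitted
    @attributes = { "administrator" => false }
    attrs.data.each { |k, v| @attributes[k] = v if COLUMNS.include?(k) }
  end
end

# Constructed request body: a profile form with one extra field submitted.
REQUEST = { "user" => { "name" => "Sam", "email" => "sam@example.test",
                        "administrator" => true } }.freeze

def build_user(mode)
  user = MiniParams.new(REQUEST).require(:user)
  case mode
  when :legacy then User.new(user, legacy: true)          # extra field is accepted
  when :strong then User.new(user.permit(:name, :email))  # extra field is dropped
  else User.new(user)                                     # unpermitted: raises
  end
end
```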