snovosel

Reputation: 91

Unpermitted parameters despite whitelisting attribute rails 4

I have an attribute :completed, that is a boolean value (true/false). On the index page, I have a check box that I would like to, when checked, update that value for the object. Here is what I have for the check box:

<div class="task_area">
      <%= link_to task.title, task_path(task), class: 'wrapper_task_name'%>
      <%= form_for task do |f| %>
        <%= f.check_box :completed %>
        <%= f.submit 'update' %>
      <% end %>
</div>

I whitelisted the attribute :completed in my tasks_controller.rb:

def task_params
    params.require(:task).permit(:title, :text, :boolean, :current_user, :email, )
end 

But in the log I get:

Started PATCH "/tasks/45" for ::1 at 2016-10-16 17:35:43 -0400
Processing by TasksController#update as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"ogAki1fvq6Eq+ONwjxeYwf+ZOrmkv+EAuDmZRTEEJ05xB3cf/XyHEavNDZyBWUOL0gUuEOglyM2uDNoJHcDcJg==", "task"=>{"completed"=>"1"}, "commit"=>"update", "id"=>"45"}
  User Load (0.8ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1  ORDER BY "users"."id" ASC LIMIT 1  [["id", 1]]
  Task Load (0.7ms)  SELECT  "tasks".* FROM "tasks" WHERE "tasks"."user_id" = $1 AND "tasks"."id" = $2 LIMIT 1  [["user_id", "1"], ["id", 45]]
Unpermitted parameter: completed
   (0.4ms)  BEGIN
   (0.4ms)  COMMIT
Redirected to http://localhost:3000/
Completed 302 Found in 22ms (ActiveRecord: 2.3ms)

I'm wondering if having devise require user authentication is causing this problem. Does anyone have any idea as to what I can do to fix this?

Upvotes: 2

Views: 501

Answers (3)

Junan Chakma

Reputation: 651

You have added the type (boolean) of completed_at in your white-listed params of tasks_controller. It should be like this:

def task_params
 params.require(:task).permit(:title, :text, :completed, :current_user, :email)
end 

Upvotes: 0

Georg Keferböck

Reputation: 1977

def task_params
    params.require(:task).permit(:title, :text, :current_user, :email, :completed)
end 

With the code above, completed is whitelisted.

Upvotes: 0

Taryn East

Reputation: 27747

The name of the field is :completed not :boolean - this is what you need to put in your permit line. eg:

def task_params
  params.require(:task).permit(:title, :text, :completed, :current_user, :email)
end 

Also can I strongly recommend against having :current_user as a permitted field? This will allow a malicious user to create a task for another user. I'd leave it off the permitted list and add it manually in the create method eg with current_user.tasks.create(task_params)

Upvotes: 4
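
Added example (not code from the question or from any of the answers): a plain-Ruby stand-in for the permit filter, run over a constructed form body. It shows why the question's list drops `completed` while letting a client-supplied `current_user` through, and what the corrected list with a server-set owner produces. `filter_params`, `task_attributes` and the sample values are assumptions; `user_id` is the owner column visible in the question's SQL log.

```ruby
# Simplified stand-in for strong parameters; this is NOT ActionController::Parameters.
# Returns [kept, dropped]: the keys on the permit list, and the names that would be
# reported as "Unpermitted parameter".
def filter_params(raw, permitted)
  allowed = permitted.map(&:to_s)
  kept = raw.select { |key, _value| allowed.include?(key) }
  [kept, raw.keys - kept.keys]
end

# Hypothetical helper: attributes for a task write, with the owner taken from the
# authenticated session rather than the form (the effect of
# current_user.tasks.create(task_params) in the answer above).
def task_attributes(raw, permitted, session_user_id)
  kept, dropped = filter_params(raw, permitted)
  { attrs: kept.merge("user_id" => session_user_id), unpermitted: dropped }
end

# Constructed form body: the checkbox value plus an owner field added by the client.
SUBMITTED = { "completed" => "1", "current_user" => "2" }.freeze

# Permit list as posted in the question: :boolean is a type, not a field name,
# and :current_user is accepted from the client.
QUESTION_LIST = %i[title text boolean current_user email].freeze

# Corrected list: the real field name is permitted and the owner field is removed.
HARDENED_LIST = %i[title text completed email].freeze

if __FILE__ == $PROGRAM_NAME
  [["question", QUESTION_LIST], ["hardened", HARDENED_LIST]].each do |label, list|
    kept, dropped = filter_params(SUBMITTED, list)
    puts "#{label}: kept=#{kept.inspect} unpermitted=#{dropped.inspect}"
  end
  p task_attributes(SUBMITTED, HARDENED_LIST, 1)
end
```

With the question's list the checkbox value never reaches the model, which matches the empty BEGIN/COMMIT in the log, while the owner field passes straight through.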
