Strong Params: params.permit returns Unpermitted parameters despite whitelist

UsersProfileController has strong parameters that look like this:

    def user_profile_params
      params.permit(:age, :relations)
      # yes, I am not requiring user_profile. Just permitting attributes I need. 
    end

The create action creates a UserProfile through the parent (a has_one and belongs_to association):

    def create
      parent = Parent.create_guest
      parent.build_user_profile(user_profile_params)
      if parent.save 
        # do something 
      else 
        # handle error
      end
    end

Calling params in UserProfiles returns:

    <ActionController::Parameters 
      {"age"=>"23", 
       "relations"=>"3", 
       "subdomain"=>"api", 
       "format"=>:json, 
       "controller"=>"api/v1/user_profiles", 
       "action"=>"create"} 
     permitted: false>

Calling user_profile_params returns this:

    user_profile_params:
      Unpermitted parameters: subdomain, format
      <ActionController::Parameters 
       {"age"=>"23", 
       "relations"=>"3", } 
      permitted: true>

When a submit request arrives, I expect that I can create user_profile using the whitelisted parameters in user_profile_params. Instead, the create action in UserProfiles fails with an error: Unpermitted parameters: subdomain, format.

This is not what I expected. I expected user_profile_params to include only valid values and ignore all the others.

I might add :format and :subdomain to the list of allowed attributes, but something is wrong.


+4
1


docs:


, , config.action_controller.action_on_unpermitted_parameters . : log , : .

(rails c):

    fake_params_hash = {
      "age"=>"23",
      "relations"=>"3",
      "subdomain"=>"api",
      "format"=>:json,
      "controller"=>"api/v1/user_profiles",
      "action"=>"create"
    }

    permitted_params = ActionController::Parameters.new(fake_params_hash).permit(:age, :relations)
    #=> Unpermitted parameters: subdomain, format <== warning logged to the console
    #=> <ActionController::Parameters {"age"=>"23", "relations"=>"3"} permitted: true>

    user = User.create(permitted_params) # mass assignment with permitted params

    # check if there are errors
    puts user.errors.messages if user.errors.any?

, User.create, .permit.

+3
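
An added example, not code from the question or the answer: a simplified pure-Ruby model of how permit filters a request under the two values of config.action_controller.action_on_unpermitted_parameters (:log and :raise), and why controller and action never appear in the notice. MiniParams, UnpermittedError, SAMPLE and demo_log are hypothetical names, and the model handles scalar keys only; it is not Rails' implementation.

```ruby
# Simplified stand-in for ActionController::Parameters#permit (scalar keys only).
# MiniParams and UnpermittedError are hypothetical names, not Rails classes.
require "logger"
require "stringio"

class UnpermittedError < StandardError; end

class MiniParams
  # Rails never reports these two routing keys (always_permitted_parameters).
  ALWAYS_PERMITTED = %w[controller action].freeze
  attr_reader :to_h, :permitted

  def initialize(hash, on_unpermitted: :log, logger: Logger.new($stderr), permitted: false)
    @to_h = hash.transform_keys(&:to_s)
    @on_unpermitted = on_unpermitted
    @logger = logger
    @permitted = permitted
  end

  # Returns a new, permitted object holding only the whitelisted keys.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    report(@to_h.keys - allowed - ALWAYS_PERMITTED)
    MiniParams.new(@to_h.slice(*allowed), on_unpermitted: @on_unpermitted,
                   logger: @logger, permitted: true)
  end

  private

  def report(extra)
    return if extra.empty?
    message = "Unpermitted parameters: #{extra.join(', ')}"
    case @on_unpermitted
    when :log   then @logger.debug(message)            # notice only, request continues
    when :raise then raise UnpermittedError, message   # request is aborted
    end
  end
end

# Constructed sample input mirroring the request in the question.
SAMPLE = { "age" => "23", "relations" => "3", "subdomain" => "api",
           "format" => :json, "controller" => "api/v1/user_profiles",
           "action" => "create" }.freeze

def demo_log
  io = StringIO.new
  safe = MiniParams.new(SAMPLE, on_unpermitted: :log, logger: Logger.new(io)).permit(:age, :relations)
  [safe.to_h, safe.permitted, io.string]
end
```

In :log mode the filtered hash is still safe to pass to mass assignment; only :raise turns the notice into an exception.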

Source: https://habr.com/ru/post/1667407/

