CanCan ActiveModel::ForbiddenAttributesError with rails 4 #835
Comments
Hi @Crystark, welcome to Rails and CanCan. The error you are running into (ActiveModel::ForbiddenAttributesError) is actually part of Rails 4 and the strong_parameters feature for model attributes. You can read more about how it works here: Edge Guides - Strong Parameters. Basically this is a way of saying that CanCan isn't ready out of the box for Rails 4. There are a number of workarounds in the issues you referenced. I'd play around with those and see if those work well for you. The other option is to create an authorization system from scratch. @ryanb shows how in the Railscasts about strong_parameters: Authorization from scratch - Part I and Authorization from scratch - Part II (PRO episodes require a subscription). |
Oh, and if the issue is resolved can you close it? |
I'm using Rails 4 rc1 and CanCan 1.6.10 and I'm still getting this error when creating. Is there some additional work I must do to get it going? |
+1 for this. I'm having the same problem. |
+1, Using Rails 4 rc and cancan 1.6.1 |
+1, 4.0.0.rc1 + 1.6.10 - any workaround for this configuration? |
I use: |
Thanks, if someone has the same problem: #571 describes a workaround. In short: In the ApplicationController:
```ruby
before_filter do
  resource = controller_name.singularize.to_sym
  method = "#{resource}_params"
  params[resource] &&= send(method) if respond_to?(method, true)
end
```
and in the resource controller (for example NoteController):
```ruby
def note_params
  params.require(:note).permit(:what, :ever)
end
```
|
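Added example (not part of the thread, and not CanCan or Rails code): a plain-Ruby sketch of why the filter above avoids the error, showing that unfiltered params are rejected while filtered params load and lose the unlisted key. `Params`, `Note`, `NotesController`, `run_filter`, `sample_request`, the `owner_id` field and the `chomp("s")` singularization are assumptions standing in for ActionController::Parameters, the model, the controller and ActiveSupport's `singularize`.

```ruby
# Plain-Ruby stand-ins constructed for this example (no Rails required).
class ForbiddenAttributesError < StandardError; end

# Stands in for ActionController::Parameters: unpermitted until #permit.
class Params < Hash
  attr_accessor :permitted
  def require(key)
    fetch(key) { raise KeyError, "param is missing: #{key}" }
  end

  def permit(*keys)
    copy = Params[select { |k, _| keys.include?(k) }]
    copy.permitted = true
    copy
  end
end

# Stands in for a Rails 4 model: mass assignment rejects unpermitted params.
class Note
  attr_reader :attributes
  def initialize(attrs)
    raise ForbiddenAttributesError unless attrs.permitted
    @attributes = attrs.to_h
  end
end

NotesController = Struct.new(:params) do
  # Body of the workaround's before_filter; chomp("s") replaces singularize.
  def run_filter
    resource = "notes".chomp("s").to_sym
    method = "#{resource}_params"
    params[resource] &&= send(method) if respond_to?(method, true)
  end

  # Roughly what load_resource does on create: build from params[:note].
  def load_resource
    Note.new(params[:note])
  end

  private
  def note_params
    params.require(:note).permit(:title, :body)
  end
end

# Constructed request: owner_id is a field the form never offered.
def sample_request
  Params[note: Params[title: "hi", body: "text", owner_id: 1]]
end
```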
Hey, @AntonTrapp! This fixed my issue. CanCan 1.6.10 and Rails 4.0.0.rc1. Thanks. |
+1, 4.0.0.rc2 and 1.6.10. @AntonTrapp's fix works here as well |
Thanks @AntonTrapp and I made some changes, now it's compatible with namespaces
```ruby
before_filter do
  resource = controller_path.singularize.gsub('/', '_').to_sym
  method = "#{resource}_params"
  params[resource] &&= send(method) if respond_to?(method, true)
end
```
|
Here's my workaround:
```ruby
# before_action :set_company, only: [:show, :edit, :update, :destroy]
before_action :load_company, only: :create
load_and_authorize_resource

private

# Use callbacks to share common setup or constraints between actions.
# def set_company
#   @company = Company.find(params[:id])
# end

def load_company
  @company = Company.new(company_params)
end
```
So it's cleaner and dryer without double loading the resource |
+1 on rails 4.0.0.rc2 and cancan 1.6.10 @AntonTrapp / @jirikolarik workaround is working for me. |
@AntonTrapp / @jirikolarik worked for me with Rails 4 release and cancan 1.6.10. Thanks for the short-term fix. |
Work around worked for me as well, thanks! |
Using cancan 1.6.1, ruby 2.0.0p247 and rails 4, and @AntonTrapp worked for me. Thank you. |
I get that error in Rails 4 and cancan (1.6.10) :( but if I use it works, thanks to @mrfoto |
@obelich the problem with that workaround is that any authenticated user will create your used model |
+1 @AntonTrapp workaround fixes problem for me as well on 4.0.0. |
👍 Thanks @AntonTrapp for the workaround! |
@obelich @alagos yeah, DON'T use my "solution". As I've said, it's just to get it going but shouldn't be used on production. It was a temp fix I used so I could work without going in depth about this issue. I would suggest either the solution @AntonTrapp reposted or the one from @lecky which is even nicer IMHO. |
Thanks @AntonTrapp and @jirikolarik hopefully we will see a perm fix soon. |
👍 for solution proposed by @AntonTrapp / @jirikolarik |
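Here is what worked for me....
```ruby
module CanCan
  class ControllerResource
    alias_method :original_resource_params_by_namespaced, :resource_params_by_namespaced_name

    def resource_params_by_namespaced_name
      if @controller && @params && @params[:action] == "create"
        # Name of the controller's strong-parameters method, e.g. :foo_params.
        strong_params = "#{namespaced_name.name.downcase}_params".to_sym
        # Call it only if the controller defines it (private methods included);
        # looking up a missing method with #method would raise NameError.
        params = @controller.send(strong_params) if @controller.respond_to?(strong_params, true)
      end
      # Fall back to CanCan's original lookup for other actions.
      params ||= original_resource_params_by_namespaced
    end
  end
end
```
Note:
```ruby
def foo_params
  params.require(:foo).permit(:what, :ever)
end
```
|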
Just FYI we now have CanCanCan which fixes this and many other issues on the original CanCan repo 😉 |
WARNING: before you all run to CanCanCan, it is 1.x only! |
Well 2.x isn't usable yet anyway, right? And they say they will start working on 2.x when they figure out what exactly @ryanb had in mind building it. What I'm trying to say is that their 2.x is the same as CanCan 2.x - there is no work being done anywhere 😄 |
It is for some, just don't want them to be disappointed (like me, rushed to your site immediately lol). |
I changed for Cancancan and did not have to change even one line of code for it to work. And FYI the fix I talked about in my first post has always been working. |
I just switched to CanCanCan and can also confirm that it is working without changing any code. I was able to remove the fix_cancan_forbidden_attr_error work-around in my application_controller.rb with any problems after switching to CanCanCan. |
@AntonTrapp +1 Cool, thanks |
Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013. CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994. If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan. We hope to see you on the other side! |
I lost 2 hours trying to find this bug ... Thank you! |
If you are getting the same error on new ( giving default params from the url) you can do this 👍
|
Hi guys, I started Rails this week only. Please help. tc cheers, I cannot find where I can apply the workaround in rails admin |
@kodeycom switch to cancancan |
Switch to cancancan
|
I spent an hour trying to figure out this problem. Great work |
Thank you @AntonTrapp 👍 |
+1 |
Thanks @ombr, it works well~
|
You're welcome! It works, but on my projects I moved to cancancan. |
* when you don't have permission, you get a clean error message saying it is forbidden, and you are redirected * however, when you do have permission to do a CREATE on a table, you get an ActiveModel::ForbiddenAttributesError which, according to research, is due to CanCan not having been updated for Rails 4 (cf ryanb/cancan#835). It is therefore advisable to use the new version of CanCan, namely CanCanCan: https://github.com/CanCanCommunity/cancancan
… user info without specifying a "new" password ryanb/cancan#835 , see this for new info on other solutions to the problem.
@AntonTrapp,Thank you for help! |
Thanks, @AntonTrapp, your solution fixed my issue. 👍 |
Solved in cancancan Fixed in cancancan: ryanb/cancan#835 (comment)
i had AdjustmentTask model and adj_task_params in its controller |
Hi,
I'm quite new to Rails and I'm going for a Devise-CanCan-SimpleRoles approach on my project. I'm using CanCan 1.6.9.
It seems that since I rebuilt the project from scratch on rails4 beta1, I'm getting a
ActiveModel::ForbiddenAttributesError
when I try to create any entity using a controller which extends my ApplicationController. This seems to come from :
I've tried using
load_and_authorize_resource
instead but it does the same error. I think this might have to do with #763 and #571 but as I'm still quite new to Rails, I'd rather be sure this issue is reported.
Thanks
Here's the full stacktrace of the error: