ActiveModel::ForbiddenAttributesError + cancan + rails 4 + model with scoped controller

StackOverflow https://stackoverflow.com/questions/19273182

Question

I m using cancan(1.6.10) with rails 4.0.0. I have a model called 'App'(not scoped) and a controller Admin::AppsController(its scoped. ie app/controllers/admin/apps_controller).

the controller code is as

class Admin::AppsController < ApplicationController
  before_filter :authenticate_user!
  load_and_authorize_resource class: App

  def index
  end

  #CRUD methods and some other custom methods
  ...

  private

  def app_params
    params.require(:app).permit(:name, :description, :author, :url_path, :validated, :active, :version)
  end
end

I m getting error when i try to create a 'app'. 

ActiveModel::ForbiddenAttributesError - ActiveModel::ForbiddenAttributesError:
activemodel (4.0.0) lib/active_model/forbidden_attributes_protection.rb:21:in `sanitize_for_mass_assignment'

I added 

before_filter do
  resource = controller_path.singularize.gsub('/', '_').to_sym
  method = "#{resource}_params"
  params[resource] &&= send(method) if respond_to?(method, true)
end

as specified in https://github.com/ryanb/cancan/issues/835#issuecomment-18663815 but still getting the above error.

Was it helpful?

Solution

Using name spaces. Please try to change your code to this one below. I had same issue after @JiriKolarik suggested his solution to work with name spaces. I hope it helps. 

  before_filter do
    resource = controller_name.singularize.to_sym
    method = "#{resource}_params"
    params[resource] &&= send(method) if respond_to?(method, true)
  end

OTHER TIPS

if you use this workflow

before_filter do
  resource = controller_path.singularize.gsub('/', '_').to_sym
  method = "#{resource}_params"
  params[resource] &&= send(method) if respond_to?(method, true)
end

then your params method should look like this

  def admin_app_params
    params.require(:admin_app).permit(:name, :description, :author, :url_path, :validated, :active, :version)
  end

The reason why, it's because form generators (form_form, simple_form) generate params with namespace_resource

So if you have Blog::Post, form generator will create params like this

{ "blog_post"=>{"title"=>"Post"}, "commit"=>"Create", "action"=>"create", "controller"=>"blog/posts", "locale"=>"en"}

And this is how before filter works:

before_filter do
  resource = controller_path.singularize.gsub('/', '_').to_sym # => 'blog/posts' => 'blog/post' => 'blog_post' => :blog_post
  method = "#{resource}_params" # => 'blog_post_params'
  params[resource] &&= send(method) if respond_to?(method, true) # => params[:blog_post]
end

If you need read :blog_post from params, solution above will not work. If you need read :post from params, then this solution will not work, if your controller will be blog/post

cancan just does not work with the strong parameter. While there is a new gem cancancan which works well without any code change.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top