Solution came to me in my sleep. Here's what I did to solve the problem:
The only reason comment_params wasn't normally having a problem on create, was because I was excluding the extra :parent_comment_id parameter, like this:
@comment = post.comment.create(comment_params.except(:parent_comment_id))
When CanCan used the comment_params method however, it did no such sanitation. Hence, the problem. It would have been messy to add that sanitation to CanCan on a per-controller basis, so I did what I should have done all along and instead of passing the :parent_comment_id inside :comment, I used hidden_field_tag to pass it outside of :comment and accessed it through plain, old params.
I hope this helps someone else who makes a similar mistake!
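The difference between the two parameter layouts described in the answer above, as an added example that is not part of the original answer. It is a plain-Ruby model rather than Rails code: the `Comment` class, `permit`, `cancan_build`, and the assumption that the model rejects `parent_comment_id` as an unknown attribute are all hypothetical stand-ins.

```ruby
# Plain-Ruby model (no Rails required); every class and helper is a hypothetical stand-in.
class UnknownAttribute < StandardError; end

# Stand-in for a model with no parent_comment_id attribute (assumption).
class Comment
  ATTRS = %i[body].freeze
  attr_reader :body

  def initialize(attrs = {})
    attrs.each do |key, value|
      raise UnknownAttribute, key.to_s unless ATTRS.include?(key.to_sym)
      instance_variable_set("@#{key}", value)
    end
  end
end

# Stand-in for params.require(:comment).permit(*keys).
def permit(params, *keys)
  params.fetch(:comment).select { |key, _| keys.include?(key) }
end

# Stand-in for CanCan's resource loading on create: it builds the record
# straight from comment_params, with no .except(:parent_comment_id) step.
def cancan_build(comment_params)
  Comment.new(comment_params)
end

# Before: parent_comment_id travels inside :comment and is permitted.
def before_fix(params)
  cancan_build(permit(params, :body, :parent_comment_id))
  :ok
rescue UnknownAttribute => e
  "unknown attribute: #{e.message}"
end

# After: parent_comment_id is a top-level param (as hidden_field_tag sends it),
# so comment_params permits only model attributes and the id is read from params.
def after_fix(params)
  comment = cancan_build(permit(params, :body))
  [comment.body, params[:parent_comment_id]]
end

NESTED = { comment: { body: "hi", parent_comment_id: "7" } }.freeze # constructed input
FLAT   = { comment: { body: "hi" }, parent_comment_id: "7" }.freeze # constructed input
```

The top-level `parent_comment_id` is still client-supplied, so the controller should look the parent up within the same post before using it.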