According to the Rails documentation, config.filter_parameters is used for filtering out the parameters that you don't want shown in the logs, such as passwords or credit card numbers. By default, Rails filters out passwords by adding Rails.application.config.filter_parameters += [:password] in config/initializers/filter_parameter_logging.rb. The parameter filter works by partial-matching regular expressions.
So, why, when I submit the form below,
<%= form_with model: @user, url: admin_user_path, method: :delete do %>
<%= label_tag :password, t('forms.password') %>
<%= text_field_tag :password, nil %>
<%= button_tag t('forms.save'), type: 'submit' %>
<% end %>
can I see my password in the log?
<ActionController::Parameters {"utf8"=>"✓", "_method"=>"delete", "authenticity_token"=>"r22P2Mi1xcWOjRHGogoFaDcOec9/FgkC9btCo66qmqaKG/zwzUkbUGtATsTKV19OOYK80VBf1h0CzFtoRltQOA==", "password"=>"x", "button"=>"", "controller"=>"admin/users", "action"=>"destroy", "id"=>"at-example-com"} permitted: false>
Shouldn't the password be [FILTERED]?
The piece of code you're showing isn't from a log:
<ActionController::Parameters {"utf8"=>"✓", "_method"=>"delete", "authenticity_token"=>"r22P2Mi1xcWOjRHGogoFaDcOec9/FgkC9btCo66qmqaKG/zwzUkbUGtATsTKV19OOYK80VBf1h0CzFtoRltQOA==", "password"=>"x", "button"=>"", "controller"=>"admin/users", "action"=>"destroy", "id"=>"at-example-com"} permitted: false>
That output is from a command like puts(params). The filter_parameters option is about the log file, which is placed under the log directory, e.g. log/development.log.
Here is a piece of log file:
Processing by UsersController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"mxQJeccoEATtyCFy1eV", "user"=>{"first_name"=>"Juggy Head", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "commit"=>"Create user"}
You have used text_field_tag (it's going to be an input of type text); that's why it's showing the value in the log. You need to use password_field_tag (it's going to be an input of type password), like below:
<%= form_with model: @user, url: admin_user_path, method: :delete do %>
<%= label_tag :password, t('forms.password') %>
<%= password_field_tag :password, nil %>
<%= button_tag t('forms.save'), type: 'submit' %>
<% end %>
Rails API doc here
For instance, password filtering to use above code
Update
I completely agree with this answer Зелёный
Related
I'm trying to get Uppy jiving with a Rails upload form, but I'm having trouble getting it setup properly. The resulting params hash is missing its initial :image object. In a typical Rails form, I assume this is taken care of whenever its bound to a model instance. But I'm not sure how to do something like that with an Uppy form.
Just thinking out loud here, but maybe it has something to do with how I'm setting the endpoint option?
EDIT: And to clarify, I'm just trying to get it setup for a development environment, using localhost:3000 and storing everything locally for now
Here's the "standard" Rails form (withOUT uppy):
<%= form_for @image, html: { multipart: true } do |f| %>
<%= render 'shared/error_messages', object: f.object %>
<div class="field">
<%= f.label :file %><br>
<%= f.file_field :file %>
</div>
<div class="actions">
<%= f.submit "Upload Images" %>
</div>
<% end %>
And its resulting params hash:
=> <ActionController::Parameters {"utf8"=>"✓", "authenticity_token"=>"Cr9NAN6NE9JV6HrI7RE7EmjmxqnlfbWk+LT5k9yLuq1Sm0L9E/zJ/eXCDcjbyw7A6lUHP2LFBqbfjY+SWoeO+w==", "image"=>{"file"=>#<ActionDispatch::Http::UploadedFile:0x000055d297d74168 @tempfile=#<Tempfile:/tmp/RackMultipart20200328-12356-1qjsycd.png>, @original_filename="Screenshot from 2019-07-22 04-24-23.png", @content_type="image/png", @headers="Content-Disposition: form-data; name=\"image[file]\"; filename=\"Screenshot from 2019-07-22 04-24-23.png\"\r\nContent-Type: image/png\r\n">}, "commit"=>"Upload Images", "controller"=>"images", "action"=>"create"} permitted: false>
And here's my attempt at an Uppy form:
<%= form_for @image, html: { id: "uppy-form" } do |f| %>
<%= render 'shared/error_messages', object: f.object %>
<%= f.hidden_field :file, multiple: true, name: "images[file]", value: @image.file_data,
accept: 'image/jpg,image/jpeg,image/gif,image/png,image/tif,image/tiff', class: "upload-hidden" %>
<%= hidden_field_tag :authenticity_token, form_authenticity_token, id: :form_token %>
<% end %>
<script>
const XHRUpload = Uppy.XHRUpload
var uppy = Uppy.Core()
.use(Uppy.Dashboard, {
inline: true,
target: '#uppy-form'
})
.use(XHRUpload, {
endpoint: '/images',
fieldName: 'images[file]'
})
.setMeta({
authenticity_token: $("#form_token").attr('value')
})
uppy.on('complete', (result) => {
console.log(`Upload complete! We've uploaded these files:`, result.successful)
})
</script>
The resulting error when calling $ params
Completed 400 Bad Request in 5328ms (ActiveRecord: 0.4ms | Allocations: 40383)
ActionController::ParameterMissing - param is missing or the value is empty: image:
And the params in full
=> <ActionController::Parameters {"authenticity_token"=>"CYUz9AszYR4G0WEiI4bDoOlUyH4jFMzAVRf4vF6m6OJRoTwJxkK7Mbb7FiIVXPZya+cJ6KSsf8JyLo692KrctA==", "relativePath"=>"null", "name"=>"Screenshot from 2019-07-10 06-34-34.png", "type"=>"image/png", "exifdata"=>"[object Object]", "images"=>{"file"=>#<ActionDispatch::Http::UploadedFile:0x000055d2962c49d0 @tempfile=#<Tempfile:/tmp/RackMultipart20200328-12359-1d093y1.png>, @original_filename="Screenshot from 2019-07-10 06-34-34.png", @content_type="image/png", @headers="Content-Disposition: form-data; name=\"images[file]\"; filename=\"Screenshot from 2019-07-10 06-34-34.png\"\r\nContent-Type: image/png\r\n">}, "controller"=>"images", "action"=>"create"} permitted: false>
In the ImagesController, here is how image_params is defined. It's that initial .require(:image) that I think is missing when it gets sent over:
def image_params
params.require(:image).
permit(...)
end
Got it!
I had a typo in the fieldName.
I previously had it as images[file]; it should be image[file].
I have:
<%= form_with url: retrieve_videos_path, local: true do |form| %>
# some form stuff
<%= form.submit %>
<% end %>
And when I submit it, logs signal about unpermitted parameters: Unpermitted parameters: :utf8, :authenticity_token, :commit
I guess, in forms for models these parameters are permitted by the 'require' method like:
params.require(:model).permit(:params_stuff)
But how to make the same for urls?
Simple question about Simple Form:
I've an attribute in a user model for a token I'd like marked as [FILTERED] when passed over the network (as the password field does by default).
e.g.
I have:
Parameters: { "token"=>"WYXe3Z24JmUq", "email"=>"test@testing.com",
"password"=>"[FILTERED]"}
I want:
Parameters: { "token"=>"[FILTERED]", "email"=>"test@testing.com",
"password"=>"[FILTERED]"}
and an example form:
<%= simple_form_for @user do |f| %>
<%= f.input :token %>
<%= f.input :email %>
<%= f.input :password %>
<%= f.input :password_confirmation %>
<%= f.button :submit %>
<% end %>
What option do I need to add to the field to achieve this? I'm certain there's an option, but I can't seem to find it anywhere.
Thanks in advance!
Steve.
In application.rb, do the following:
config.filter_parameters += [:password, :token]
Check this answer: How to filter parameters in rails?
Rails 4
As a side note, config.filter_parameters has been moved to its own initializer:
config/initializers/filter_parameter_logging.rb
You need to add the line of code below to filter the token and password:
# Be sure to restart your server when you modify this file.
# Configure sensitive parameters which will be filtered from the log file.
Rails.application.config.filter_parameters += [:password, :token]
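To make the behaviour behind both the first question (why the password shows up) and this one (how to get the token marked [FILTERED]) concrete, here is an added example, not Rails' own ActiveSupport::ParameterFilter code and not from any of the posts above: a small stand-alone Ruby re-implementation of how the log filter treats the names listed in config.filter_parameters. As the documentation quoted in the first question says, matching is by partial regular expression on the parameter key, recursively through nested hashes, and it applies to what Rails writes to the log, not to what you get from puts(params) or params.inspect. The sample parameter hash and the api_token key are constructed for the example.

```ruby
# Added example: a stand-alone re-implementation of Rails-style parameter
# filtering (partial, case-insensitive key matching, applied recursively).
# Not Rails' own code; needs no gems.
FILTERED = "[FILTERED]".freeze

class ParamFilter
  # Symbols and strings become partial-match regexps, as Rails does with
  # config.filter_parameters; regexps are used as given.
  def initialize(filters)
    @patterns = filters.map do |f|
      f.is_a?(Regexp) ? f : /#{Regexp.escape(f.to_s)}/i
    end
  end

  def filtered_key?(key)
    @patterns.any? { |re| key.to_s.match?(re) }
  end

  # Returns a new structure; the input is left untouched, so the controller
  # still sees the real values and only the log output is masked.
  def filter(value)
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        out[k] = filtered_key?(k) ? FILTERED : filter(v)
      end
    when Array
      value.map { |v| filter(v) }
    else
      value
    end
  end
end

# Constructed sample, shaped like the Parameters line from the log excerpt
# in the first answer, plus a constructed api_token key.
SAMPLE_PARAMS = {
  "utf8" => "✓",
  "authenticity_token" => "mxQJeccoEATtyCFy1eV",
  "user" => {
    "first_name" => "Juggy Head",
    "password" => "secret",
    "password_confirmation" => "secret",
    "api_token" => "WYXe3Z24JmUq",
  },
  "commit" => "Create user",
}.freeze

# Equivalent of: config.filter_parameters += [:password, :token]
LOG_FILTER = ParamFilter.new([:password, :token])

def filtered_sample
  LOG_FILTER.filter(SAMPLE_PARAMS)
end

if __FILE__ == $0
  puts filtered_sample.inspect
end
```

Two things worth noticing when you run it: password_confirmation is masked because "password" is a substring of its key, which is why the default Rails initializer only needs :password, and adding :token also masks authenticity_token, because partial matching does not distinguish your token from the CSRF token. If that is not what you want, pass an anchored regexp such as /\Atoken\z/ instead of the symbol.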
On multiple parts of my site I'm receiving WARNING: Can't verify CSRF token authenticity in my log file, which is resetting my sessions. However, I have the authenticity tokens:
Started POST "/check_out/shopping_cart_with_authenticated_user" for 10.189.254.5 at 2013-09-12 11:19:02 -0400
Processing by CheckOutController#shopping_cart_with_authenticated_user as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"rGcLQAR/s7zRNf2WEqkuD7ar8IXs0alt7szJKSfgLio="}
SESSION VARIABLES ARE: {}
WARNING: Can't verify CSRF token authenticity
and here:
Processing by SessionsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"N1F53oN1fTv2Ysg/27biH14dDyTtkm2RinAUqSHwGAs=", "user"=>{"email"=>"liz@nsdfsdfsdfsry.com", "password"=>"[FILTERED]"}, "commit"=>"Sign in"}
SESSION VARIABLES ARE: {"current_cart_id"=>55175183, "_csrf_token"=>"HzPm7DHLslbV76wJ3ahCqPkOO4bv5k5CkjKBe3C9WHE=", "flash"=>#<ActionDispatch::Flash::FlashHash:0x00000005f1e028 @used=#<Set: {}>, @closed=false, @flashes={}, @now=#<ActionDispatch::Flash::FlashNow:0x00000005e81570 @flash=#<ActionDispatch::Flash::FlashHash:0x00000005f1e028 ...>>>, "warden.user.user.key"=>["User", [358060], "$2a$12$VcSeYjhwx6JkgERnlN0clu"], "logged_in_by_password"=>true, "user_id"=>358060}
WARNING: Can't verify CSRF token authenticity
What's the deal? I'm using Rails generated forms. Here's an example of a Devise form I'm using:
<%= form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %>
<%= token_tag form_authenticity_token %>
<div class="formField"><label for="email">Email <span>example: jane@example.com</span></label>
<%= f.email_field :email, :autofocus => true, :id => "email", :class => "textfield col" %></div>
<div class="formField"><label for="password">Password <span>is cAsE sEnSiTiVe</span></label>
<%= f.password_field :password, :class => "textfield col" %></div>
<div><%= f.submit "Sign in", :disable_with => "Signing in…".html_safe,:id => 'log_in', :class => 'button-red-shiny full-width ' %></div>
<% end %>
== UPDATE ==
So eventually I closed the browser and reopened it and it worked again... But it bothers me that this has happened on multiple occasions. Anyone know how I could prevent it from occurring again?
Your CSRF token isn't being matched between the client and the server; that is what causes this error.
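The first log excerpt in the question shows SESSION VARIABLES ARE: {} on the failing request, while the form did send an authenticity_token. The following is an added example, written for this page and not taken from Rails or from the poster's application, of a simplified version of the check Rails performs on non-GET requests: the token stored in the session must equal the one submitted with the form, compared in constant time. Real Rails additionally masks the token per request; that step is left out here. The scenario functions and their session contents are constructed, and the first one reuses the token value from the question's log.

```ruby
# Added example: simplified CSRF token verification, not Rails' own code.
require "securerandom"

CSRF_KEY = "_csrf_token".freeze

# Issue a token and keep it in the session (what form_authenticity_token does,
# minus the per-request masking real Rails applies).
def csrf_token_for(session)
  session[CSRF_KEY] ||= SecureRandom.base64(32)
end

# Constant-time comparison so response timing does not reveal how many
# leading bytes of a guessed token were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The server-side check: a request is verified only when the session holds a
# token and it equals the submitted one. An empty session can never pass.
def verified_request?(session, params)
  expected = session[CSRF_KEY]
  submitted = params["authenticity_token"]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected.to_s, submitted.to_s)
end

# Constructed scenario 1: mirrors the first log excerpt, where the session
# was empty ("SESSION VARIABLES ARE: {}") but the form still sent a token.
def scenario_empty_session
  session = {}
  params = { "authenticity_token" => "rGcLQAR/s7zRNf2WEqkuD7ar8IXs0alt7szJKSfgLio=" }
  verified_request?(session, params)
end

# Constructed scenario 2: the form was rendered with the session's token and
# submitted back unchanged; this is the normal, passing case.
def scenario_matching_token
  session = {}
  token = csrf_token_for(session)
  params = { "authenticity_token" => token }
  verified_request?(session, params)
end

# Constructed scenario 3: the session was reset after the page was rendered
# (for example a session cookie that expired or was replaced), so the form
# carries a token the current session never issued.
def scenario_stale_token
  session = {}
  csrf_token_for(session)
  params = { "authenticity_token" => SecureRandom.base64(32) }
  verified_request?(session, params)
end

if __FILE__ == $0
  puts "empty session:  #{scenario_empty_session}"
  puts "matching token: #{scenario_matching_token}"
  puts "stale token:    #{scenario_stale_token}"
end
```

The point for troubleshooting is that the warning is emitted whenever the session side of the comparison is missing or differs, regardless of the form being generated by Rails. So the thing to investigate is what happened to the session cookie between rendering the form and submitting it, which is consistent with the update above, where a browser restart cleared the problem.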
I can see the id inside the parameters in the log, but I can't access it in the controller. Can anybody please show me how else I could do it? Apparently
@city=City.find(params[:cities][:city_id]) is not doing the job. Thank you.
<%= form_for :city, :url=>{:action =>"next"} do |f| %>
<%= f.collection_select(:city_id, City.all, :id, :name ,:prompt=>"Select your city") %>
<%=f.submit "continue" %>
<%end%>
Home controller
def next
@city=City.find(params[:city_id])
session[:city_id] = @city.id
redirect_to :controller=>"parks",:action =>"show"
end
In the log
Started POST "/home/next" for 127.0.0.1 at 2011-10-21 12:16:37 -0700
Processing by ParkController#show as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"7VVJ9GHcU4miYLCkSt91S674GGTScor86Tcsz7O25ik=", "city_id"=>"2", "commit"=>"continue"}
Rendered park/show.html.erb within layouts/header (2.5ms)
Completed 500 Internal Server Error in 7ms
Awww damn, I'm an idiot, I didn't see it in the beginning. You wrote
@city=City.find(params[:cities])
But it should be
@city=City.find(params[:city_id])
You wrote
<%= collection_select(nil,:city_id, City.all, :id, :name ,:prompt=>"Select your city") %>
But you should write
<%= f.collection_select(:city_id, City.all, :id, :name ,:prompt=>"Select your city") %>
Like you did for the submit button! Actually, you can also add this line to the form's target:
<%= params.inspect %>
to see which values are transferred in which hash.
Umm, maybe I am wrong (not an experienced Rails dev), but don't you just have to write
params[:city_id]
?