I'm currently trying to implement polymorphic comments within my app, but I'm running into problems with converting my partial form.
I was following this tutorial, step-by-step-guide-to-polymorphic-associations-in-rails, but it didn't go over this section.
Mainly, I have an Image that is commentable, and a partial at the bottom to allow users to comment on the Image.
However, when submitting the form, it can't find the #commentable object as params[:id] and params[:image_id] are both nil.
I'm having problems understanding how I'm supposed to pass this information, as the partial knows this information, but the controller does not.
// images/show.html.erb
<div class="container comment-form" >
<%= render 'comments/form', comment: #image.comments.build %>
</div>
// comments/_form.html.erb
<%= bootstrap_form_for(comment) do |f| %>
<%= f.text_area :message, :hide_label => true, :placeholder => 'Add a comment' %>
<%= f.submit 'Reply', :class=> 'btn btn-default pull-right' %>
<% end %>
// comments_controller.rb
def create
#commentable = find_commentable
#comment = #commentable.comments.build(comment_params) <<<<<
respond_to do |format|
if #comment.save
format.html { redirect_to (comment_path #comment), notice: 'Comment was successfully created.' }
format.json { render :show, status: :created, location: #comment }
else
format.html { render :new }
format.json { render json: #comment.errors, status: :unprocessable_entity }
end
end
end
Error on #comment = #commentable.comments.build(comment_params)
undefined methodcomments' for nil:NilClass`
I also noticed that there is no id in the request parameters.
Parameters:
{"utf8"=>"✓", "authenticity_token"=>"xxxxxx", "comment"=>{"message"=>"nice photo"}, "commit"=>"Reply"}
Thanks for your help.
When you pass a record to a form builder rails uses the polymorphic route helpers* to lookup the url for the action attribute.
To route to a nested resource you need to pass the parent and child(ren) in an array:
bootstrap_form_for([#commentable, #comment])
# or
bootstrap_form_for([#comment.commentable, #comment])
This would give the path /images/:image_id/comments for a new record and /images/:image_id/comments/:id if it has been persisted.
You are attempting to build your comment twice. Once in the show.html, with comment: #image.comments.build and then again in your create method with #comment = #commentable.comments.build(comment_params) <<<<<
The tutorial you linked to included the private method below. If your goal is to create a comment that belongs to your Image object, the method below would look for a param with your image_id, and would return Image.find(params[:image_id])
def find_commentable
params.each do |name, value|
if name =~ /(.+)_id$/
return $1.classify.constantize.find(value)
end
end
nil
end
You could change your show.html to pass in your image_id as a hidden param with:
<div class="container comment-form" >
<%= render 'comments/form', image_id: #image.id %>
</div>
Related
I am trying to create a nested resource so that products can have notes associated with them. I have set up the associations within the model etc, but when I try to use the form to create a new note, I get the following error:
NoMethodError in Notes#create
Showing /Users/myusername/myapp/app/views/notes/_form.html.erb where line #2 raised:
undefined method `notes_path' for #<#<Class:0x00007fb3630b1ad0>:0x00007fb361eab868>
This is the line it is referring to:
<%= simple_form_for [#product, #note] do |f| %>
This are the new & create actions in the notes controller:
def new
#product = Product.find(params[:product_id])
#note = #product.notes.build
end
def create
#note = Note.new(product: #product)
respond_to do |format|
if #note.save
format.html { redirect_to product_notes, notice: 'Note was successfully created.' }
else
flash.now[:error] = "It doesnt work"
render 'new'
end
end
end
and the form partial:
<%= simple_form_for [#product, #note] do |f| %>
<%= f.error_notification %>
<%= f.error_notification message: f.object.errors[:base].to_sentence if f.object.errors[:base].present? %>
<div class="form-inputs">
<%= f.input :content %>
<%= f.input :author %>
<%= f.check_box :visible %>
</div>
<div class="form-actions">
<%= f.button :submit %>
</div>
<% end %>
I am going round in circles with making changes, and cannot seem to find any documentation on nested resources that isn't deprecated. Can anybody assist, please?
Edited to add:
I changed my controller action to something based on PGill's answer and can now get the page to load without an action controller error. However, it now re-renders the new note form, with errors saying that the form fields cannot be blank. They were not blank when I submitted them - what's happening to cause this?
Updated controller action:
def create
#product = Product.find(params[:product_id])
#note = #product.notes.new
respond_to do |format|
if #note.save
format.html { redirect_to product_notes_path(#product), notice: 'Note was successfully created.' }
else
format.html { render :new, notice: 'Note failed to be created.' }
end
end
end
When I was previously getting errors, it had this as the request parameters, so they are getting passed?
Parameters:
{"utf8"=>"✓",
"authenticity_token"=>"lotsofletters",
"note"=>{"content"=>"test", "author"=>"test", "visible"=>"0"},
"commit"=>"Create Note",
"product_id"=>"1"}
Referring to your edit; of course you should get empty fields errors because you are creating a new object #note without providing any attributes for it:
#note = #product.notes.new
it should be like
#note = #product.notes.build(params[:note])
also take care to provide a sanitizer for note in notes controller :
private
def note_params
params.require(:note).permit(:content, :author, :visible, :product_id)
end
so your code in create will look like:
def create
#product = Product.find(params[:product_id])
#note = #product.notes.build(note_params)
respond_to do |format|
if #note.save
format.html { redirect_to product_notes_path(#product), notice: 'Note was successfully created.' }
else
flash.now[:error] = "It doesnt work"
render 'new'
end
end
end
private
def note_params
params.require(:note).permit(:content, :author, :visible, :product_id)
end
#product is nil in create
Your form is failing validations and rendering new
update the create action to
def create
#product = Product.find(params[:product_id])
#note = #product.notes.new
respond_to do |format|
if #note.save
format.html { redirect_to product_notes_path(#product), notice: 'Note was successfully created.' }
else
flash.now[:error] = "It doesnt work"
render 'new'
end
end
end
redirect_to should be product_notes_path(#product) notes#index
I m using hidden field in my app to add user_id to my database "Camping". I have associations "User" has many campings and "Camping" belongs_to "user".
When I run firebug or something like this, I can modify user_id value of this field. If any user puts his ID, I can modify object to other user... I want to avoid this !
My code
<%= f.hidden_field :user_id, :value => current_user.id %>
This code, is necessary because I allow only user to edit / updated / create object if they have user_id == current_user.id.
How to fix this security problem ?
By the way, I m using devise.
Edit with full code
My _form.html.erb
<%= form_for(camping) do |f| %>
<% if camping.errors.any? %>
<div id="error_explanation">
<h2><%= pluralize(camping.errors.count, "error") %> prohibited this camping from being saved:</h2>
<ul>
<% camping.errors.full_messages.each do |message| %>
<li><%= message %></li>
<% end %>
</ul>
</div>
<% end %>
<%= f.hidden_field :user_id, :value => current_user.id %>
<div class="form-group">
<label for="name">Nom du camping</label>
<%= f.text_field :name, autofocus: true, class:"form-control", id:"name", :required => true%>
</div>
<div class="actions">
<%= f.submit "Enregistrer", class:"btn btn-success" %>
</div>
<% end %>
my controller
def new
#camping = Camping.new
#campings = Camping.all
end
def edit
end
def create
#camping = Camping.new(camping_params)
respond_to do |format|
if #camping.save
format.html { redirect_to #camping, notice: 'Camping was successfully created.' }
format.json { render :show, status: :created, location: #camping }
else
format.html { render :new }
format.json { render json: #camping.errors, status: :unprocessable_entity }
end
end
end
def update
#camping = Camping.find(params[:id])
respond_to do |format|
if #camping.update(camping_params)
format.html { redirect_to #camping, notice: 'Camping was successfully updated.' }
format.json { render :show, status: :ok, location: #camping }
else
format.html { render :edit }
format.json { render json: #camping.errors, status: :unprocessable_entity }
end
end
end
my edit.html.erb
<div class="containershow">
<h1>Editing Camping</h1>
<%= render 'form', camping: #camping %>
<%= link_to 'Show', #camping %> |
<%= link_to 'Back', campings_path %>
</div>
my new.html.erb
<h1>New Camping</h1>
<%= render 'form', camping: #camping %>
<%= link_to 'Back', campings_path %>
Edit solution ?
User can create and update his camping. I delete hidden_field
def create
# #camping = Camping.new(camping_params)
#camping = Camping.new((camping_params).merge(:user_id => current_user.id))
respond_to do |format|
if #camping.save
format.html { redirect_to #camping, notice: 'Camping was successfully created.' }
format.json { render :show, status: :created, location: #camping }
else
format.html { render :new }
format.json { render json: #camping.errors, status: :unprocessable_entity }
end
end
end
In Devise, the current user object is in current_user, available to your controllers. When saving the model, make sure to fill the user id field from that object, and not user input in the update action of your controller. Note that the edit action does not matter, that just renders the edit page, the actual update happens in update (if you follow the default conventions). Of course if you don't want users to even see other users' objects, you also need access control in other controller actions like edit as well, but that (implementing access control in a multi-tenant Rails application) is a different and much broader question.
More generally, be aware that anything that comes from a request can very easily be forged by a user. Always implement security server-side and do not trust user input!
Edit (seeing your code)
To prevent users updating others' Campings, you need to check in update after getting the #camping object (the second line) whether that's a camping object that your logged on user (current_user.id) is supposed to be able to edit.
The same way, if you want to prevent users from creating Campings for other users, you need to make sure in create that user_id will be set to the current user, something like #camping.user_id=current_user.id.
Similarly, if you want to prevent having a look at each other's Campings, you need to add checks to edit, show and pretty much all actions that return such objects.
There are gems like cancan and cancancan that may help with access control in Rails, they are worth a look!
Your Question is quite interesting but simple In the any HTML View Any one can change anything this will cause a security wise vulnerability as well.
To avoid these issues we need to authenticate it by two way You have to check the code by like It should be use by Controller not by view.
Suppose If you are creating any article of particular user
So To avoid it what you can do You can set the User ID in Session and make a Helper Method to find Current User always
So that you can find current user directly from controller and create article according to user
def Create
#article = current_user.articles.create(article_params)
end
This kind of Two way checking you can put up so that It will be safe.
To avoid the spend time on these work you can use gem directly like Devise
In my views, I have comments/_form.html.erb, and there is another controller views for post posts/show.html. I want to render comments/_form.html.erb in posts/show.html, which shows an individual post and comments associated with that post, and it is all set and working fine.
I want to provide ability to comment and render that partial below these comments so that we can make new comment on the same posts/show.html page instead of navigating to comments/new.html.erb page. I am using nested resources like:
resources :posts do
resources :comments
end
In my comments/new.html.erb, I am doing this:
<%= form_for([:post, #comment]) do |f| %>
....
<% end %>
How should I render it in my posts/show.html.erb page?
Javascript is the missing piece in your puzzle. Essentially you'll do 3 things.
Make sure your form is using js to submit (remote)
Make sure your controller responds to js input
Create a js.erb file that will append each new comment
Implementation notes:
I would probably do something like this:
Add the form to the view, and add an element that wraps around the comments, in this case, I used ul#comments
# app/views/posts/show.html.erb
<p>
<strong>Title:</strong>
<%= #post.title %>
</p>
<p>
<strong>Body:</strong>
<%= #post.body %>
</p>
<br/>
<ul id="comments">
<%= render #comments %>
</ul>
<%= form_for [#post, #new_comment], remote: true do |f| %>
<%= f.text_field :body %>
<%= f.submit %>
<%end%>
Add the js response in the controller
# app/controllers/comments_controller.rb
def create
#post = Post.find params[:post_id]
#comment = #post.comments.new(comment_params)
#new_comment = #post.comments.new(comment_params)
respond_to do |format|
if #comment.save
format.html { redirect_to [#post, #comment], notice: 'Comment was successfully created.' }
format.json { render :show, status: :created, location: #comment }
format.js
else
format.html { render :new }
format.json { render json: #comment.errors, status: :unprocessable_entity }
end
end
end
Then add a ujs file to make your changes on the fly (this does 2 things, adds a new comment and empties the form).
# app/views/comments/create.js.erb
$('#comments').append("<%= escape_javascript(render partial: '/comments/comment', locals: { comment: #comment } ) %>");
$('form.new_comment').find("input#comment_body").val('');
Also to note::
I'm using #new_comment so there is no interference when you render a newly created comment
You'll need to add #new_comment in 2 places, first in your posts show action and also in your comments create action
I want to add some extra parameters (categories) when filling my standard form for Event model. They are not in my events table (I have table categories_events and hmbtm in both Events and Category models). Here is my code for _form :
<% #categories.each do |category| %>
<div class="field">
<%= check_box_tag(:category, category.id) %>
<%= label_tag( :category, "#{category.name}" ) %>
</div>
<div class="actions">
<%= f.submit %>
<% end %>
I'm passing categories in new action - it's simple Category.all
Here is my code in events controller
def new
#event = Event.new
#categories = Category.all
end
def create
#event = Event.new(event_params)
#category_id = Category.find(params[:category])
respond_to do |format|
if #event.save
format.html { redirect_to #event, notice: 'Event was successfully created.' }
format.json { render action: 'show', status: :created, location: #event }
else
format.html { render action: 'new' }
format.json { render json: #event.errors, status: :unprocessable_entity }
end
end
end
Later I want to put category_id and event_id into categories_events but I have NoMethodError
undefined method `category_id' for #<Event:0x374c268>
and #event.safe is the problem
Parameters look like this
{"utf8"=>"✓",
"authenticity_token"=>"stL+sdIhxttrk3KjkLJsuCXubjaDpNBbrLYtpjv8clw=",
"event"=>{"name"=>"asdsa",
"place"=>"asdas",
"description"=>"dsadsa"},
"commit"=>"Create Event",
"category"=>"2"}
I think that the problem is in too many parameters in new(event_params) but looking at brackets in parameters tells me that it shouldn't be a problem to make it acceptable for rails.
Error stacktrace:
http://pastebin.com/kQK1fni6
Updated event_params
def event_params
params.require(:event).permit(:name, :place, :description, :category_ids)
end
Adjust your check_box_tag to the following:
<%= check_box_tag("event[category_ids][]", category.id, #event.categories.include?(category)) %>
<%= label_tag("event[category_ids][]", category.name) %>
One more thing, you'll have to add category_ids to your whitelisted attributes.
To resolve Couldn't find Category without an ID
Replace
#category_id = Category.find(params[:category_ids])
with
#category_id = Category.find(params[:event][:category_ids])
If you check the params hash you'll see that due to the update in checkbox code(as suggested by H-man), category_ids would be part of params[:event] keys value.
I'm using rails 4.0.1
<%= form_for #event, :html => { :multipart => true} do |f| %>
<div class="field">
<%= f.label :title %><br>
<%= f.text_field :title %>
</div>
<div class="field">
<%= f.label :content %><br>
<%= f.text_area :content %>
</div>
<div class="field">
<%= f.label :place_id %><br>
<%= f.collection_select(:place_id, #places, :id, :title) %>
</div>
<div class="actions">
<%= f.submit %>
</div>
<% end %>
And I want to check for current_user.id and Place.user_id (it stores creator id). In Events cotroller i'm trying to use:
def create
#places = Place.all
#event = Event.new(event_params)
#event.user_id = current_user.id
#curplace = Place.find_by(id: params[:place_id])
#event.content = #curplace.id
respond_to do |format|
if #event.save
format.html { redirect_to #event, notice: 'Event was successfully created.' }
format.json { render action: 'show', status: :created, location: #event }
else
format.html { render action: 'new' }
format.json { render json: #event.errors, status: :unprocessable_entity }
end
end
end
But i got an error. I think i'm not getting this Place_id param right or anything else?
Further to the comment from Ankush Kataria, the form_for helper basically creates a form which combines all the params into a hash, as opposed to form_tag, which just makes the params independently
As you've discovered, this means your params will be accessed by:
#form_for
params[:variable][:param]
#form_tag
params[:param]
form_for
The reason why this is important is because if you're using the RESTful routes interface, you'll be able to create / edit / update a variety of records
form_for basically keeps consistency throughout this process, pre-populating your forms with the various values, and keeping your code DRY
To call a form_for helper, you have to define the #varaible the form will populate. This #variable needs to be an ActiveRecord object, and is why you have to build it in the new action before your form shows
form_tag
form_tag is much more independent of the form_for helper, doesn't require any #variable, and creates the params individually
You'd use a form_tag for the likes of a contact us form or similar
Your Code
Your form looks good, but your create action can be dried up:
def create
#places = Place.all
#event = Event.new(event_params)
respond_to do |format|
if #event.save
format.html { redirect_to #event, notice: 'Event was successfully created.' }
format.json { render action: 'show', status: :created, location: #event }
else
format.html { render action: 'new' }
format.json { render json: #event.errors, status: :unprocessable_entity }
end
end
end
private
def event_params
params.require(:event).permit(:title, :content).merge(user_id: current_user.id, place_id: params[:event][:place_id])
end
You are right that params[:place_id] isn't returning the value you expect. It only returns nil. To get the :place_id that's submitted by the form, you have to do this:
#curplace = Place.find(params[:event][:place_id])
Just replace the old line with the code above. It's because your form submits the data in the fields inside an :event key in the params hash since you're using the form_for helper method provided by Rails. That is its default behavior unless you change the 'name' attribute's value in the input fields.
Hope that helps!