Devise strong parameters not working? - ruby-on-rails

I have being following all the instructions from Devise github's but on sign up it is giving warning
WARNING: Can't mass-assign protected attributes for User: email, password, password_confirmation
here are my code snippets
RegistrationController
class RegistrationController < Devise::RegistrationsController
private
def account_update_params
params.require(:user).permit( :email, :password, :password_confirmation, :current_password)
end
def sign_up_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
end

Related

Devise not handling sanitized parameters

The following console information
Started POST "/users" for
Processing by RegistrationsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"==", "user"=>{[...], "email_contact"=>"5#mail.ne", "cap"=>"", "client_retail"=>"true"}, "commit"=>"Register"}
Unpermitted parameters: :email_contact, :client_retail
is baffling, as the two unpermitted parameters (they were created subsequently to the original version, but the db was dropped, recreated and migrated) are stubbornly being ignored (while the user is getting created.
UsersController does include these attributes
def user_params
params.require(:user).permit(:email, :password, :password_confirmation, :remember_me, [...] :internal, :client_retail, :email_contact)
end
as does RegistrationsController:
private
def sign_up_params
params.require(:user).permit(:email, :password, :password_confirmation, :remember_me, [...] :internal, :client_retail, :email_contact)
end
def account_update_params
params.require(:user).permit(:email, :password, :password_confirmation, :remember_me, [...] :internal, :client_retail, :email_contact)
end
In addition, the ApplicationController invokes the sanitizer
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:email, :password, :password_confirmation, :nome, :cognome, :email_contact, :client_retail])
devise_parameter_sanitizer.permit(:sign_in, keys: [:login, :password, :password_confirmation])
devise_parameter_sanitizer.permit(:account_update, keys: [:email, :password, :password_confirmation, :current_password])
end
Oddly, those two attributes will get processed under the update action, although not listed in the sanitizer.
How can these parameters be allowed?
Rename your controller to Users::RegistrationsController < Devise::RegistrationsController or RegistrationsController < Devise::RegistrationsController depending on where your custom RegistrationsController is located.

Devise Issue - Allow users to edit without password

I'm using a user scope controller generated by devise to pass additional attributes.
class Users::RegistrationsController < Devise::RegistrationsController
before_action :sign_up_params, only: [:create]
before_action :account_update_params, only: [:update
protected
def sign_up_params
devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name, :last_name, :cpf])
end
def account_update_params
devise_parameter_sanitizer.permit(:account_update, keys: [:first_name, :last_name, :cpf, :birth_date, :phone, :gender])
end
def update_resource(resource, params)
resource.update_without_password(params)
end
end
The routes
devise_for :users, controllers: {registrations: 'users/registrations}
Everything was working until include the update_resource(resource, params) method to the controller and remove the current_password field at the view, as suggested https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-account-without-providing-a-password
After this change I can edit every additional fields (first_name, last_name...etc) except the password. The password change doesn't persists. Any idea?
Rails version: 5.0.0.1
Devise version: 4.2.0
In the account_update_params method you need to add your password and password_confirmation.
def account_update_params
devise_parameter_sanitizer.permit(:account_update, keys: [:first_name, :last_name, :cpf, :birth_date, :phone, :gender, :password, :password_confirmation])
end

Add extra params to user from devise in ruby on rails [duplicate]

This question already has answers here:
Add Custom Field/Column to Devise with Rails 4
(4 answers)
Closed 6 years ago.
I want to add a property name in the user model. I ran the migration command to add the column to the database and that worked. Adding the property to user itself worked as well but it isn't saved in the db.
How can I add the property "name" to the required params of the sign_up and account_update of RegistrationController?
This is my user model
class User < ActiveRecord::Base
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
attr_accessor :name
end
I tried adding the required params to the methodes like this in the RegistrationController
class Users::RegistrationsController < Devise::RegistrationsController
def sign_up_params
params.require(:user).permit(:name,:email, :password, :password_confirmation)
end
def account_update_params
params.require(:user).permit(:name, :email, :password, :password_confirmation, :current_password)
end
end
In the routings i added the line
devise_for :users, controllers: { registrations: 'users/registrations' }
But the name of the user still isn't saved in the database.
Add this to your ApplicationController to configure signup signin & account_update params.
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name,:email, :password, :password_confirmation) }
devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:login, :username, :email, :password, :remember_me) }
devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:name, :username, :anonymous, :email, :password, :password_confirmation,:reset_password_token) }
end
And also add before_filter to ApplicationController like :
before_filter :configure_permitted_parameters, if: :devise_controller?
Please check Devise Parameter Sanitization
You can try this:
class Users::RegistrationsController < Devise::RegistrationsController
def sign_up_params
devise_parameter_sanitizer.for(:sign_up).push(:name)
end
def account_update_params
devise_parameter_sanitizer.for(:account_update).push(:name, :email, :password, :password_confirmation, :current_password)
end
end

Devise not saving parameters that are already sanitized in App Controller Rails 4

My registrations are working properly, I have 3 custom fields: name, avatar, avatar_cache.
Only the :name custom field is giving me a:
Unpermitted parameters: name in console.
I already sanitized strong parameters in Application Controller and the avatar / avatar_cache are saving correctly. Am I missing something?
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name, :avatar, :avatar_cache, :email, :password, :password_confirmation) }
end
def configure_permitted_parameters
devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:name, :avatar, :avatar_cache, :email, :password, :current_password, :password_confirmation) }
end
Currently, you have redefined the method configure_permitted_parameters, which is why Ruby is picking the latest method definition i.e., the one which whitelists attributes for account_update. So, when you try to sign_up with custom attribute name, you would receive
Unpermitted parameters: name warning
as because of the overwriting the method configure_permitted_parameters, devise has no idea about the custom attributes that should have been whitelisted for sign_up
Your configure_permitted_parameters method should look like:
class ApplicationController < ActionController::Base
before_filter :configure_permitted_parameters, if: :devise_controller?
## ...
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name, :avatar, :avatar_cache, :email, :password, :password_confirmation) }
devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:name, :avatar, :avatar_cache, :email, :password, :current_password, :password_confirmation) }
end
end

Saving custom fields in devise User model in rails 4

I made a devise User model and added additional fields to it. When I create and account everything works fine, only with email, pw and pw conf.
I then want to allow the user to go to edit page and fill in the optional additional fields.
But, when they submit, everything is saved as nil.
class RegistrationsController < Devise::RegistrationsController
before_action :configure_permitted_parameters, if: :devise_controller?
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_in){ |u| u.permit(:email, :password) }
devise_parameter_sanitizer.for(:sign_up){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation)}
devise_parameter_sanitizer.for(:account_update){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation) }
end
def update
self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
if resource.update_with_password(user_params)
if is_navigational_format?
flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ? :update_needs_confirmation : :updated
set_flash_message :notice, flash_key
end
sign_in resource_name, resource, :bypass => true
respond_with resource, :location => after_update_path_for(resource)
else
clean_up_passwords resource
respond_with resource
end
end
def user_params
params.require(:user).permit(:email, :password, :current_password, :password_confirmation, :name, :username, :about)
end
end
I get this output in the console,
ActiveRecord::SchemaMigration Load (0.1ms) SELECT "schema_migrations".* FROM "schema_migrations"
Processing by Devise::RegistrationsController#update as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"EG8FtCTBohuG2uwUvIqmY7KTsmYY1nMAXqTfc0Li+eQ=",
"user"=>{"email"=>"a#a.com", "name"=>"Aaron", "username"=>"", "about"=>"",
"password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "current_password"=>"[FILTERED]"}, "commit"=>"Update"}
User Load (2.2ms) SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1 [["id", 1]]
Unpermitted parameters: name, username, about
But nothing is saved in the database when I check in the console (with User.last). I am stuck, and have looked and have no idea what is wrong...
In Rails4 we have strong parameters so please
Add following line to your application_controller.rb
before_filter :configure_devise_params, if: :devise_controller?
def configure_devise_params
devise_parameter_sanitizer.for(:sign_up) do |u|
u.permit(:first_name, :last_name, :gender, :email, :password, :password_confirmation)
end
end
After working on something similar to this, I settled on using Application Controller, then afterward found that the Devise Documentation is fairly straightforward for this in their strong parameters section and gives an alternative to using Application Controller. https://github.com/plataformatec/devise#strong-parameters
Below is the approach with Application Controller which worked for me.
class ApplicationController < ActionController::Base
before_filter :configure_permitted_parameters, if: :devise_controller?
private
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation)}
devise_parameter_sanitizer.for(:account_update){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation) }
end
end
This should work the same and it directly overwrites methods in Devise::RegistrationController.
class Users::RegistrationsController < Devise::RegistrationsController
private
def configure_sign_up_params
devise_parameter_sanitizer.for(:sign_up){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation)}
end
def configure_account_update_params
devise_parameter_sanitizer.for(:account_update){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation) }
end
end
First produce new field.
for reference
http://guides.rubyonrails.org/migrations.html
Do you have add your new fields in user controller parameter?
def user_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
def sign_up_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
In the application controller
before_filter :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:email, :password, :password_confirmation)}
devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:email, :password, :password_confirmation)}
end
In your registration form that override devise add this
class Users::RegistrationsController < Devise::RegistrationsController
skip_before_filter :verify_authenticity_token, :only => [:ipn_notification]
def sign_up_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
After that add your new fields in all views _form,show,edit,index.
In Rails 4.2, this is how I did.
I have User Model on which devise is applied.
Use this command "rails generate devise:controllers users" to generate custom controllers.
I have added "username" name attribute to my User Model
In my controller
class Users::RegistrationsController < Devise::RegistrationsController
before_filter :configure_sign_up_params, only: [:create]
before_filter :configure_account_update_params, only: [:update]
#rest of code as generated
protected
# If you have extra params to permit, append them to the sanitizer.
def configure_sign_up_params
devise_parameter_sanitizer.for(:sign_up) << :username
end
# If you have extra params to permit, append them to the sanitizer.
def configure_account_update_params
devise_parameter_sanitizer.for(:account_update) << :username
end
In Routes
devise_for :users, controllers: {registrations: "users/registrations"}

Resources