I am using Devise to manage users/registration. I am having a two=-fold issue:
If a mistake is made when filling the user registration form, for example one of the required fields is missing, when the form is re-displayed, the email field is missing (the other fields information is retained).
I have an additional field in the form that's not in the users table. This field is called code. When there's an error (described in #1 above), and the form is re-displayed, information for the code field is not retained either. If I look at the parameters in the log file, this field is a separate parameter (not part of the user parameter).
Suggestions?
To get the info to re-display in the form just add params[:field] to that field. An example would be <%= text_field_tag :email, params[:email] %>.
You may have already figured this about by now but thought I would answer it anyways. If you want help on the other part just post your code :)
Related
We are using ActiveAdmin currently as our main CMS.
For the User model, I want to add a 'Change Password' button which takes you to a form with two fields: 'password' and 'password confirmation'. The form should submit and update only those two fields for the given user. I want to do this all the while keeping the standard form for editing all other attributes.
Is this even possible with ActiveAdmin's DSL, or do I have to get a bit hacky? Their documentation hasn't been very helpful.
Did you check out ActiveAdmin: how to leave user password unchanged? - that should cover the standard form. The change password action can then be implemented with a member action.
How can we add custom form fields in rails 4.
For ex:
User (model)
username
email
hashed_password
Now in the form field for password I would like to have fields like password and password confirm.
But due to the introduction of strong parameters in rails 4, I cannot simply send those fields .
It throws error.
It used to be a piece of cake in prior versions of rails i.e in the model we would add our custom form fields to attr_accessor and we could play with them.
NOTE: I tried this thing few weeks ago and it did'nt work, and I don't remember the exact error but was something like 'no method password on user'.
I know it is very stupid of me to not provide you with the exact error messages.
My apologies, can't help I deleted the application.
I was following this tutorial (it's for rails 3) http://www.sitepoint.com/rails-userpassword-authentication-from-scratch-part-i/
Check out How is attr_accessible used in Rails 4? for using strong parameters in rails 4
Protecting attributes is now done in the Controller.
I'm using attr_accessor in model in Rails 4.
In forms I have
<%= text_field_tag 'param_name' %>
And in controller
#model.param_name = params[:param_name]
It works ok and can solve your problem, I think. BUT! I'm not sure it is secure to use it this way. If someone can explain, why it is not appropriate for security reasons and suggest a better way, I'll appreciate it (as the author, I think).
In Ruby on Rails, it's very easy to update a model from an HTML form. Usually you can just create a form_for with the model, and the fields in there will be updated when the user hits the submit button.
Say though that a malicious user wants to update their 'salary' without going through the proper channels. couldn't they just inject a field by the name of 'salary' when updating their email address (for example) and set their pay to basically be whatever they want? how do i specify which fields can be modified and which can't to prevent this?
Seeing things like
#user.update_attributes(params[:user])
seems scary. They could update anything. I understand the use of attr_accessible, but that's only relevant for mass updates, isn't it?
You can restrict what fields can be mass assigned using:
attr_accessible :name, :address # no :salary
I am a little confused with forms in RoR.
I have a contacts page with a corresponding method in my controller. What I am trying to do is have a form so people can leave a message. I will then be emailing that message to myself.
I have the form and everything created. However, I am a little confused on how I would actually get the data from the form once they hit the submit button. would it just be accessible through my contacts method in my controller using params[:message]?
Also, what if I had multiple forms on one page? Would I just be doing params[:message1], params[:message2], etc., in the contacts method in my controller?
Take a look at this answer for details on what exactly the params hash is. When you reference params[:message], this implies that you are POST'ing to your controller action with, say, "message[subject]=abc123", which Rails helpfully turns into a hash with a key like: params[:message]['subject'].
If you're looking to send an email, check out mail_form, which simplifies creating a non-database-backed model that get's turned into an email.
Lastly, about having multiple forms on a page: each form POST's to its action and includes all of the form elements that are children of that form in the DOM. So, only the children of that message will actually be included in the params[:message] hash. You can use fields_for to have multiple models within a single form.
Specifically, I'm using Devise with Typus. But, I think my misunderstanding resides in my knowledge of Devise.
I'm trying to achieve the functionality of when you want to change an important model via form, you have to provide your current password to confirm you can change it, a la google.
Right now, I can log in and change any of the fields of my User model. Including the password, without having to confirm my password prior. Not good. So, I've added current_password to the form. But that didn't do anything. Then I tried to validate presence on current_password. Then it doesn't seem to accept any value for it.
Google didn't help me. All of the relevant posts were about removing current_password instead of confirming it. Which makes me think I'm misunderstanding the use of current_password.
Anyone care to share some insight? Thanks.
You should add the password field to the form, and then in your controller's action you can validate the password using:
user.valid_password?(params[:user][:password])
Note that probably you should change params[:user][:password] to the the name of the param for your password's field in the form (perhaps just params[:password]).
Hope it helps.
Actually, devise has a builtin method for this:
user.update_with_password(params, *options) you can read the rdoc here.
Update record attributes when :current_password matches, otherwise returns error on :current_password. It also automatically rejects :password and :password_confirmation if they are blank.