Devise ignoring permitted parameters on Rails 4 - ruby-on-rails

I am trying to pass an additional parameter for my devise user model on Rails 4. Since it needs to be permitted I added a filter to my main application controller as below.
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
prepend_before_filter :add_allowed_devise_session_params, if: :devise_controller?
def add_allowed_devise_session_params
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit("avatar") }
end
end
But when submitting for :sign_up I am still getting the error:
Unpermitted parameters: avatar
The parameters look like this:
Processing by RegistrationsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"vp1ir2TJwZXwYGFtDc97bSf/dnXQQl1pksHVxdVTaWc=", "user"=>{"name"=>"stan#merkwelt5.com", "email"=>"stan#merkwelt5.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "avatar"=>#<ActionDispatch::Http::UploadedFile:0x007fa05762a918 #tempfile=#<File:/var/folders/8y/g14_rdxx31gb35dyjhltk4xc0000gn/T/RackMultipart20131219-7366-vf7of8>, #original_filename="instagram_logo.jpg", #content_type="image/jpeg", #headers="Content-Disposition: form-data; name=\"user[avatar]\"; filename=\"instagram_logo.jpg\"\r\nContent-Type: image/jpeg\r\n">}, "commit"=>"Sign up"}
I validated that the filter is actually called on :sign_up and its per the devise documentation:
https://github.com/plataformatec/devise#strong-parameters
What am I missing?

It turns out I overlooked that the devise controllers had to be updated. Didn't look there since the devise documentation points to ApplicationController.
class RegistrationsController < Devise::RegistrationsController
before_filter :update_sanitized_params, if: :devise_controller?
def update_sanitized_params
devise_parameter_sanitizer.for(:sign_up) {|u| u.permit(:avatar,:name, :email, :password, :password_confirmation)}
devise_parameter_sanitizer.for(:account_update) {|u| u.permit(:avatar,:name, :email, :password, :password_confirmation, :current_password)}
end
end

Related

Devise permitted parameters submission vs handling

This is a pattern often referred to
class ApplicationController < ActionController::Base
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:username])
end
end
However, the practical application is missing context. The example of the reaction of a rails app with devise installed:
Unpermitted parameters: :municipal_id, :regionminor_id, :regionmajor_id, :login_name, :kee, :virtual_qr_code.
Context: { controller: Users::RegistrationsController, action: create, request: #<ActionDispatch::Request:0x0000000110c0ca40>,
params: {"authenticity_token"=>"[FILTERED]", "user"=>{
"email"=>"kk#nie.mi", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "name_first"=>"k",
"name_last"=>"k",
"public_persona"=>"",
"nation_id"=>"19",
"idiom_id"=>"14",
"municipal_other"=>"Comabbio",
"sex_id"=>"85",
"date_of_birth"=>"",
"conditions_accepted"=>"0"}, "commit"=>"Sign up", "controller"=>"users/registrations", "action"=>"create"} }
Note that NONE of the parameters that are deemed 'unpermitted' are being submitted by the form. And the role of strong parameters is to avoid injection by outside parties of unwanted parameters.
The above "unpermitted" parameters are object attirbutes, but processed by the application. Is there a way to specify this - in the pure sense of the strong parameter - other than resort to an after_commit action?

rails - devise strong parameters is always unpermitted for registration

I want to permit :full_name parameter for my user model registration in devise, and I always getting Unpermitted parameter: :full_name as response for Users::RegistrationsController#create action
I have tried several ways as I show you next:
1. Application controller (option 1)
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
case params[:action]
when 'create'
devise_parameter_sanitizer.permit(:sign_up, keys: %i[full_name])
when 'update'
...
end
end
end
Result => Unpermitted parameter: :full_name
2. Registration controller (option 2)
class Users::RegistrationsController < Devise::RegistrationsController
before_action :configure_sign_up_params, only: :create
protected
def configure_sign_up_params
params.require(:user).permit(%i[full_name])
end
end
Result => Unpermitted parameter: :full_name
3. Registration controller (option 3)
class Users::RegistrationsController < Devise::RegistrationsController
before_action :configure_sign_up_params, only: :create
protected
def configure_sign_up_params
devise_parameter_sanitizer.permit(:sign_up, keys: %i[full_name ])
end
end
Result => Unpermitted parameter: :full_name
In my gemfile:
gem 'devise', '~> 4.8'
In my routes:
devise_controllers = {
confirmations: 'users/confirmations',
registrations: 'users/registrations',
invitations: 'users/invitations',
}
devise_for :users, controllers: devise_controllers
I have read devise strong params but to be honest I do not know what I am doing wrong.
Also I tried to debug in Users::RegistrationsController#create what is happening with:
def create
super do
binding.pry
end
end
but it skips the debugger breakpoint... do you have any idea what is going on?
Cheers!
Edit:
Following suggestion from JohnP, I only left :full_name in devise keys parametter sanitizer for sign_up
Also I removed a callback that is bypassing my debug breakpoint and now I can stop with pry in create action
Generally, you write strong params for a specific controller, not in your ApplicationController, because the permitted conditions will be different for each model. When using devise_parameter_sanitizer, you only need to include the extra fields you're adding - this isn't setting up your strong params from scratch, just adding keys to the default Devise list.
So, you should find that this is all you need in your Users::RegistrationsController.
def configure_sign_up_params
devise_parameter_sanitizer.permit(:sign_up, keys: [:full_name])
end
(BTW, ensure you refer to the parameter correctly, as params[:user][:full_name].)
(Oh, and if you want to do debugging, I'd suggest installing the byebug gem. You just add an extra line byebug where you want to have a breakpoint.)

Why is devise sanitizer returning an empty hash

I am writing an API-only Rails 5 application and using the devise-jwt (and devise) gem for user authentication. I am trying to configure strong parameters in my custom registrations_controller. In application_controller.rb:
before_action :configure_permitted_parameters, if: :devise_controller?
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name, :last_name, :username, :email])
end
And in registrations_controller.rb:
def create
build_resource(sign_up_params)
resource.save
#json response defined in application_controller.rb
render_resource(resource)
end
This is the console's output when I make a POST request to the API via Postman:
Parameters: {"first_name"=>"john", "last_name"=>"stones", "username"=>"johnstones", "email"=>"john#stones.com"}
And this is the output from printing params to the console:
<ActionController::Parameters {"first_name"=>"john", "last_name"=>"stones", "username"=>"johnstones", "email"=>"john#stones.com", "controller"=>"registrations", "action"=>"create"} permitted: false>
Despite the above when I do devise_parameter_sanitizer.sanitize(:sign_up) I get an empty hash and my aforementioned POST throws the validation errors I set for having blank fields. Please help me figure out what I'm missing, thank you.
(Rails 5.2/Devise 4.2)
Param user is missing in your params hash:
{"user": {"first_name"=>"john", "last_name"=>"stones", "username"=>"johnstones", "email"=>"john#stones.com"} }

Getting "Filter chain halted as :validate_account_update_params rendered or redirected" when trying to update user

I am using ng-token-auth and devise_token_auth for authentication. When I am trying to update user using
$auth.updateAccount
it's showing me
Unpermitted parameters: credentials, registration
Filter chain halted as :validate_account_update_params rendered or redirected
I have included the following in application_controller.rb
before_action :configure_permitted_parameters, if: :devise_controller?
private
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) << :name
devise_parameter_sanitizer.for(:account_update) << :name << :credentials
end
Also, credentials field is serialized as an Array in the User model
class User < ActiveRecord::Base
serialize :credentials, Array
end
I ran into the same issue and finally found a solution. For me, the problem was that the parent filter :validate_account_update_params was being called before the child :configure_permitted_parameters. This is apparently new behavior as of at least Rails 4.2 (and possibly before). Adding this in the child fixed it:
prepend_before_action :configure_permitted_params

Devise 3.0 after bundle update and registration stop working

I made bundle update for my project and devise stop working on it. Right now it says that email cant be blank - but it isnt. Can somebody tell my what is wrong and what change in devise 3.0?
Output in console for devise is:
Processing by Devise::RegistrationsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"L5182qPo2YonLhXfMbCXxXtvEHfM8YZMYr74pnPN8K0=", "user"=>{"name"=>"user_10", "email"=>"user_10#email.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "commit"=>"Sign up"}
Unpermitted parameters: name, email
before_filter :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name, :email, :password, :password_confirmation) }
end
For application_controller and devise working

Resources