I made a devise User model and added additional fields to it. When I create and account everything works fine, only with email, pw and pw conf.
I then want to allow the user to go to edit page and fill in the optional additional fields.
But, when they submit, everything is saved as nil.
class RegistrationsController < Devise::RegistrationsController
before_action :configure_permitted_parameters, if: :devise_controller?
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_in){ |u| u.permit(:email, :password) }
devise_parameter_sanitizer.for(:sign_up){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation)}
devise_parameter_sanitizer.for(:account_update){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation) }
end
def update
self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
if resource.update_with_password(user_params)
if is_navigational_format?
flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ? :update_needs_confirmation : :updated
set_flash_message :notice, flash_key
end
sign_in resource_name, resource, :bypass => true
respond_with resource, :location => after_update_path_for(resource)
else
clean_up_passwords resource
respond_with resource
end
end
def user_params
params.require(:user).permit(:email, :password, :current_password, :password_confirmation, :name, :username, :about)
end
end
I get this output in the console,
ActiveRecord::SchemaMigration Load (0.1ms) SELECT "schema_migrations".* FROM "schema_migrations"
Processing by Devise::RegistrationsController#update as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"EG8FtCTBohuG2uwUvIqmY7KTsmYY1nMAXqTfc0Li+eQ=",
"user"=>{"email"=>"a#a.com", "name"=>"Aaron", "username"=>"", "about"=>"",
"password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "current_password"=>"[FILTERED]"}, "commit"=>"Update"}
User Load (2.2ms) SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1 [["id", 1]]
Unpermitted parameters: name, username, about
But nothing is saved in the database when I check in the console (with User.last). I am stuck, and have looked and have no idea what is wrong...
In Rails4 we have strong parameters so please
Add following line to your application_controller.rb
before_filter :configure_devise_params, if: :devise_controller?
def configure_devise_params
devise_parameter_sanitizer.for(:sign_up) do |u|
u.permit(:first_name, :last_name, :gender, :email, :password, :password_confirmation)
end
end
After working on something similar to this, I settled on using Application Controller, then afterward found that the Devise Documentation is fairly straightforward for this in their strong parameters section and gives an alternative to using Application Controller. https://github.com/plataformatec/devise#strong-parameters
Below is the approach with Application Controller which worked for me.
class ApplicationController < ActionController::Base
before_filter :configure_permitted_parameters, if: :devise_controller?
private
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation)}
devise_parameter_sanitizer.for(:account_update){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation) }
end
end
This should work the same and it directly overwrites methods in Devise::RegistrationController.
class Users::RegistrationsController < Devise::RegistrationsController
private
def configure_sign_up_params
devise_parameter_sanitizer.for(:sign_up){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation)}
end
def configure_account_update_params
devise_parameter_sanitizer.for(:account_update){ |u| u.permit(:name, :username, :about, :email, :password, :password_confirmation) }
end
end
First produce new field.
for reference
http://guides.rubyonrails.org/migrations.html
Do you have add your new fields in user controller parameter?
def user_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
def sign_up_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
In the application controller
before_filter :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:email, :password, :password_confirmation)}
devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:email, :password, :password_confirmation)}
end
In your registration form that override devise add this
class Users::RegistrationsController < Devise::RegistrationsController
skip_before_filter :verify_authenticity_token, :only => [:ipn_notification]
def sign_up_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
After that add your new fields in all views _form,show,edit,index.
In Rails 4.2, this is how I did.
I have User Model on which devise is applied.
Use this command "rails generate devise:controllers users" to generate custom controllers.
I have added "username" name attribute to my User Model
In my controller
class Users::RegistrationsController < Devise::RegistrationsController
before_filter :configure_sign_up_params, only: [:create]
before_filter :configure_account_update_params, only: [:update]
#rest of code as generated
protected
# If you have extra params to permit, append them to the sanitizer.
def configure_sign_up_params
devise_parameter_sanitizer.for(:sign_up) << :username
end
# If you have extra params to permit, append them to the sanitizer.
def configure_account_update_params
devise_parameter_sanitizer.for(:account_update) << :username
end
In Routes
devise_for :users, controllers: {registrations: "users/registrations"}
Related
The following console information
Started POST "/users" for
Processing by RegistrationsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"==", "user"=>{[...], "email_contact"=>"5#mail.ne", "cap"=>"", "client_retail"=>"true"}, "commit"=>"Register"}
Unpermitted parameters: :email_contact, :client_retail
is baffling, as the two unpermitted parameters (they were created subsequently to the original version, but the db was dropped, recreated and migrated) are stubbornly being ignored (while the user is getting created.
UsersController does include these attributes
def user_params
params.require(:user).permit(:email, :password, :password_confirmation, :remember_me, [...] :internal, :client_retail, :email_contact)
end
as does RegistrationsController:
private
def sign_up_params
params.require(:user).permit(:email, :password, :password_confirmation, :remember_me, [...] :internal, :client_retail, :email_contact)
end
def account_update_params
params.require(:user).permit(:email, :password, :password_confirmation, :remember_me, [...] :internal, :client_retail, :email_contact)
end
In addition, the ApplicationController invokes the sanitizer
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:email, :password, :password_confirmation, :nome, :cognome, :email_contact, :client_retail])
devise_parameter_sanitizer.permit(:sign_in, keys: [:login, :password, :password_confirmation])
devise_parameter_sanitizer.permit(:account_update, keys: [:email, :password, :password_confirmation, :current_password])
end
Oddly, those two attributes will get processed under the update action, although not listed in the sanitizer.
How can these parameters be allowed?
Rename your controller to Users::RegistrationsController < Devise::RegistrationsController or RegistrationsController < Devise::RegistrationsController depending on where your custom RegistrationsController is located.
I'm unable to permit additional parameters in invite#accept. I've setup everything and here's a controller.
But in the method accept_resource there're still only 3 old parameters accepted, other didn't come through, although they present on a form.
class MyInvitationsController < Devise::InvitationsController
before_filter :configure_permitted_parameters, if: :devise_controller?
before_filter :update_sanitized_params, only: [:edit, :update]
def edit
puts "edit...."
super
end
private
def accept_resource
puts "accept_resource..."
resource = resource_class.accept_invitation!(update_resource_params)
# but it still permits only :password, :password_confirmation and :invitation_token
resource
end
protected
def configure_permitted_parameters
puts "configure_permitted_parameters..."
devise_parameter_sanitizer.permit(:sign_up, keys: [:aaa, :bbb, :ccc, :password, :password_confirmation,
:invitation_token])
end
def update_sanitized_params
puts "update_sanitized_params..."
devise_parameter_sanitizer.permit(:sign_up, keys: [:aaa, :bbb, :ccc, :password, :password_confirmation,
:invitation_token])
How to fix that?
I use devise 4.2 and devise_invitable 1.6
Try remove
if: :devise_controller?
in your before_filter, because your are not in devise controller.
I am trying to implement invitation on existing users in my app, using Devise Invitable.
At first glance this fails, because Devise Invitable is best used on new users - i.e. non-registered.
But this is what my User::InvitationsController looks like (truncated for brevity):
class Users::InvitationsController < Devise::InvitationsController
include ApplicationHelper
before_filter :configure_permitted_parameters, if: :devise_controller?
before_filter :update_sanitized_params, only: :update
# PUT /resource/invitation
def create
invited_user = User.where(email: params[:user][:email])
if !invited_user.empty?
invitation_token = Devise.token_generator.digest(resource_class, :invitation_token, update_resource_params[:invitation_token])
self.resource = resource_class.where(invitation_token: invitation_token).first
family_tree = self.resource.invited_by.family_tree
family_tree.memberships.create(:user_id => user.id, relation: update_resource_params[:relation])
resource.create_membership_both_ways(params[:user][:invitation_token], params[:user][:relation])
resource.skip_password = true
resource.update_attributes update_resource_params.except(:invitation_token)
redirect_to my_tree_path
else
super
end
end
protected
def update_sanitized_params
devise_parameter_sanitizer.for(:accept_invitation) do |u|
u.permit(:name, :password, :password_confirmation, :invitation_token, :invitation_relation,:avatar, :avatar_cache, :relation)
end
end
def update_resource_params
devise_parameter_sanitizer.sanitize(:accept_invitation) do |u|
u.permit(:email)
end
end
end
When I use pry for debugging, this is what happens when I poke around invitation_token:
[1] pry(#<Users::InvitationsController>)> invitation_token
=> false
[2] pry(#<Users::InvitationsController>)> update_resource_params
Unpermitted parameters: email
=> {"name"=>"", "invitation_relation"=>"uncle"}
Thoughts on what may be causing this, or how I can get rid of this unpermitted paramters :email problem?
Edit 1
These are the relevant routes:
devise_for :users, :controllers => { :invitations => 'users/invitations', :confirmations => 'confirmations' }
devise_scope :user do
post "users/invitation/sign_in" => "users/invitations#invite_sign_in"
end
Edit 2
In my application_controller.rb I have a method that I added :email and it seems to have stopped that error:
def configure_permitted_parameters
# Once I added :email to this method, it stopped throwing the unpermitted error
devise_parameter_sanitizer.for(:accept_invitation) do |u|
u.permit(:name, :email, :last_name, :invitation_relation)
end
end
When using Devise and configuring permitted_params it is best to do this in the application controller,
you can do it one of two ways
def configure_permitted_parameters
devise_parameter_sanitizer.for(:accept_invitation) do |u|
u.permit(:name, :email, :last_name, :invitation_relation)
end
end
OR
def configure_permitted_params
devise_parameter_sanitizer.for(:accept_invitation) << [:name, :email, :last_name, :invitation_relation]
end
I want to change parameter before it saves in model object in create action of Devise registrations_controller
class RegistrationsController < Devise::RegistrationsController
before_filter :configure_permitted_parameters
def create
phone = params[:user][:phone]
replacements = [ [' ', ''], ['-', ''], ['(', ''], [')', ''], ['+', ''] ]
params[:user][:phone] = replacements.each { |replacement| phone.gsub!(replacement[0], replacement[1]) }
super
end
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) do |u|
u.permit(:name, :surname, :patronymic, :username, :phone, :email, :password, :password_confirmation)
end
devise_parameter_sanitizer.for(:account_update) do |u|
u.permit(:name, :surname, :patronymic, :username, :phone, :email, :password, :password_confirmation, :current_password)
end
end
end
The problem is I can't change params[:user][:phone] because it unpermitted: Unpermitted parameters: phone. How can I change it after I get params? Thanks!
These aren't permitted because of Rails Strong Parameters. See the 'Strong Parameters' section in the Devise Github page.
Long story short, something like this should be placed into your ApplicationController, not the Devise controllers:
class ApplicationController < ActionController::Base
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) << :phone
end
end
My registrations are working properly, I have 3 custom fields: name, avatar, avatar_cache.
Only the :name custom field is giving me a:
Unpermitted parameters: name in console.
I already sanitized strong parameters in Application Controller and the avatar / avatar_cache are saving correctly. Am I missing something?
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name, :avatar, :avatar_cache, :email, :password, :password_confirmation) }
end
def configure_permitted_parameters
devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:name, :avatar, :avatar_cache, :email, :password, :current_password, :password_confirmation) }
end
Currently, you have redefined the method configure_permitted_parameters, which is why Ruby is picking the latest method definition i.e., the one which whitelists attributes for account_update. So, when you try to sign_up with custom attribute name, you would receive
Unpermitted parameters: name warning
as because of the overwriting the method configure_permitted_parameters, devise has no idea about the custom attributes that should have been whitelisted for sign_up
Your configure_permitted_parameters method should look like:
class ApplicationController < ActionController::Base
before_filter :configure_permitted_parameters, if: :devise_controller?
## ...
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name, :avatar, :avatar_cache, :email, :password, :password_confirmation) }
devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:name, :avatar, :avatar_cache, :email, :password, :current_password, :password_confirmation) }
end
end