I get a ActiveModel::MassAssignmentSecurity::Error when I try to running my app to save the login and password details.
got the following error
Can't mass-assign protected attributes: name, password, password_confirmation, salt
app/controllers/users_controller.rb:43:in new'
app/controllers/users_controller.rb:43:increate'
here is the code from the control file
class UsersController < ApplicationController
# GET /users
# GET /users.json
def index
#users = User.all
respond_to do |format|
format.html # index.html.erb
format.json { render json: #users }
end
end
# GET /users/1
# GET /users/1.json
def show
#user = User.find(params[:id])
respond_to do |format|
format.html # show.html.erb
format.json { render json: #user }
end
end
# GET /users/new
# GET /users/new.json
def new
#user = User.new
respond_to do |format|
format.html # new.html.erb
format.json { render json: #user }
end
end
# GET /users/1/edit
def edit
#user = User.find(params[:id])
end
# POST /users
# POST /users.json
def create
#user = User.new(params[:user])
respond_to do |format|
if #user.save
format.html { redirect_to #user, notice: 'User was successfully created.' }
format.json { render json: #user, status: :created, location: #user }
else
format.html { render action: "new" }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# PUT /users/1
# PUT /users/1.json
def update
#user = User.find(params[:id])
respond_to do |format|
if #user.update_attributes(params[:user])
format.html { redirect_to #user, notice: 'User was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
#user = User.find(params[:id])
#user.destroy
respond_to do |format|
format.html { redirect_to users_url }
format.json { head :no_content }
end
end
end
Answer in Stack Overflow and credits for Damien Mathieu
In your model, you need to add tag_attributes to the attr_accessible call.
For example :
class User < ActiveRecord::Base
attr_accessible :tags_attributes
end
If you already call it once, you can either add this field as an argument of the method, or make a second call. Both options are equivalent.
Having to specify all accessible parameters wasn't a default until a few months.
This guide has been updated to reflect the change of default. But the new version hasn't been deployed yet, this is why it's not specified.
I think you forgot to add the attr_accessible parameters in your model. Check out Rails API for more information regarding attr_accessbile and what it protects from.
Like waldyr.ar said, also you can use attr_protected
Related
I actually built a 'Offer' scaffold referenced to user (devise) and product. I can add an offer on the specific product page. However, I realise when I try to delete an offer, it is by default redirected to products_url. How can I redirect it back to the specific product page? When I create the comment, it does redirect_to the specific product page. Delete doesnt do so.
I have tried using
Original code
class OffersController < ApplicationController
before_action :set_offer, only: [:show, :edit, :update, :destroy]
def index
#offers = Offer.all
end
def show
end
def new
#offer = Offer.new
end
# GET /offers/1/edit
def edit
end
# POST /offers
# POST /offers.json
def create
#product = Product.find(params[:product_id])
#offer = #product.offers.new(offer_params)
#offer.user = current_user
respond_to do |format|
if #offer.save
format.html { redirect_to #product, notice: 'Offer was successfully created.' }
format.json { render json: #product, status: :created, location: #offer }
else
format.html { render action: "new" }
format.json { render json: #offer.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /offers/1
# PATCH/PUT /offers/1.json
def update
respond_to do |format|
if #offer.update(offer_params)
format.html { redirect_to #offer, notice: 'Offer was successfully updated.' }
format.json { render :show, status: :ok, location: #offer }
else
format.html { render :edit }
format.json { render json: #offer.errors, status: :unprocessable_entity }
end
end
end
# DELETE /offers/1
# DELETE /offers/1.json
def destroy
#offer.destroy
respond_to do |format|
format.html { redirect_to product_url, notice: 'Offer was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_offer
#offer = Offer.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def offer_params
params.require(:offer).permit(:product_id, :priceOffer, :user_id)
end
end
I tried to modify
def destroy
#offer.destroy
respond_to do |format|
format.html { redirect_to #product, notice: 'Offer was successfully destroyed.' }
format.json { head :no_content }
end
end
It actually showed my error. The 26 is actually offer_id. It should actually redirect to http://localhost:3000/products/18 . It showed me the extracted source as below.
Couldn't find Product with 'id'=26
def set_product
#product = Product.find(params[:id])
end
I am not sure I've understood the question but I think you just need to pass the product's id as an additional parameter, something like:
= link_to 'destroy', offer_path(#offer, product_id: #product.id), method: :delete
and then in your controller use
redirect_to product_path(params[:product_id])
Do this in destroy method.
Product =#offer.product
redirect_to :product
#product you have used is not set. So we need to set product_id here.
That's why we took product id from offer variable through relation
what you did in set_product just use params[:id] to find product, but the params[:id] is refer to the offer_id when you call destroy, that's why you get the RecordNotFoundError. I think you can write this.
def set_product
# maybe you should judge whether #product is nil or not
#product = #offer.product
end
I developed a simple toy app which models a user and a micro-post using scaffolds. This is my user_controller
source "railstutorial.org"
class UsersController < ApplicationController
before_action :set_user, only: [:show, :edit, :update, :destroy]
# GET /users
# GET /users.json
def index
#users = User.all
end
Method Show
# GET /users/1
# GET /users/1.json
def show
end
# GET /users/new
def new
#user = User.new
end
# GET /users/1/edit
def edit
end
# POST /users
# POST /users.json
def create
#user = User.new(user_params)
respond_to do |format|
if #user.save
format.html { redirect_to #user, notice: 'User was successfully created.' }
format.json { render :show, status: :created, location: #user }
else
format.html { render :new }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
Method update
# PATCH/PUT /users/1
# PATCH/PUT /users/1.json
def update
respond_to do |format|
if #user.update(user_params)
format.html { redirect_to #user, notice: 'User was successfully updated.' }
format.json { render :show, status: :ok, location: #user }
else
format.html { render :edit }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
#user.destroy
respond_to do |format|
format.html { redirect_to users_url, notice: 'User was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_user
#user = User.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def user_params
params.require(:user).permit(:name, :email)
end
end
Show method is used for rendering the user page with URL of the type "users/1".
However update method is to update our user's database, but after the update action is called it redirects us to the "users/1" URL.
In first case http request made is of type "GET" which routes us to "show" function/action, however in second case http request is of type "PATCH" which routes control to "update" function and this update function simply update the database, then why and how does it redirects us to "users/1". Does it call any rendering code somewhere ?
I am a beginner so please excuse me if question is a bit silly, but it would be a great help if someone could answer.
See at your code in update action after if #user.update(user_params)
You are calling redirect_to, it simply redirect you to new route which you provide it.
in this case its redirecting to show action as you are passing the object, you can provide any other route also.
read about redirect_to http://api.rubyonrails.org/classes/ActionController/Redirecting.html
#user is simply a user entry object who got an id in User Model, if you said redirect_to #user, it automatically detects the id of the user found in #user and redirects to /user/:id, rails is brave enough to understand that
I've got an app where:
1. user is on a page viewing their profile information
2. user presses button to email someone from this page
3. after the email is sent, user is sent back to view their profile information again and a notice flashes to tell them if the email worked or not.
I'm having with no. 3. I'm not sure how to set up a redirect (or something else appropriate) that will send a user to view their profile info again
Controller:
class ProfilesController < ApplicationController
before_action :set_profile, only: [:show, :edit, :update, :destroy, :email]
# GET /profiles
# GET /profiles.json
def index
#profiles = Profile.all
end
# GET /profiles/1
# GET /profiles/1.json
def show
end
# GET /profiles/new
def new
#profile = Profile.new
end
# GET /profiles/1/edit
def edit
#profile = Profile.find_by user_id: current_user.id
end
# POST /profiles
# POST /profiles.json
def create
#profile = Profile.new(profile_params)
respond_to do |format|
if #profile.save
format.html { redirect_to #profile, notice: 'Profile was successfully created.' }
format.json { render :show, status: :created, location: #profile }
else
format.html { render :new }
format.json { render json: #profile.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /profiles/1
# PATCH/PUT /profiles/1.json
def update
respond_to do |format|
if #profile.update(profile_params)
format.html { redirect_to #profile, notice: 'Profile was successfully updated.' }
format.json { render :show, status: :ok, location: #profile }
else
format.html { render :edit }
format.json { render json: #profile.errors, status: :unprocessable_entity }
end
end
end
# DELETE /profiles/1
# DELETE /profiles/1.json
def destroy
#profile.destroy
respond_to do |format|
format.html { redirect_to profiles_url, notice: 'Profile was successfully destroyed.' }
format.json { head :no_content }
end
end
def email_profile
destination = params[:to]
share = Share.profile(#profile, destination)
if destination =~ /#/ && share.deliver
redirect_to #profile, notice: 'email sent'
else
redirect_to #profile, notice: 'email failed'
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_profile
#profile = Profile.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def profile_params
params.require(:profile).permit(:user_id, :first_name, :last_name, :dob, :email, :mobile, :address, :suburb, :postcode, :city, :state, :country)
end
end
Share Mailer:
class Share < ActionMailer::Base
default_url_options[:host] = "localhost:3000"
default from: "from#example.com"
def profile(profile, destination)
#profile = profile
mail(to: destination, subject: "sent you stuff")
end
end
Current error:
ActionController::ActionControllerError in ProfilesController#email_profile
Cannot redirect to nil!
I think it has something to do with the :id parameter not being passed through after the email is sent.. but I'm a newbie so I don't really know what I'm talking about.. appreciate any guidance so I can fix this and also better understand ROR :)
You probably need to find a #profile first. I guess something like Profile.find(params[:profile_id]) is missing.
Hi there I am getting a NoMethodError in Users#show error in my Rails 3.2 app using devise.
Error on line 2 of my show below:
<strong>Firstname:</strong>
<%= #user.firstname %>
</p>
<p>
<strong>dateofbirth:</strong>
(If I remove the first name box it does the error for dateofbirth, etc.)
I'm using devise for my users, but generated a user controller in which to place my views.
I'm not sure what the problem is because I ran my migration and firstname exists in the schema
Here's the user controller:
class UsersController < ApplicationController
# before_action :set_user, only: [:show, :edit, :update, :destroy]
def find
#user = User.new
end
def show
#user = User.find(params[:id])
end
# GET /users
# GET /users.json
def index
#users = User.all
end
# GET /users/1
# GET /users/1.json
def show
end
# GET /users/new
def new
#user = User.new
end
# GET /users/1/edit
def edit
end
# POST /users
# POST /users.json
def create
#user = User.new(user_params)
respond_to do |format|
if #user.save
format.html { redirect_to #user, notice: 'User was successfully created.' }
format.json { render action: 'show', status: :created, location: #user }
else
format.html { render action: 'new' }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /users/1
# PATCH/PUT /users/1.json
def update
respond_to do |format|
if #user.update(user_params)
format.html { redirect_to #user, notice: 'User was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: 'edit' }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
#user.destroy
respond_to do |format|
format.html { redirect_to users_url }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_user
#user = User.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def user_params
params.require(:user).permit(:username, :firstname, :dateofbirth, :lastname, :gender, :location, :email, :password)
end
end
Your controller has two show methods defined. Try removing the second one. I believe the empty show method is overwriting your filled-in show method. In your view, #user doesn't exist so it evaluates to nil. Nil has neither a firstname method, nor dateofbirth method. Hence the NoMethodError.
How does rails know how to map to each function in the controller if the routes.rb file only specifies:
resources :users
but inside the UsersController you have
class UsersController < ApplicationController
# GET /users
# GET /users.json
def index
#users = User.all
respond_to do |format|
format.html # index.html.erb
format.json { render :json => #users }
end
end
# GET /users/1
# GET /users/1.json
def show
#user = User.find(params[:id])
respond_to do |format|
format.html # show.html.erb
format.json { render :json => #user }
end
end
# GET /users/new
# GET /users/new.json
def new
#user = User.new
respond_to do |format|
format.html # new.html.erb
format.json { render :json => #user }
end
end
# GET /users/1/edit
def edit
#user = User.find(params[:id])
end
# POST /users
# POST /users.json
def create
#user = User.new(params[:user])
respond_to do |format|
if #user.save
format.html { redirect_to #user, :notice => 'User was successfully created.' }
format.json { render :json => #user, :status => :created, :location => #user }
else
format.html { render :action => "new" }
format.json { render :json => #user.errors, :status => :unprocessable_entity }
end
end
end
# PUT /users/1
# PUT /users/1.json
def update
#user = User.find(params[:id])
respond_to do |format|
if #user.update_attributes(params[:user])
format.html { redirect_to #user, :notice => 'User was successfully updated.' }
format.json { head :no_content }
else
format.html { render :action => "edit" }
format.json { render :json => #user.errors, :status => :unprocessable_entity }
end
end
end
# DELETE /users/1
# DELETE /users/1.json
def destroy
#user = User.find(params[:id])
#user.destroy
respond_to do |format|
format.html { redirect_to users_url }
format.json { head :no_content }
end
end
end
How does rails determine that for instance the index function maps to GET/users while the create function maps to POST/users?
How does resources :users even know to map to the UsersController?
Rails is based around the 'convention over configuration' paradigm.
As such, the "resources :users" line indicates that all the standard CRUD methods are supported by the corresponding UsersController <-- the 'Users' prefix matches to the Controller, Model etc.
Please check the rails routes guide: http://guides.rubyonrails.org/routing.html
And to see in practice what the routes declaration does issue this command in your project directory:
rake routes
Also as mentioned before, stick with conventions and remember that rails is a very opinionated piece of software.