Unpermitted params security warning

GeorgeFromTheBank

unread,

May 24, 2015, 3:54:05 PM5/24/15

to rubyonra...@googlegroups.com

Hello I'm quite new to the rails 4 and I've not dealt with this kind of nested security warnings, I basically have a model (receipt), with has many items relation. When I save a receipt, I want to have an options to save many items as well from the same form, I ll skip the ui part and get back to the back end, this is how my params look like, when I print params in the create action :

{"utf8"=>"✓",

"authenticity_token"=>"0LPWkN5uG+yHrVt99f4bBN+al0FCARNhtV91NysV0TM=",

"receipt"=>

{"store_id"=>"2",

"purchase_date"=>"05/05/2015",

"items_attributes"=>

{"1432495749993"=>{"item"=>{"name"=>"ssd", "amount"=>"22", "unit_id"=>"2", "quantity"=>"1", "person_id"=>"2", "project_id"=>""}},

"1432495820856"=>{"item"=>{"name"=>"ds", "amount"=>"22", "unit_id"=>"3", "quantity"=>"1", "person_id"=>"2", "project_id"=>""}}}},

"action"=>"create",

"controller"=>"receipts"}

I've tried following and more but none of it didn't work :

params.require(:receipt).permit(:store_id, :purchase_date, :items_attributes)

params.require(:receipt).permit(:store_id, :purchase_date, items_attributes: {'1432495749993' => {'item' => [:name]}})

params.require(:receipt).permit(:store_id, :purchase_date, items_attributes: {'1432495749993' => {'item' => [:name]}}).permit!

params.require(:receipt).permit(:store_id, :purchase_date, items_attributes: {'1432495749993' => {'item' => [:id, :name, :amount, :unit_id, :quantity, :person_id, :project_id]}})

And my nested params don't show, this is the best result I got :

{"store_id"=>"2", "purchase_date"=>"05/05/2015", "items_attributes"=>{"1432495749993"=>{}=>{}}}

I'm getting to the point when I don't know what to need to ask somebody for help, what am I doing wrong here?

GeorgeFromTheBank

unread,

May 26, 2015, 8:26:59 PM5/26/15

to rubyonra...@googlegroups.com

Nobody knows about this seriously?

BuyzLots

unread,

May 26, 2015, 8:41:57 PM5/26/15

to rubyonra...@googlegroups.com

try this:

params.require(:receipt).permit(:store_id, :purchase_date, items_attributes: [:name, :amount, :unit_id, :quantity, :person_id, :project_id])

Matt

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/7d7ad404-5f79-4e15-8f7a-6c0abea897e5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

GeorgeFromTheBank

unread,

May 26, 2015, 9:02:50 PM5/26/15

to rubyonra...@googlegroups.com

Hi Matt,

Thanks for your response. This is the original params without authenticity token and controller :

"receipt"=>

{"store_id"=>"3",

"purchase_date"=>"05/05/2015",

"items_attributes"=>{"1432688411008"=>{"item"=>{"name"=>"Test", "amount"=>"2.2", "unit_id"=>"2", "quantity"=>"1", "person_id"=>"", "project_id"=>"2"}}}}

This is what I get with what you suggested :

params.require(:receipt).permit(:store_id, :purchase_date, items_attributes: [:name, :amount, :unit_id, :quantity, :person_id, :project_id])

Unpermitted parameters: item

=> {"store_id"=>"3", "purchase_date"=>"05/05/2015", "items_attributes"=>{"1432688411008"=>{}}}

Still doesn't allow me to select items attributes.

André Orvalho

unread,

Jun 2, 2015, 7:43:41 AM6/2/15

to rubyonra...@googlegroups.com

you need to read documentation: http://edgeguides.rubyonrails.org/action_controller_overview.html#strong-parameters

Sunkuru Abhishek

unread,

Jun 3, 2015, 1:17:23 AM6/3/15

to rubyonra...@googlegroups.com

Hi George,

Have added following lines to receipt model?

accepts_nested_attributes_for :items,:allow_destroy => true

Thanks

Abhishek

Reply all

Reply to author

Forward