Cancan Load_And_Authorize_Resource Triggers Forbidden Attributes

rails 4 strong params ForbiddenAttributesError

Try changing your whitelist to handle the multi-part date parameter:

def competition_params
  params.require(:competition).permit(:name, :"date(1i)", :"date(2i)", :"date(3i)", :sex, :category, :country_id, :description, :article, :result)
end

Also, this code doesn't look quite right:

if @competition.save(competition_params)

Assuming you already have a Competition instance assigned to @competition - you should use update_attributes:

if @competition.update_attributes(competition_params)

Otherwise, assign it first:

@competition = Competition.new(competition_params)
if @competition.save

Rails 4 with CanCan: unknown attribute error after including load_and_authorize_resource

Solution came to me in my sleep. Here's what I did to solve the problem:

The only reason comment_params wasn't normally having a problem on create, was because I was excluding the extra :parent_comment_id parameter, like this:

@comment = post.comment.create(comment_params.except(:parent_comment_id))

When CanCan used the comment_params method however, it did no such sanitation. Hence, the problem. It would have been messy to add that sanitation to CanCan on a per-controller basis, so I did what I should have done all along and instead of passing the :parent_comment_id inside :comment, I used hidden_field_tag to pass it outside of :comment and accessed it through plain, old params.

I hope this helps someone else who makes a similar mistake!

ForbiddenAttributesError in Rails 4

This was totally an issue where CanCan is incompatible with Rails 4 and had nothing to do with my Station model or controller.

My workaround was to skip_load_resource for the create action.

before_filter :authenticate_user!, :except => [:show, :index]
load_and_authorize_resource :except => [:show, :index]
skip_load_resource :only => [:create]

Bang! Everything turned green.

UPDATE. Check out CanCanCan; it's the continuation of the now dead cancan and features Rails 4 strong parameters support, among other things.

Rails 5 - Forbidden Attributes

If there is a load_and_authorize_resource before action in your controllers, what is happening is that method is taking your parameters and attempting to create an instance before it ever gets to the method. Hence it ignores the strong parameters you have created.

So, of course, it never reaches the method and BAM -- the dreaded FAE.

One remedy is to tweak the before actions...

load_and_authorize_resource :shipment_method, except: [:create]
authorize_resource :shipment_method, only: [:create]

But that is very dull.

The other is to change the name of your strong parameters method to shipment_method_params...

def shipment_method_params
  params.require(:shipment_method).permit(:name, :description, :shipping_url, :active, :supports_tracking, :requires_phone)
end

Because, Rails and its love of conventions. You can also make separate create_params and update_params if you have different parameters for those actions.
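A simplified, self-contained model of the behaviour described in the answer above, added here as an example; it is not code from the answer, from Rails or from CanCan. FakeParams, load_resource, the two controllers and the request hash are hypothetical stand-ins; they show why a resource built in the before action raises unless a conventionally named params method exists.

```ruby
# Simplified stand-ins constructed for this example; not Rails or CanCan code.
class ForbiddenAttributesError < StandardError; end

# Mimics strong parameters: unpermitted until #permit is called.
class FakeParams
  attr_reader :data
  def initialize(data, permitted = false)
    @data, @permitted = data, permitted
  end
  def permitted?; @permitted; end
  def require(key); FakeParams.new(@data.fetch(key)); end
  def permit(*keys); FakeParams.new(@data.slice(*keys), true); end
end

# Mimics the model refusing mass assignment from unpermitted parameters.
class ShipmentMethod
  attr_reader :attrs
  def initialize(params)
    raise ForbiddenAttributesError unless params.permitted?
    @attrs = params.data
  end
end

# Hypothetical loader modelling the before action: it builds the record before
# the action runs, using <action>_params or <resource>_params when defined.
def load_resource(controller, name, action)
  found = ["#{action}_params", "#{name}_params"].find { |m| controller.respond_to?(m, true) }
  params = found ? controller.send(found) : controller.params.require(name)
  ShipmentMethod.new(params)
end

class BaseController
  attr_reader :params
  def initialize(raw); @params = FakeParams.new(raw); end
end
class MisnamedController < BaseController
  private
  def permitted_fields # hypothetical name the loader does not look for
    params.require(:shipment_method).permit(:name, :active)
  end
end
class ConventionalController < BaseController
  private
  def shipment_method_params
    params.require(:shipment_method).permit(:name, :active)
  end
end

# Constructed request; :admin stands for a field the form should never set.
REQUEST = { shipment_method: { name: "Courier", active: true, admin: true } }
```

With the conventional name, the record is built from the filtered hash and the :admin key never reaches the model; with the other name, the loader falls back to raw parameters and the model raises.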

Strong Attributes exception in rails 3. No idea what's causing it

Based on the stack trace, it looks like the assignment that triggers the error is coming from cancan, not from setting the artist's name. Try temporarily disabling the before_filter that uses cancan and see whether that resolves the issue. If it does, then you need to re-enable it, dig into cancan and figure out how to make it play nicely with strong_parameters. I don't use it myself, but I think there's a fork for Rails 4 called cancancan, which might work with rails 3.2 and strong_parameters as well.

Unrelated to your immediate problem, but you should probably also look at upgrading to the latest version in the Rails 3.2.x series to pick up the different security fixes they've released.


