Search code examples
ruby-on-railsstrong-parameterssocial-stream

ActiveModel::ForbiddenAttributes with Rails engine

I am using a Rails engine (Social Stream), that uses the strong_parameters gem in a rails 3 app. When trying to update I get errors but cannot identify where the problem is.

I am using a modal ajax form on an update action, with update_attributes. I have added the attributes being updated to a private allowed_params method, but am getting a ActiveModel::ForbiddenAttributes (ActiveModel::ForbiddenAttributes): error

ActiveModel::ForbiddenAttributes (ActiveModel::ForbiddenAttributes):
  <a href="txmt://open?  url=file:///Users/sean/Dropbox/fluent/fluent100/app/controllers/sentences_controller.rb&amp;line=18&amp;column=1">app/controllers/sentences_controller.rb:18:in `update'</a>

Using the documentation on strong parameters (https://github.com/rails/strong_parameters#readme), I tried to identify what the problem attribute could be, but the rails log does not provide any information.

I tried setting config.action_controller.action_on_unpermitted_parameters = :log in development.rb but my application will then not start with:

undefined method `action_on_unpermitted_parameters=' for ActionController::Base:Class (NoMethodError)

from my controller:

def update
  @sentence.update_attributes params[:sentence]
    if @sentence.valid?
    flash[:notice] = 'Sentence was successfully updated.'
  end
  .
  .

 private
   def allowed_params
     [:id, :title, :text, :description, :difficulty, :sentence]
   end

The allowed_params method is referenced in the gem code, and appears to pass the allowed parameters to the strong_paramaters gem.

protected
    def whitelisted_params
      return {} if request.present? and request.get?

      params.require(self.class.model_class.to_s.underscore.to_sym).permit( *all_allowed_params )
    end

    def allowed_params
    [] # This should be overriden in controllers to allow extra params
  end

  def all_allowed_params
    COMMON_PARAMS  |
      activity_object_property_params |
      allowed_params
  end

Additional notes:

https://groups.google.com/forum/?fromgroups#!searchin/social-stream/whitelist/social-stream/_aManxsvGHI/_XNHZVwB1C4J

* UPDATE * The update seems to work when I use:

update!

instead of 

@sentence.update_attributes params[:sentence]

It's not clear to me why.

Solution

  • The update! method works, and I have elected to go with that. 

    def update
   update! do |success, failure|
     failure.html { render 'edit_modal', layout: false }
     success.html {  
        load_sentences
        render partial: 'table', locals: { sentences: @sentences }
     }
   end
end