Search code examples
ruby-on-railsmongodbmongoidstrong-parametersmoney-rails

Money-rails field is being filtered out by strong parameters in Rails 4 + Mongoid

I'm using Rails 4+ MongoDB (mongoId) + money-rails gem and have these 2 models:

class MyModel
  field :date, type: Date
  field :amount, type: Money   
  ..............
end

class OtherModel < MyModel
  ........
end

On the controller the permit params functions is as follows:

def my_model_params
  base=[:field1, field2, :field3, :amount]
  params.permit(:field11, :field22, :field33, :field44, other_model: base)

end

Now ,the amount field is Money type, but before that it was a float field. With float, the create method worked without problems, but now that the :amount field is of type Money, I'm getting on the logfile the message Unpermitted parameter: amount. This happens when I want to create a new OtherModel object:

OtherModel.create(field1: "aaa", field2: "bbb", field3: "ccc", :amount=>Money.new(12345))

I've tried several ways of defining the my_model_params method so that it accepts the amount field, including all the options related to this I found at StackOverflow, but I keep getting the same error. The only way I found of making this work is by using permit!

def my_model_params
  base=[:field1, field2, :field3, :amount]
  params.permit!

end

Which works because it allows all fields, but it is obviously not a good option for mass assignment protection.

On the hash of params, the amount field comes as follows, due to the money-rails gem:

"amount"=>#<Money fractional:12345 currency:USD>

Has someone found a similar issue or knows how to declare the amount field?

Thanks! Marco

Solution

  • Well, I was able to find a solution for this, based on this link . I'm not sure why the amount is filtered out if you add it as described above, but in order to make it work, I used the following solution:

    def my_model_params
   base=[:field1, field2, :field3]
   params.permit(:field11, :field22, :field33, :field44, other_model: base).tap do |whitelisted|
                  whitelisted[:other_model][:amount] = params[:other_model][:amount]
              end                
end

    This will still report the Unpermitted parameter: amount message on the logs, but will allow you to mass assign the amount field as initially intended.

    Hope it helps someone in the future.

    Any feedback about why the amount field is being filtered in the first place, will be really appreciated.

    Cheers!