bogdan / datagrid

Gem to create tables grids with sortable columns and filters
MIT License

Using strong parameters #240

Closed pmichna closed 6 years ago

pmichna commented 6 years ago

In my controller I have code like this:

@workers_grid = WorkersGrid.new(params[:workers_grid]) do |scope|
  scope.page(params[:page])
end

However, this throws an ActiveModel::ForbiddenAttributesError. It used to work before, but probably after some Rails update it is now required to use strong params.

params.fetch(:workers_grid, {}).permit!

I have come up with the above, but this does not look nice.

I'm using Rails 5.1.4.
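Added example (editor's note, not part of the thread and not datagrid's or Rails' own code): a self-contained Ruby stand-in that reproduces the mechanism behind the error and contrasts the two ways out of it. ActiveModel::ForbiddenAttributesProtection raises ForbiddenAttributesError when the attributes object answers `permitted?` with false, which is exactly what `params[:workers_grid]` does in Rails 5. The stand-in `Params` class, the `GridBase`/`WorkersGrid` classes, the `sanitize_grid_params` helper and the `admin` key in the constructed request are all assumptions made for the illustration.

```ruby
# Editor's illustration, not datagrid or Rails code. Params is a cut-down
# stand-in for ActionController::Parameters; GridBase mimics the check in
# ActiveModel::ForbiddenAttributesProtection that produced the error above.

class ForbiddenAttributesError < StandardError; end

# A hash of request params that is unpermitted until permit!/permit is called.
class Params
  def initialize(hash, permitted = false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # permit!: allow every key the client sent, whatever it is.
  def permit!
    Params.new(@hash, true)
  end

  # permit(*keys): keep only the listed keys, drop the rest.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@hash.select { |k, _| allowed.include?(k) }, true)
  end

  # Nested hashes come back wrapped and unpermitted, as in Rails.
  def fetch(key, default = nil)
    v = @hash.fetch(key.to_s, default)
    v.is_a?(Hash) ? Params.new(v) : v
  end

  def to_h
    @hash.dup
  end
end

# Same rule as ActiveModel::ForbiddenAttributesProtection: an attributes
# object that says it is unpermitted is rejected before anything is assigned.
class GridBase
  attr_reader :attributes

  def initialize(attrs = {})
    if attrs.respond_to?(:permitted?) && !attrs.permitted?
      raise ForbiddenAttributesError
    end
    @attributes = attrs.to_h
  end
end

# Hypothetical grid: order/descending are the sort attributes every grid
# has; the filter names are what this particular grid declares.
class WorkersGrid < GridBase
  FILTERS = %w[is_active last_name].freeze

  def self.permitted_keys
    %w[order descending] + FILTERS
  end
end

# Explicit whitelist derived from the grid, the alternative to permit!.
def sanitize_grid_params(params, key, grid_class)
  params.fetch(key, {}).permit(*grid_class.permitted_keys)
end

# Constructed request mirroring the log above, plus an unexpected "admin" key.
REQUEST = Params.new(
  "workers_grid" => { "descending" => "false", "is_active" => "YES",
                      "order" => "last_name", "admin" => "1" },
  "page" => "2"
)

def demo
  raw = begin
    WorkersGrid.new(REQUEST.fetch(:workers_grid, {}))
    :ok
  rescue ForbiddenAttributesError
    :forbidden                       # what the controller above hit
  end
  permit_all  = WorkersGrid.new(REQUEST.fetch(:workers_grid, {}).permit!).attributes
  whitelisted = WorkersGrid.new(sanitize_grid_params(REQUEST, :workers_grid, WorkersGrid)).attributes
  { raw: raw, permit_all: permit_all, whitelisted: whitelisted }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

With `permit!` the unknown `admin` key reaches the grid; with the whitelist built from the grid's own sort and filter names it is dropped, and an empty `workers_grid` still yields an empty, permitted attribute set.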

bogdan commented 6 years ago

Can you show me the backtrace of the issue?

pmichna commented 6 years ago

ActiveModel::ForbiddenAttributesError - ActiveModel::ForbiddenAttributesError:
  app/controllers/workers_controller.rb:6:in `index'

bogdan commented 6 years ago

Please give a full backtrace with rails internals.

pmichna commented 6 years ago

Sure.

Started GET "/workers?workers_grid%5Bdescending%5D=false&workers_grid%5Bis_active%5D=YES&workers_grid%5Border%5D=last_name" for 127.0.0.1 at 2017-10-30 11:58:04 +0100
Processing by WorkersController#index as HTML
  Parameters: {"workers_grid"=>{"descending"=>"false", "is_active"=>"YES", "order"=>"last_name"}}
  User Load (0.8ms)  SELECT  "users".* FROM "users" WHERE "users"."is_active" = $1 AND "users"."id" = $2 ORDER BY "users"."id" ASC LIMIT $3  [["is_active", "t"], ["id", 139], ["LIMIT", 1]]
  Permission Exists (1.2ms)  SELECT  1 AS one FROM "permissions" INNER JOIN "user_permissions" ON "permissions"."id" = "user_permissions"."permission_id" WHERE "user_permissions"."user_id" = $1 AND "permissions"."name" = $2 LIMIT $3  [["user_id", 139], ["name", "manager"], ["LIMIT", 1]]
Completed 500 Internal Server Error in 11ms (ActiveRecord: 2.0ms)

ActiveModel::ForbiddenAttributesError - ActiveModel::ForbiddenAttributesError:
  app/controllers/workers_controller.rb:6:in `index'

Started POST "/__better_errors/56389d521ff705b0/variables" for 127.0.0.1 at 2017-10-30 11:58:04 +0100

pmichna commented 6 years ago

@bogdan Using datagrid 1.5.4 - it works without strong params. Using datagrid 1.5.5 or 1.5.6 introduces the error.

bogdan commented 6 years ago

@pmichna I think this is the case now: everything has to be permitted to be passed to Grid.

pmichna commented 6 years ago

Ok. I guess it's time to update docs and templates. :)

bogdan commented 6 years ago

You know, I decided to disable that forbidden attributes check by default. In 99% of cases grids don't have security issues on attributes assignment. Use version 1.5.7 to fix the issue.

pmichna commented 6 years ago

Ok. Thanks for such a quick reaction to the problem! :+1: