inossidabile / protector

Comfortable (seriously) white-list security restrictions for models on a field level
MIT License

Strong Parameters integration is broken for create #36

Closed antlypls closed 10 years ago

antlypls commented 10 years ago

Shortly speaking, Model.restrict!(context).create!(params[:model]) throws an ActiveModel::ForbiddenAttributesError exception.

Now a more detailed example. Consider the following Blog model with a name attribute.

class Blog < ActiveRecord::Base
  # protector DSL: the block receives the context passed to restrict!
  protect do |context|
    if context
      can :create   # creating records is allowed whenever a context is given
    end
  end
end

The following test fails with ActiveModel::ForbiddenAttributesError (rails 4.0.2 and protector 0.7.2).

describe Blog do
  it 'can be created using strong parameters' do
    params = ActionController::Parameters.new(blog: {name: 'Blog'})
    expect{
      Blog.restrict!(true).create!(params[:blog])
    }.to change(Blog, :count).by(1)
  end
end

It looks like it's possible to create a new record only using new and save.
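To make the error above reproducible without a Rails stack, here is an added example (not code from the protector project or from Rails) that models the strong-parameters check in a few dozen lines: a `Parameters` stand-in that is unpermitted until `permit` is called, a `sanitize_for_mass_assignment` stand-in that raises exactly when an unpermitted object reaches mass assignment, and a `Blog` stand-in whose new/create/create! paths all funnel through that check. The class names, the in-memory store and the `admin` attribute are assumptions made for the illustration.

```ruby
# Added example: simplified model of Rails 4 strong-parameters protection.
# Not the protector gem's code and not Rails' code; names are stand-ins.

# Stand-in for ActiveModel::ForbiddenAttributesError.
class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters: unpermitted by default,
# permitted only through #permit, which also drops unlisted keys.
class Parameters
  def initialize(hash, permitted = false)
    @hash = hash.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Whitelist: returns a new, permitted Parameters with only the listed keys.
  def permit(*keys)
    Parameters.new(@hash.select { |k, _| keys.include?(k) }, true)
  end

  # Nested access such as params[:blog] yields an *unpermitted* Parameters.
  def [](key)
    value = @hash[key.to_sym]
    value.is_a?(Hash) ? Parameters.new(value) : value
  end

  def to_h
    @hash.dup
  end
end

# Stand-in for ActiveModel::ForbiddenAttributesProtection: the single check
# that raises when an unpermitted Parameters object is mass-assigned.
module ForbiddenAttributesProtection
  def sanitize_for_mass_assignment(attributes)
    if attributes.respond_to?(:permitted?) && !attributes.permitted?
      raise ForbiddenAttributesError
    end
    attributes.respond_to?(:to_h) ? attributes.to_h : attributes
  end
end

# Minimal in-memory model (assumed): new, create and create! all pass the
# attributes through sanitize_for_mass_assignment, as ActiveRecord does.
class Blog
  include ForbiddenAttributesProtection

  @records = []
  class << self
    attr_reader :records
    def count;         records.size;                 end
    def create(attrs); new(attrs).tap(&:save);       end
    def create!(attrs); new(attrs).tap(&:save!);     end
  end

  attr_reader :name

  def initialize(attrs = {})
    assign_attributes(attrs)
  end

  def assign_attributes(attrs)
    sanitize_for_mass_assignment(attrs).each do |k, v|
      instance_variable_set("@#{k}", v)
    end
  end

  def save
    return false if name.nil? || name.empty?
    self.class.records << self
    true
  end

  def save!
    save or raise ArgumentError, "name is required"
  end
end

# The failing pattern from the issue: params[:blog] is still unpermitted
# when it reaches create!, so the sanitizer raises before anything is saved.
def create_with_raw_params
  params = Parameters.new(blog: { name: 'Blog' })   # constructed request params
  Blog.create!(params[:blog])
end

# The corrected pattern: whitelist the fields first. The constructed
# `admin` key is silently dropped rather than mass-assigned.
def create_with_permitted_params
  params = Parameters.new(blog: { name: 'Blog', admin: true })
  Blog.create!(params[:blog].permit(:name))
end
```

Because every mass-assignment entry point calls the same sanitizer, a library that overrides `create!` (as protector does) still has to hand the attributes to that path; the defender's check on the application side is unchanged either way: call `permit` on the nested parameters before `create!`, and treat a `ForbiddenAttributesError` in logs as a sign that a controller is passing raw request parameters to a model.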

inossidabile commented 10 years ago

0.7.4 released.

antlypls commented 10 years ago

Tried 0.7.4. The issue is still there.

inossidabile commented 10 years ago

It's very unlikely. 0.7.4 has the spec for your case. It's green. Same goes for your sample – it works here.

antlypls commented 10 years ago

Ha! I figured it out. My example shows the issue for the create! method; your test checks the create method. So add expect{ dummy.restrict!.create!(params(string: 'test')).delete }.to_not raise_error to engine_spec, and you'll get ActiveModel::ForbiddenAttributesError.

inossidabile commented 10 years ago

:scream:

inossidabile commented 10 years ago

Can you please check master before I release .5?

antlypls commented 10 years ago

The original issue is fixed. But I noticed a similar problem for create! on an association. Code like blog.restrict!(true).posts.create!(params[:post]) raises the same error. I can write a more detailed sample if needed.

inossidabile commented 10 years ago

yeah if you can write a spec that would be awesome

antlypls commented 10 years ago

Ok. Let's keep this one as closed; I'll submit the problem with associations in a separate issue. Releasing .5 is up to you. It makes sense for me to wait until all issues related to strong parameters are fixed.

inossidabile commented 10 years ago

Yep. We'll wait.