Open mwalsher opened 10 years ago
In my example,
class Group < ActiveRecord::Base
has_and_belongs_to_many :accounts_users
end
class AccountsUser < ActiveRecord::Base
belongs_to :account
belongs_to :user
end
The code that produces the error is (@group
being restricted by protector):
@group.assign_attributes(group_params.merge(account_id: current_account.id))
Request params are:
{"utf8"=>"✓", "_method"=>"patch", "authenticity_token"=>"WRqzvdIH90iXdw2fO8RS+e2bcQHTYmrSDn08V97m7wk=", "group"=>{"name"=>"no user", "description"=>"", "accounts_user_ids"=>["3", ""]}, "commit"=>"Update Group", "action"=>"update", "controller"=>"groups", "id"=>"42"}
The fix for #31 appears to be the cause of this. The problem with this approach is that it's restricting calls on HABTM associations where there is no explicitly defined model/protect block. Is that intentional? This makes sense for has_many :through associations, but perhaps not for HABTM.
Let me know your thoughts. I'd be happy to take a stab at a fix for this if you could provide some direction. Perhaps simply checking the reflection for HABTM and not restricting in that case will work?
E.g. inside build_record_with_protector
in Protector::Adapters::ActiveRecord::Association
, a check for habtm could be added:
if !protector_subject? or (reflection.parent_reflection and reflection.parent_reflection[1].macro == :has_and_belongs_to_many)
return build_record_without_protector(*args)
else
build_record_without_protector(*args).restrict!(protector_subject)
end
(Perhaps there is a better way to check for habtm, but there have been some changes in the reflections behaviour in AR per https://github.com/rails/rails/issues/14682)
Any thoughts on this?
You must be busy :)
I'm upgrading to rails 4.1.5 and seem to keep running into protector-related issues. Have you had a chance to test things out in > 4.1?
The issue I'm running into now is the following error message on save:
This is despite having the strong_parameters config setting disabled. Any ideas?