songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit
MIT License

Rails 3.2.3 Mass Assignment Issue in Authorizations #25

Closed jpmcgrath closed 11 years ago

jpmcgrath commented 12 years ago

Hi there,

In my Rails 3.2 controller action when I use the following code:

@auth = OAuth2::Provider::Authorization.new(resource, params)
@auth.grant_access!

I am getting the following exception:

ActiveModel::MassAssignmentSecurity::Error (Can't mass-assign protected attributes: owner, client): app/controllers/users/registrations_controller.rb:14:in `create'

I believe this is because in Rails 3.2.3 there was a security change that sees attribute mass assignment change from defaulting to off if no attr_accessible is declared.

Has anyone else encountered this?

edgar commented 12 years ago

Hey,

I have the same issue:

ActiveModel::MassAssignmentSecurity::Error (Can't mass-assign protected attributes: owner, client): config/initializers/oauth2_provider.rb:8:in `block in <top (required)>' app/controllers/oauth_controller.rb:6:in `new' app/controllers/oauth_controller.rb:6:in `access_token'

edgar commented 12 years ago

@jpmcgrath I fixed it just by adding attr_accessible in the model

https://github.com/edgar/oauth2-provider/commit/c68ba4f17f93646394cdd379f60da277ddf8cb5a

Now it is working in Rails 3.2.6, with default settings
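Added example for this thread (not code from songkick/oauth2-provider or from any of the commenters): a plain-Ruby stand-in for the Rails 3.2.3 behaviour the reporter hit and for the attr_accessible fix above. Everything is constructed so it runs offline: the `Whitelisted` module, the `LegacyAuthorization` / `Authorization` classes and the request params are illustrative, not ActiveModel or the gem's API. It assumes a `:strict` mass-assignment sanitizer, since the app raised rather than logged. The point it adds beyond the thread is the defensive split: whitelist only the fields a client is allowed to send, and set `owner` and `client` from the server's own lookup rather than from the request.

```ruby
# Added example (not from songkick/oauth2-provider). Re-creates in plain Ruby
# the Rails 3.2.3 behaviour from the thread: with whitelist_attributes on and
# a :strict sanitizer (assumed), every attribute not declared via
# attr_accessible is protected, and bulk assignment of it raises.
# All class and method names here are illustrative stand-ins, not ActiveModel.

class MassAssignmentError < StandardError; end

# Whitelist-based guard in the style of ActiveModel::MassAssignmentSecurity.
module Whitelisted
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare which attributes may be set from a params hash.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # Nothing is accessible until declared (whitelist_attributes = true).
    def accessible_attributes
      @accessible || []
    end
  end

  # Bulk-assign from a hash the way Model.new(params) does. Any key that is
  # not whitelisted aborts the whole assignment, mirroring :strict mode.
  def assign_attributes(attrs)
    protected_keys = attrs.keys.map(&:to_s) - self.class.accessible_attributes
    unless protected_keys.empty?
      raise MassAssignmentError,
            "Can't mass-assign protected attributes: #{protected_keys.join(', ')}"
    end
    attrs.each { |name, value| instance_variable_set("@#{name}", value) }
    self
  end
end

# Model with no attr_accessible at all: the state the thread starts in.
class LegacyAuthorization
  include Whitelisted
  attr_accessor :owner, :client, :scope, :response_type
end

# Model after the fix: only fields a client may legitimately send are
# whitelisted. owner and client stay protected on purpose, because they bind
# the grant to a trust decision the server has to make itself.
class Authorization
  include Whitelisted
  attr_accessor :owner, :client, :scope, :response_type
  attr_accessible :response_type, :scope
end

# Constructed request params: next to the expected OAuth fields, a "client"
# key has been included that must never reach the model from the request.
REQUEST_PARAMS = {
  "response_type" => "code",
  "scope"         => "read",
  "client"        => "some-other-app"
}.freeze

# Returns the ActiveModel-style error message for a bulk assignment, or nil
# when every key was whitelisted.
def mass_assignment_error(model, params)
  model.assign_attributes(params)
  nil
rescue MassAssignmentError => e
  e.message
end

# Keeps only the keys the model whitelists (the strong-parameters idea).
def permitted(model_class, params)
  params.select { |name, _| model_class.accessible_attributes.include?(name.to_s) }
end

# Controller-side pattern: trust-bound attributes come from the server's own
# lookup (authenticated user, registered client); request params only fill
# the whitelisted fields.
def build_authorization(owner, client, params)
  auth = Authorization.new
  auth.owner  = owner
  auth.client = client
  auth.assign_attributes(permitted(Authorization, params))
  auth
end

if __FILE__ == $PROGRAM_NAME
  puts mass_assignment_error(LegacyAuthorization.new, "owner" => "alice", "client" => "app")
  puts mass_assignment_error(Authorization.new, REQUEST_PARAMS)
  auth = build_authorization("alice", "registered-app", REQUEST_PARAMS)
  puts [auth.owner, auth.client, auth.scope].inspect
end
```

Running it reproduces the exact message from the reports above for the legacy model ("owner, client"), shows that the whitelisted model still rejects a smuggled "client" key when raw params are passed straight in, and that `build_authorization` succeeds because it filters the request down to the permitted keys first and assigns the trust-bound fields itself.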

edgar commented 12 years ago

Here is the pull request for this little fix: https://github.com/songkick/oauth2-provider/pull/29

jpmcgrath commented 11 years ago

@edgar Thanks for that. I ended up coming up with the same solution but then ran into other issues. In the end I switched over to another oauth2 library as I suspected (maybe wrongly) that the project's maintainer isn't very active here.

Anyway, thanks again. Good luck with it!

Cheers.

edgar commented 11 years ago

@jpmcgrath just curious, what is the other lib? This one: https://github.com/assaf/rack-oauth2-server ?

Thanks

jpmcgrath commented 11 years ago

@edgar Didn't see that one in my search, but it looks nice. I tried Doorkeeper and a few others but ended up settling on https://github.com/pelle/oauth-plugin/

A difficult choice to be sure.

jcoglan commented 11 years ago

We've just done a bunch of work on this code -- we have Authorization.attr_accessible nil and have adjusted internal calls appropriately. The pull request #29 referenced above has been closed.