cancan icon indicating copy to clipboard operation
cancan copied to clipboard

Published 20 hours ago verified publisher icon ryanb

CanCan ActiveModel::ForbiddenAttributesError with rails 4

Open Crystark opened this issue 11 years ago • 80 comments

Hi,

I'm quite new to rails and i'm going for a Devise-CanCan-SimpleRoles approach on my project. I'm using CanCan 1.6.9. It seems that since i rebuilt the project from scratch on rails4 beta1, i'm getting a ActiveModel::ForbiddenAttributesError when i try to create any entity using a controller wich extends my ApplicationController.

This seems to come from :

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception

  # load_and_authorize_resource
  before_filter do |controller|
    controller.class.cancan_resource_class.new(controller).load_and_authorize_resource unless controller.devise_controller?
  end
  before_filter :authenticate_user!

  private

  # Catching exceptions from Cancan
  rescue_from CanCan::AccessDenied do |exception|
    redirect_to :home, alert: exception.message
  end

end

I've tried using load_and_authorize_resource instead but it does the same error.

I think this might have to do with https://github.com/ryanb/cancan/pull/763 and https://github.com/ryanb/cancan/issues/571 but as i'm still quite new to rails, i'd rather be sure this issue is reported.

Thanks

Here's the full stacktrace of the error:

/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activemodel/lib/active_model/forbidden_attributes_protection.rb:21:in `sanitize_for_mass_assignment'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activerecord/lib/active_record/attribute_assignment.rb:21:in `assign_attributes'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activerecord/lib/active_record/core.rb:174:in `initialize'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activerecord/lib/active_record/inheritance.rb:24:in `new'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activerecord/lib/active_record/inheritance.rb:24:in `new'
cancan (1.6.9) lib/cancan/controller_resource.rb:85:in `build_resource'
cancan (1.6.9) lib/cancan/controller_resource.rb:66:in `load_resource_instance'
cancan (1.6.9) lib/cancan/controller_resource.rb:32:in `load_resource'
cancan (1.6.9) lib/cancan/controller_resource.rb:25:in `load_and_authorize_resource'
app/controllers/application_controller.rb:6:in `block in <class:ApplicationController>'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/callbacks.rb:408:in `_run__4520472595650506565__process_action__callbacks'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/callbacks.rb:78:in `run_callbacks'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/abstract_controller/callbacks.rb:17:in `process_action'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_controller/metal/rescue.rb:29:in `process_action'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_controller/metal/instrumentation.rb:31:in `block in process_action'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/notifications.rb:158:in `block in instrument'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/notifications/instrumenter.rb:20:in `instrument'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/notifications.rb:158:in `instrument'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_controller/metal/instrumentation.rb:30:in `process_action'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_controller/metal/params_wrapper.rb:245:in `process_action'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activerecord/lib/active_record/railties/controller_runtime.rb:18:in `process_action'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/abstract_controller/base.rb:136:in `process'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/abstract_controller/rendering.rb:44:in `process'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_controller/metal.rb:196:in `dispatch'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_controller/metal/rack_delegation.rb:13:in `dispatch'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_controller/metal.rb:232:in `block in action'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/routing/route_set.rb:80:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/routing/route_set.rb:80:in `dispatch'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/routing/route_set.rb:48:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/journey/router.rb:69:in `block in call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/journey/router.rb:57:in `each'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/journey/router.rb:57:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/routing/route_set.rb:645:in `call'
lib/my/middleware/locale.rb:20:in `call'
warden (1.2.1) lib/warden/manager.rb:35:in `block in call'
warden (1.2.1) lib/warden/manager.rb:34:in `catch'
warden (1.2.1) lib/warden/manager.rb:34:in `call'
rack (1.5.2) lib/rack/etag.rb:23:in `call'
rack (1.5.2) lib/rack/conditionalget.rb:35:in `call'
rack (1.5.2) lib/rack/head.rb:11:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/params_parser.rb:27:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/flash.rb:241:in `call'
rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/cookies.rb:452:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activerecord/lib/active_record/query_cache.rb:36:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activerecord/lib/active_record/connection_adapters/abstract/connection_pool.rb:632:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activerecord/lib/active_record/migration.rb:348:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/callbacks.rb:374:in `_run__2034566760718777775__call__callbacks'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/callbacks.rb:78:in `run_callbacks'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/callbacks.rb:27:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/reloader.rb:64:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
better_errors (0.7.0) lib/better_errors/middleware.rb:58:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/railties/lib/rails/rack/logger.rb:38:in `call_app'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/railties/lib/rails/rack/logger.rb:21:in `block in call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/tagged_logging.rb:67:in `block in tagged'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/tagged_logging.rb:25:in `tagged'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/tagged_logging.rb:67:in `tagged'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/railties/lib/rails/rack/logger.rb:21:in `call'
quiet_assets (1.0.2) lib/quiet_assets.rb:18:in `call_with_quiet_assets'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
rack (1.5.2) lib/rack/runtime.rb:17:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/activesupport/lib/active_support/cache/strategy/local_cache.rb:72:in `call'
rack (1.5.2) lib/rack/lock.rb:17:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/actionpack/lib/action_dispatch/middleware/static.rb:64:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/railties/lib/rails/engine.rb:511:in `call'
/data/home/mainuser/.bundler/ruby/2.0.0/rails-12f785fdc7c2/railties/lib/rails/application.rb:96:in `call'
rack (1.5.2) lib/rack/lock.rb:17:in `call'
rack (1.5.2) lib/rack/content_length.rb:14:in `call'
rack (1.5.2) lib/rack/handler/webrick.rb:60:in `service'
/usr/local/rvm/rubies/ruby-2.0.0-p0/lib/ruby/2.0.0/webrick/httpserver.rb:138:in `service'
/usr/local/rvm/rubies/ruby-2.0.0-p0/lib/ruby/2.0.0/webrick/httpserver.rb:94:in `run'
/usr/local/rvm/rubies/ruby-2.0.0-p0/lib/ruby/2.0.0/webrick/server.rb:295:in `block in start_thread'

Crystark avatar Mar 11 '13 09:03 Crystark

Hi @Crystark, welcome Rails and CanCan. The error you are running into (ActiveModel::ForbiddenAttributesError) is actually part of Rails 4 and the strong_parameters feature for model attributes. You can read more about how it works here: Edge Guides - Strong Parameters.

Basically this is a way of saying that CanCan isn't ready out of the box for Rails 4. There are a number of work arounds in the issues you referenced. I'd play around with those and see if those work well for you. The other option is to create an authorization system from scratch. @ryanb shows how in the Railscast about strong_parameters Authorization from scratch - Part I Authorization from scratch - Part II (PRO episodes require a subscription).

natebird avatar Mar 11 '13 11:03 natebird

Thanks @natebird

I will try to see those workarounds. Any ideas on if and when CanCan will support strong_parameters ? Thanks again

Edit: As stated in https://github.com/ryanb/cancan/issues/571 one of the workarounds worked for me.

Crystark avatar Mar 12 '13 13:03 Crystark

@Crystark there are a few pull requests waiting to be merged in that help support strong_parameters. Just waiting for @ryanb to pull them in.

natebird avatar Mar 15 '13 17:03 natebird

Oh, and if the issue is resolved can you close it?

natebird avatar Mar 15 '13 17:03 natebird

I'm using Rails 4 rc1 and CanCan 1.6.10 and I'm still getting this error when creating. Is there some additional work I must do to get it going?

miharekar avatar May 16 '13 10:05 miharekar

+1 for this. I'm having the same problem.

tonytonyjan avatar May 24 '13 11:05 tonytonyjan

+1, Using Rails 4 rc and cancan 1.6.1

LorandLorincz avatar May 24 '13 17:05 LorandLorincz

+1, 4.0.0.rc1 + 1.6.10 - any workaround for this configuration?

AntonTrapp avatar May 30 '13 06:05 AntonTrapp

I use: load_and_authorize_resource except: [:create] just so I got it working but that shouldn't be used on production I guess.

miharekar avatar May 30 '13 06:05 miharekar

Thanks, if someone has the same problem: https://github.com/ryanb/cancan/issues/571 describes a workaround. In short:

In the ApplicationController:

before_filter do
  resource = controller_name.singularize.to_sym
  method = "#{resource}_params"
  params[resource] &&= send(method) if respond_to?(method, true)
end

and in the resource controller (for example NoteController):

def note_params
  params.require(:note).permit(:what, :ever)
end

AntonTrapp avatar May 30 '13 06:05 AntonTrapp

Hey, @AntonTrapp! This fixed my issue. CanCan 1.6.10 and Rails 4.0.0.rc1. Thanks.

thenickcox avatar Jun 15 '13 03:06 thenickcox

+1, 4.0.0.rc2 and 1.6.10. @AntonTrapp's fixs works here as well

ashleydw avatar Jun 27 '13 13:06 ashleydw

Thanks @AntonTrapp and I made some changes, now it's compatible with namespaces

  before_filter do
    resource = controller_path.singularize.gsub('/', '_').to_sym
    method = "#{resource}_params"
    params[resource] &&= send(method) if respond_to?(method, true)
  end

jirikolarik avatar Jun 29 '13 13:06 jirikolarik

Here's my workaround: As load_resource will only load if resource is not there. So my approach is simply add a before_action before the load_and_authorize_resource to load the instance_resource in the strong_parameter way.

  # before_action :set_company, only: [:show, :edit, :update, :destroy]
  before_action :load_company, only: :create
  load_and_authorize_resource

  private
    # Use callbacks to share common setup or constraints between actions.
    # def set_company
    #   @company = Company.find(params[:id])
    # end

    def load_company
      @company = Company.new(company_params)
    end

So it's cleaner and dryer without double loading the resource

leckylao avatar Jul 22 '13 02:07 leckylao

+1 on rails 4.0.0.rc2 and cancan 1.6.10

@AntonTrapp / @JiriKolarik workaround is working for me.

amoose avatar Jul 25 '13 20:07 amoose

@AntonTrapp / @JiriKolarik worked for me with Rails 4 release and cancan 1.6.10. Thanks for the short-term fix.

chronosafe avatar Jul 27 '13 01:07 chronosafe

Work around worked for me as well, thanks!

Sovietaced avatar Jul 28 '13 09:07 Sovietaced

Using cancan 1.6.1, ruby 2.0.0p247 and rails 4, and @AntonTrapp worked for me. Thank you.

jziggas avatar Jul 31 '13 04:07 jziggas

i get that error in Rails 4 and cancan (1.6.10) :(

but if i use load_and_authorize_resource except: [:create]

it work thanks for @mrfoto

obelich avatar Aug 05 '13 17:08 obelich

@obelich the problem with that workaround is that any authenticated user will create your used model

alagos avatar Aug 05 '13 19:08 alagos

+1 @AntonTrapp workaround fixes problem for me as well on 4.0.0.

socketwiz avatar Aug 09 '13 16:08 socketwiz

:+1: Thanks @AntonTrapp for the workaround!

danawoodman avatar Aug 10 '13 07:08 danawoodman

Not my workaround, see https://github.com/ryanb/cancan/issues/571 - credits go to mcbsys

AntonTrapp avatar Aug 10 '13 07:08 AntonTrapp

@obelich @alagos yeah, DON'T use my "solution". As I've said, it's just to get it going but shouldn't be used on production. It was a temp fix I used so I could work without going in depth about this issue. I would suggest either the solution @AntonTrapp reposted or the one from @lecky which is even nicer IMHO.

miharekar avatar Aug 10 '13 07:08 miharekar

Thanks @AntonTrapp and @JiriKolarik hopefully we will see a perm fix soon.

burmjohn avatar Aug 20 '13 19:08 burmjohn

:+1: for solution proposed by @AntonTrapp / @JiriKolarik

rafaelcgo avatar Aug 23 '13 18:08 rafaelcgo

I have been pulling out my hairs since 2 hours because of this!.. Thank you for opening it up.

Fix worked for me too. :+1:

scaryguy avatar Aug 25 '13 02:08 scaryguy

@AntonTrapp / @JiriKolarik you are both awesome! Thanks!

pieterbotha avatar Aug 25 '13 04:08 pieterbotha

@AntonTrapp fix works for me without even using the resource controller. 2.0.0-p247 + 1.6.10

Anyone else?

jgrannas avatar Aug 29 '13 01:08 jgrannas

@lecky, thanks fix works for me.

firo avatar Aug 30 '13 13:08 firo

Trying to decide between django, which has authorization built in and Rails 4. This bug has me worried about choosing Rails. Cancan hasn't been updated in 2 months and Rails 4 has been in beta and released for far longer. Are there any other authorization alternatives better maintained?

mgutz avatar Aug 31 '13 17:08 mgutz

Work around no longer working.

 module ForbiddenAttributesProtection # :nodoc:
    protected
      def sanitize_for_mass_assignment(attributes)
        if attributes.respond_to?(:permitted?) && !attributes.permitted?
          raise ActiveModel::ForbiddenAttributesError
        else
          attributes
        end
      end
  end

binyamindavid avatar Oct 11 '13 16:10 binyamindavid

@AntonTrapp Solution still Working Well

Theminijohn avatar Oct 19 '13 16:10 Theminijohn

I am getting the same problem...

cancan (1.6.10) rails (4.0.0)

shanepinnell avatar Oct 20 '13 20:10 shanepinnell

@AntonTrapp solution still works you are right, @JiriKolarik 's one is broken.

binyamindavid avatar Oct 20 '13 21:10 binyamindavid

It's working fine, you need use it right. http://stackoverflow.com/questions/19273182/activemodelforbiddenattributeserror-cancan-rails-4-model-with-scoped-con/19504322#19504322

jirikolarik avatar Oct 20 '13 21:10 jirikolarik

Sorry, haven't implemented solution yet, just re-iterating that the originating issue still exists.

EDIT: Just tested and the @AntonTrapp workaround is working for me:

cancan (1.6.10) rails (4.0.0)

shanepinnell avatar Oct 20 '13 22:10 shanepinnell

+1, @AntonTrapp 's workaround worked for me as well just now!

ndemoreau avatar Oct 30 '13 12:10 ndemoreau

just used @leckylao method and it works great. very clean. Thanks!

kacole2 avatar Nov 04 '13 17:11 kacole2

The problem with @leckylao and @AntonTrapp methods is that I get a Moped "duplicate key error" on id with them... Any idea?

hiromipaw avatar Nov 07 '13 15:11 hiromipaw

Can you try to create a new rails app, create a simple scaffold with a string, throw in only cancan and retry it to make sure that the problem is the above fix? If it is still happening, what versions (rails and cancan) are you using?

AntonTrapp avatar Nov 07 '13 16:11 AntonTrapp

Using cancan (1.6.10) Using devise (2.2.4) from git://github.com/plataformatec/devise.git (at rails4) Have been trying to understand why it is happening all day. Can't make another app at the moment... but if I find a fix will surely post it here.

hiromipaw avatar Nov 07 '13 16:11 hiromipaw

It looks like a data issue. Try rake db:setup to clear up all data and go to your new view then it should work.

Sent from my iPad

Regards, Lecky Lao

On 8 Nov 2013, at 2:16 am, Silvia [email protected] wrote:

The problem with @leckylao and @AntonTrapp methods is that I get a Moped "duplicate key error" on id with them... Any idea?

— Reply to this email directly or view it on GitHub.

leckylao avatar Nov 07 '13 20:11 leckylao

No it was actually in a validation hook in the model... had to move it to after_create instead of before_create.

Wondering why...

Silvia

On 7 November 2013 21:47, Lecky Lao [email protected] wrote:

It looks like a data issue. Try rake db:setup to clear up all data and go to your new view then it should work.

Sent from my iPad

Regards, Lecky Lao

On 8 Nov 2013, at 2:16 am, Silvia [email protected] wrote:

The problem with @leckylao and @AntonTrapp methods is that I get a Moped "duplicate key error" on id with them... Any idea?

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHubhttps://github.com/ryanb/cancan/issues/835#issuecomment-28004810 .

hiromipaw avatar Nov 08 '13 17:11 hiromipaw

@hiromipaw any particular reason you're using such an old version of Devise?

miharekar avatar Nov 08 '13 17:11 miharekar

It was suggested for rails 4 support a while ago.. then I didn't check to see if there was an update.. :(

On 8 November 2013 18:46, Miha Rekar [email protected] wrote:

@hiromipaw https://github.com/hiromipaw any particular reason you're using such an old version of Devise?

— Reply to this email directly or view it on GitHubhttps://github.com/ryanb/cancan/issues/835#issuecomment-28082436 .

hiromipaw avatar Nov 08 '13 18:11 hiromipaw

@AntonTrapp solution worked for me on rails 4 with mongoid.

Bramanga avatar Nov 11 '13 18:11 Bramanga

It worked great: rails 4 and CanCan 1.6.10.

For future readers and newcomers: this comes at the end of your controller and :what, :ever are the model attributes ;) ...

def note_params params.require(:note).permit(:what, :ever) end

ricbermo avatar Dec 13 '13 21:12 ricbermo

In case anyone else has this issue: the @AntonTrapp solution was causing me problems in a sort action where the resource params was just an array of sorted ids. To fix I just named the before filter so that, in the appropriate controller, I can just skip_before_filter :cancan_hack, only: [:sort]

class ApplicationController < ActionController::Base
  protect_from_forgery
  before_filter :cancan_hack
 ...
  private

  def cancan_hack
    return if request.get?
    resource = controller_name.singularize.to_sym
    method = "#{resource}_params"
    params[resource] &&= send(method) if respond_to?(method, true)
  end

end

jdowd avatar Dec 17 '13 05:12 jdowd

@AntonTrapp worked for me too in rails 4 :+1:

anand9 avatar Jan 09 '14 06:01 anand9

@AntonTrapp worked for me in rails 4. Thanks a lot.

ronniee avatar Feb 04 '14 08:02 ronniee

@AntonTrapp / @mcbsys / @JiriKolarik worked for me too. Thanks guys!

eljaydub avatar Feb 18 '14 10:02 eljaydub

@JiriKolarik hack works for my namespaced user model, thanks. By the way, it's been a year and this is still an issue, is there any ideas on when will this be really fixed?

zavan avatar Feb 18 '14 22:02 zavan

Thanks a lot for CanCan, but it seems now abandoned, I've moved to Pundit: https://github.com/elabs/pundit

zavan avatar Feb 18 '14 23:02 zavan

@leckylao works great for me, very easy to implement too. Thanks!

levymetal avatar Mar 05 '14 11:03 levymetal

Thanks for @AntonTrapp 's suggestion, it works fine for me either with rails 4.0.3 + cancan 1.6.8

jgnan avatar Mar 06 '14 07:03 jgnan

So I ran into this issue and neither @AntonTrapp nor @JiriKolarik's fixes worked for me. I have a controller thats a completely different namespace from the model being edited (so think Store::Product and Admin::Product), which meant that the "Load resource" part of load_and_authorize_resource wasn't working. The fix was to use my own loader, and skip the CanCan loader:

    before_action :set_store_product, only: [:edit, :show, :update, :destroy]
    authorize_resource :class => Store::Product.
    # [/snip]
    private
      def set_store_product
         @store_product = Store::Product.find(params[:id])
      end

Hope this helps someone else!

jenheilemann avatar Mar 14 '14 15:03 jenheilemann

Worked with Rails 4.0.3, CanCan 1.6.10. Thanks @AntonTrapp !

siddharthbhagwan avatar Mar 20 '14 09:03 siddharthbhagwan

Here is what worked for me....

  • create file under config/initializers/cancan.rb
module CanCan
  class ControllerResource
    alias_method :original_resource_params_by_namespaced, :resource_params_by_namespaced_name

    def resource_params_by_namespaced_name
      if (@controller && @params && @params[:action] == "create")
        strong_params =  @controller.method("#{namespaced_name.name.downcase}_params".to_sym)
        params = strong_params.call if defined? strong_params
      end
      params ||=  original_resource_params_by_namespaced
    end
  end
end
  • Restart your rails app.

Note: This fix/workaround only works if your controller has the usual strong params method. For example, in FooController there should be:

def foo_params
  params.require(:foo).permit(:what, :ever)
end

bman917 avatar Mar 29 '14 13:03 bman917

Just FYI we now have CanCanCan which fixes this and many other issues on the original CanCan repo :wink:

miharekar avatar Mar 29 '14 21:03 miharekar

WARNING: before you all run to CanCanCan, it is 1.x only!

AntonTrapp avatar Mar 30 '14 05:03 AntonTrapp

Well 2.x isn't usable yet anyway, right? And they say they will start working on 2.x when they figure out what exactly @ryanb had in mind building it. What I'm trying to say is that their 2.x is the same as CanCan 2.x - there is no work being done anywhere :smile:

miharekar avatar Mar 30 '14 06:03 miharekar

It is for some, just don't want them to be disappointed (like me, rushed to your site immediately lol).

AntonTrapp avatar Mar 30 '14 06:03 AntonTrapp

I changed for Cancancan and did not have to change even one line of code for it to work. And FYI the fix I talked about in my first post has always been working.

Crystark avatar Mar 30 '14 10:03 Crystark

I just switched to CanCanCan and can also confirm that it is working without changing any code. I was able to remove the fix_cancan_forbidden_attr_error work-around in my application_controller.rb with any problems after switching to CanCanCan.

eljaydub avatar Apr 09 '14 09:04 eljaydub

@AntonTrapp +1 Cool, thanks

Feuda avatar Jun 17 '14 09:06 Feuda

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013. Since only Ryan himself has commit permissions, the CanCan project is on a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!

xhoy avatar Jul 01 '14 07:07 xhoy

I lost 2 hours trying to find this bug ... Thank you!

candidosales avatar Jul 07 '14 05:07 candidosales

If you are getting the same error on new ( giving default params from the url) you can do this :+1:

module CanCan
  class ControllerResource
    alias_method :original_resource_params_by_namespaced, :resource_params_by_namespaced_name

    def resource_params_by_namespaced_name
      if (@controller && @params && (@params[:action] == 'create' || (@params[namespaced_name.name.downcase] && @params[:action] == 'new')))
        strong_params =  @controller.method("#{namespaced_name.name.downcase}_params".to_sym)
        params = strong_params.call if defined? strong_params
      end
      params ||=  original_resource_params_by_namespaced
    end
  end
end

ombr avatar Jul 28 '14 17:07 ombr

Hi guys

i started rails in this week only. (i am working with piggyback demo and getting this error) I am getting this error in rails admin. any idea where i can apply the fix given by @AntonTrapp or by @bman917

Please help.

tc cheers, karan

i cannot find where i can apply the workaround in rails admin

karan-ta avatar Sep 06 '14 10:09 karan-ta

@kodeycom switch to cancancan

miharekar avatar Sep 06 '14 11:09 miharekar

Switch to cancancan

On Sep 6, 2014, at 12:05, kodeycom [email protected] wrote:

Hi guys

i started rails in this week only. (i am working with piggyback demo and getting this error) I am getting this error in rails admin. any idea where i can apply the fix given by @AntonTrapp https://github.com/AntonTrapp or by @bman917 https://github.com/bman917 Please help.

tc cheers, karan

i cannot find where i can apply the workaround in rails admin

— Reply to this email directly or view it on GitHub https://github.com/ryanb/cancan/issues/835#issuecomment-54708242.

jirikolarik avatar Sep 06 '14 16:09 jirikolarik

I spent an hour trying to figure out this problem I just switched to CanCanCan and it worked without having to modify anything

Great work

CarlosRoque avatar Nov 05 '14 16:11 CarlosRoque

Thank you @AntonTrapp :+1:

mitogh avatar Nov 12 '14 06:11 mitogh

+1

xacaxulu avatar Jan 10 '15 06:01 xacaxulu

Merci @ombr , ça marche bien~

module CanCan
  class ControllerResource
    alias_method :original_resource_params_by_namespaced, :resource_params_by_namespaced_name

    def resource_params_by_namespaced_name
      if (@controller && @params && @params[:action] == "create")
        strong_params =  @controller.method("#{namespaced_name.name.downcase}_params".to_sym)
        params = strong_params.call if defined? strong_params
      end
      params ||=  original_resource_params_by_namespaced
    end
  end
end

xacaxulu avatar Jan 10 '15 06:01 xacaxulu

De rien !

It works, but on my projects I moved to cancancan.

ombr avatar Jan 12 '15 10:01 ombr

@AntonTrapp,Thank you for help!

MaksimPW avatar Oct 22 '15 11:10 MaksimPW

Thanks, @AntonTrapp, your solution fixed my issue. 👍

PedroPauloML avatar May 04 '17 01:05 PedroPauloML

i had AdjustmentTask model and adj_task_params in its controller it starts to work after renaming params method like model name: tcfto_adjustment_params

Thaisia avatar Feb 10 '21 12:02 Thaisia