相对的Rails 4 Strong Parameters允许所有属性
[英]Rails 4 Strong Parameters opposite permit all attributes
问题描述
I am using rails 4 with strong parameters and trying to figure out how to set the strong parameters to not allow any attribute with the parameter. 
我正在使用带有强参数的rails 4,并试图弄清楚如何设置强参数以不允许带有该参数的任何属性。
I read this Rails 4 Strong parameters : permit all attributes? 我读了这篇Rails 4强参数:允许所有属性吗? And would like to do the opposite of that. 并想做相反的事情。
params.require(:user).permit!
would permit all attributes, how could I do the opposite? 将允许所有属性,我该怎么做相反呢?
UPDATE THIS IS MY FULL CODE: 更新为我的完整代码:
in app/controllers/application_controller.rb 在app / controllers / application_controller.rb中
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
before_filter :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:username, :email, :password, :password_confirmation, :remember_me) }
devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:signin, :password, :remember_me) }
devise_parameter_sanitizer.for(:account_update) {|u| u.permit(:username, :email, :password, :password_confirmation, :current_password)}
devise_parameter_sanitizer.for(:sign_in) { |a| a.permit(:signin, :password, :remember_me) }
devise_parameter_sanitizer.for(:account_update) {|a| a.permit(:username, :email, :password, :password_confirmation, :current_password)}
end
end
in app/models/admin.rb 在app / models / admin.rb中
class Admin < ActiveRecord::Base
# Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable and :omniauthable, :registerable
devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable
attr_accessor :signin
def self.find_first_by_auth_conditions(warden_conditions)
conditions = warden_conditions.dup
if login = conditions.delete(:signin)
where(conditions).where(["username = :value OR lower(email) = lower(:value)", { :value => login }]).first
else
where(conditions).first
end
end
validates :username, presence: true, length: {maximum: 255}, uniqueness: { case_sensitive: false }, format: { with: /\A[a-zA-Z0-9]*\z/, message: "may only contain letters and numbers." }
end
The users.rb model is the same as the admin.rb model. users.rb模型与admin.rb模型相同。 This leads to two different sign up/sign in links- 1 for each model. 这导致两个不同的注册/登录链接-每个模型1。 Also I need to leave the :registerable module so that I can override the default devise's registerable module. 另外,我需要离开:registerable模块,以便覆盖默认装置的可注册模块。 However I modified the views to not show the admin page when typed in a browser. 但是,我修改了视图以在浏览器中键入时不显示管理页面。 --- I only need to block it via command line now. ---我现在只需要通过命令行将其阻止。
I also have posted a previous question similar to this: 我也发布了一个类似的先前问题:
Rails 4 Devise Strong Parameters Admin Model Rails 4设计强参数管理模型
2 个解决方案
解决方案1
0 2013-12-11 04:10:32
If you're not using any user-inputted parameters (like for a GET), you don't need to use params at all. 如果您不使用任何用户输入的参数(例如GET的参数),则根本不需要使用params 。 Your controller will just work, and there won't be a security issue. 您的控制器将正常工作,并且不会出现安全问题。
解决方案2
0 2013-12-11 05:20:43
The default behavior is the opposite of .permit. 默认行为与.permit相反。 If you don't mention an attribute in your params arguments, it is like denying the user access to do anything with those attributes. 如果您在params参数中未提及属性,则就像拒绝用户使用这些属性执行任何操作一样。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.