Rails 4.1.5 omniauth strong parameters

2019-01-17 01:35发布

站内问答 / 移动开发
1556 3 6

After upgrading Rails 4.1.4 to 4.1.5 i get errors with my facebook omniauth session everything was working fine since then. When i create a User Session i get an ActiveModel::ForbiddenAttributesError

Route:

  match 'auth/:provider/callback', to: 'sessions#create', as: 'signin', via: :get

Session#create controller:

  def create
        user = User.from_omniauth(env["omniauth.auth"])
        session[:user_id] = user.id 
        session[:user_name] = user.name

      redirect_to root_path
  end

and a user model like this:

  def self.from_omniauth(auth)
    where(auth.slice(:provider, :uid)).first_or_create.tap do |user|
      user.provider ||= auth.provider 
      user.uid = auth.uid
      user.name = auth.info.name
      user.save
    end
  end

I can bypass the ActiveModel error by adding a permit! method in my User Model like that:

where(auth.slice(:provider, :uid).permit!).first_or_create.tap do |user|

But it override the first user from the database... The session[:user_id] seems to always be the first User from the database.

I don't know if it's a strong parameters problem, an Omniauth problem or both?

3条回答
时光不老,我们不散
2楼-- · 2019-01-17 01:35

I created a detailed writeup of what is happening here:

Rails 4.1.5 Security Fix Breaks Model.where(attributes)

Snippet:

YIKES! Rails 4.1.5 requires you to use safe params for any param to where that is_a? Hash For example, if you were doing a Model.where using slice to take some keys out of some object that derives from Hash, then your code will throw this error when you migrate from Rails 4.1.4 to Rails 4.1.5:

An ActiveModel::ForbiddenAttributesError occurred in omniauth_callbacks#facebook: ActiveModel::ForbiddenAttributesError

查看更多
0人赞 添加讨论(0) 举报
Explosion°爆炸
3楼-- · 2019-01-17 01:46

Replace you current finder:

def self.from_omniauth(auth)
  where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
    user.provider = auth.provider 
    user.uid      = auth.uid
    user.name     = auth.info.name
    user.save
  end
end
查看更多
0人赞 添加讨论(0) 举报
SAY GOODBYE
4楼-- · 2019-01-17 02:00

My solution is like this.

# extend the object and add method
auth_hash_extended = auth.slice(:provider, :uid)
def auth_hash_extended.permitted?()
  true
end

where( auth_hash_extended ).first_or_create do |user|
    user.provider = auth.provider
    #blablabla
end

If you have difficulty in separating hash into key-value sets, you may use this way.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)