Support rails 4 protected attributes #958

wants to merge 5 commits into



ghost commented Nov 11, 2013

No description provided.

So to double check what I'm reading, we would pass in an :attributes option (to, say, load_and_authorize_resource) and it would use that named method as the strong parameters validator?


ghost commented Nov 12, 2013

Yes, I probably should have explained my intent in the original comments.

In the initializer, if the option :attributes exists it will be used as the name of the method that sanitizes the params. If the :attributes option does not exist the initializer will guess the name of the sanitizer method. The default pattern for the sanitize method name is "#{model_name}_options", but it is not required to be that name.

Later in the resource_params_by_namespaced_name method if the sanitize method name exists the controller is checked to see if it has the method. Technically the method name should exist and only the responds to check is needed, but I thought it was safer to double check the existence of the method name. If the controller responds to the method then it is used, if the controller doesn't respond to the method the original behavior is used.

This code is a variation of the code done by my coworker, blischalk, in pull request #911 and a pull request made by theodorton to Brett's repository.

Well I'm not involved with the CanCan project, but I tried your branch out locally and noticed a few issues.

Firstly I had problems because I keep my *_params methods private (like this example). I'm not sure what the repercussions are for these being public, but even if it's benign there would need to be documentation highlighting this.

Once I'd moved this, I went to the new method (my model is pretty much a standard REST resource) and received the following stacktrace:

ERROR ActionController::ParameterMissing: param not found: device
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/gems/actionpack-4.0.1/lib/action_controller/metal/strong_parameters.rb:173:in `require'
    /home/toby/Documents/Sublime/Telemetry/Arachnia/app/controllers/arachnia/devices_controller.rb:129:in `device_params'
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/bundler/gems/cancan-dd62d9086087/lib/cancan/controller_resource.rb:228:in `resource_params_by_namespaced_name'
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/bundler/gems/cancan-dd62d9086087/lib/cancan/controller_resource.rb:223:in `resource_params'
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/bundler/gems/cancan-dd62d9086087/lib/cancan/controller_resource.rb:86:in `build_resource'
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/bundler/gems/cancan-dd62d9086087/lib/cancan/controller_resource.rb:67:in `load_resource_instance'
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/bundler/gems/cancan-dd62d9086087/lib/cancan/controller_resource.rb:33:in `load_resource'
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/bundler/gems/cancan-dd62d9086087/lib/cancan/controller_resource.rb:26:in `load_and_authorize_resource'
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/bundler/gems/cancan-dd62d9086087/lib/cancan/controller_resource.rb:10:in `block in add_before_filter'
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/gems/activesupport-4.0.1/lib/active_support/callbacks.rb:467:in `_run__221214971__process_action__callbacks'
    /home/toby/.rvm/gems/ruby-2.0.0-p247@link/gems/activesupport-4.0.1/lib/active_support/callbacks.rb:80:in `run_callbacks'

I presume this is because there has not actually been any resource "loaded" on this page. That, or I could be doing something completely wrong: more information available on request. I double checked the Gemfile.lock and there's no protected_attributes gem or anything like that.

I hope this helps to refine this branch/pull request: I intend to use it on my "strong parameters migration" branch until it's merged and ready for primetime.

I think you should be able to respond_to?(@params_method, true) here to check for private methods, though it's a fairly badly documented parameter in my experience.

However despite this it's now working with private methods. My site's rspecs are passing now that I've added the :attributes in with no known side-effects,
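
Added example, not part of the thread and not CanCan's code: a plain-Ruby sketch of the sanitizer lookup discussed above, showing why the second argument to respond_to? matters when the sanitizer is private. DevicesController, sanitizer_name, resource_params and SAMPLE are hypothetical stand-ins, and the fallback to the raw params for the model key is an assumption about the "original behavior".

```ruby
# Added illustration; plain Ruby stand-ins, not CanCan or Rails code.

# Hypothetical stand-in for a controller whose sanitizer is private.
class DevicesController
  attr_reader :params

  def initialize(params)
    @params = params
  end

  private

  # Constructed sanitizer: requires the :device key and keeps only :name.
  # A missing :device key raises KeyError, much as require raised
  # ParameterMissing in the stack trace above.
  def device_params
    params.fetch(:device).select { |key, _| key == :name }
  end
end

# Use options[:attributes] when given, otherwise guess the name with the
# "#{model_name}_options" pattern stated in the thread.
def sanitizer_name(model_name, options = {})
  (options[:attributes] || "#{model_name}_options").to_sym
end

# Call the sanitizer if the controller has it; otherwise fall back to the
# raw params for the model (assumed original behavior). include_private is
# passed straight through as the second argument of respond_to?.
def resource_params(controller, model_name, options = {}, include_private = true)
  name = sanitizer_name(model_name, options)
  if controller.respond_to?(name, include_private)
    controller.send(name) # send can reach private methods
  else
    controller.params[model_name.to_sym]
  end
end

# Constructed request params with an attribute the sanitizer drops.
SAMPLE = { device: { name: "probe-1", admin: true } }.freeze

if __FILE__ == $PROGRAM_NAME
  c = DevicesController.new(SAMPLE)
  p resource_params(c, "device", { attributes: :device_params })
  p resource_params(c, "device", { attributes: :device_params }, false)
end
```

With include_private set to false the private sanitizer is not found, so the unsanitized hash (including admin) comes back silently instead of an error.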

xhoy commented Jul 1, 2014

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is on a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!
