Unpermitted parameters for Dynamic Forms in Rails 4

Question

I'm new to Rails and built something based on this

http://railscasts.com/episodes/403-dynamic-forms

but I have a problem with storing data in the additional fields... I have a ProductType object that has many ProductField objects. The ProductField object also belongs to a ProductType and Product object belongs to a ProductType.

So,new dynamic fields can easily be added via the constructor ProductType, but when I try to set data in this fields via Product controller nothing happens.

I am sure that problem is related to use strong parameters, but fix described here and here did't help.

product.rb

class Product < ActiveRecord::Base
    belongs_to :product_type
    serialize :properties, Hash
end

product_type.rb

class ProductType < ActiveRecord::Base
    has_many :fields, class_name: "ProductField"
    accepts_nested_attributes_for :fields, allow_destroy: true
end

product_field.rb

class ProductField < ActiveRecord::Base
    belongs_to :product_type
end

products_controller.rb

class ProductsController < ApplicationController
    def new
    @product = Product.new(product_type_id: params[:product_type_id])
    end
    def product_params
    params.require(:product).permit(:name, :price, :product_type_id, {:properties => []})
    end

product_type_controller.rb

class ProductTypesController < ApplicationController
    def product_type_params
    params.require(:product_type).permit(:name, fields_attributes: [:id, :name, :field_type, :required, :product_type_id])
    end

In console log: Unpermitted parameters: properties

Started PATCH "/products/4" for 127.0.0.1 at 2013-10-04 22:54:59 +0400
Processing by ProductsController#update as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"my3ra60OUXexmmguk2eqRetizx3tWPMq04Z2PnODJMQ=", "product"=>{"product_type_id"=>"1", "name"=>"Product1", "properties"=>{"gjfghjf"=>"123", "123"=>[""]}, "price"=>"10"}, "commit"=>"Update Product", "id"=>"4"}
Product Load (0.3ms)  SELECT "products".* FROM "products" WHERE "products"."id" = ? LIMIT 1  [["id", "4"]]
Unpermitted parameters: properties

P.S: maybe someone faced a similar problem when watching a podcast?

Can you post your form code? I see you are getting this: `"properties"=>{"gjfghjf"=>"123", "123"=>[""]}` in your return parameters. Properties is coming in as a hash of two items, one of which is an array. In your product_params it is expecting an array of permitted scalar values based on how it's written. Is this Railscast originally done using Rails 4? — Beartech, Oct 05 '13 at 03:45
If you want to test that it's a problem with how the params are constructed in either the form code or the `permit` statement you can do this: `params.require(:product).permit!`. It will whitelist everything. Good for testing but very bad for security so you'll want to sort it out at some point. — Beartech, Oct 05 '13 at 04:06
Yeap, params.require(:product).permit! really working, but it's very bad for security you are quite right.. — AntonyZ, Oct 05 '13 at 08:23

score 12 · Accepted Answer · answered Oct 05 '13 at 05:15

If you want to return a nested hash as a parameter you have to name the keys in the array in permit.

class ProductsController < ApplicationController
def new
@product = Product.new(product_type_id: params[:product_type_id])
end
def product_params
params.require(:product).permit(:name, :price, :product_type_id, {:properties => [:foo, :bar, :id]})
end

If you are generating the keys dynamically and can't code them into the permit statement then you need to use this style:

def product_params
  params.require(:product).permit(:name, :price, :product_type_id).tap do |whitelisted|
    whitelisted[:properties] = params[:product][:properties]
  end
end

It's not the most friendly code for a new user, I just finished the 3 course rails certificate at UW and they never even covered .tap.

This is not my work, I'm still just understanding the deeper parts of .permit like this. This is the blog entry I used: Strong Parameters by Example

So did the code above work without any modification? If any mods were needed, leave a comment here with it and I'll change it so the answer is more accurate. If it worked perfect out of the box, well dang! A bit of luck on my part as I was just extrapolating from what I know about Strong Params and what I've read. — Beartech, Oct 06 '13 at 00:52

Unpermitted parameters for Dynamic Forms in Rails 4

1 Answers1

Linked