Angular $resource query gets a 401 on PUT when no CSRF is defined and a 404 on GET when CSRF is defined :/

Question

I'm currently stuck on an update list problem. I use Rails and AngularJS.

On JS side, I plugged jQueryUI for sortable feature with Angular $resource feature to read, update (and in second step, delete and create) a text block that is ordered.

eg.

"1 - lorem ipsum"
"2 - second position lorem ipsum"
"3 - the third position"

in AngularJS controller I have this :

 function DndCtrl($scope, $resource) {
   var Feed = $resource('/users/'+ userId +'/test/:id', {id: '@id'}, {'update': {method:"PUT", isArray:true}});

   $scope.tests = Feed.query(function() {
    $scope.updateSortable = {
    // jQueryUI methods
     update: function(e, ui) {
     // trigger after user ends dropping item
      for (var i=0; i<$scope.tests.length; i++) {
        var t = $scope.tests[i];
        t.position = i+1;
        t.$update();
      }
     },
     placeholder: "t-hightlight",
     axis: 'y'
    };
   });

 } // end DnD

OUTPUT after sorted element :

  PUT http://demo.mytest.dev/users/1/test/1 401 (Unauthorized)

and in the server log :

  warning can't verify csrf

So I found on this topic : Rails CSRF Protection + Angular.js: protect_from_forgery makes me to log out on POST the answer from HuangYuHei and tried it.

The console OUTPUT then :

  GET http://demo.mytest.dev/users/1/test 404 (Not Found)

And on server log :

  Test Load (1.9ms)  SELECT "tests".* FROM "tests" WHERE "tests"."id" = 2 LIMIT 1
  Unpermitted parameters: id

I tested directly the request in the rails console and it returned well the entry.

What I'm I doing wrong ? Did I miss something on Rails config part ? or on Angular part ?

John Ledbetter · Accepted Answer · 2013-11-25T18:30:55.187

1

You're running into a strong_params issue in your Rails controller action.

strong_params is new in Rails 4 and takes the places of the attr_accessible model attributes from prior versions. You now specify in the controller what fields from params are allowed to be used in your queries.

It should look something like this:

respond_with Test.find(params.permit(:id))
# or 
render json: Test.find(params.permit(:id))

edited Nov 25 '13 at 18:30

answered Nov 25 '13 at 18:24

John Ledbetter

13,557
1
61
80

oh thanks I feel we're close to the solution !! I tried both your solutions + added an attr_accessible in the model. Error output changes in 500 status with an "Argument Error (Unknown : id)" Any idea on what I should dig deeper ? – user1713964 Nov 25 '13 at 20:00
After some investigations I have this beahviour : angular does the $update, Rails is saving in DB well. All is fine BUT, on FrontEnd, the console returns an error 500. How can I avoid this to display, as the update is working well ? – user1713964 Dec 06 '13 at 12:04
it was the response given by rails generating this error. On rails, on update, we just need to do the save() and render the page. :) THanks for your pointing out – user1713964 Dec 27 '13 at 18:06

Angular $resource query gets a 401 on PUT when no CSRF is defined and a 404 on GET when CSRF is defined :/

1 Answers1