Unpermitted parameters. Devise + Oauth. Rails 4

2
votes

Rails 4, Devise 3.0.3, Oauth-facebook

I've added two additional parameters in my User model - :name, :uid and trying to save it in my users table from my form (route /users/sign_up). But as result i receive record in table, which contains only default values for fields :name and :uid instead of values, which i put in my text_fields.

In console i've got the following message:

Unpermitted parameters: name, uid
WARNING: Can't mass-assign protected attributes for User: password_confirmation
app/models/user.rb:31:in `new_with_session'

Here is my user.rb model. I've tried to remove these fiels from attr_accessible but it gives no result.

class User < ActiveRecord::Base
  attr_accessible :oauth_expires_at, :oauth_token, :oauth_secret, :email, :password, :uid, :provider, :name

  default_scope -> {order('created_at ASC')}

  devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable, :validatable, 
     :omniauthable, :omniauth_providers => [:facebook]

  has_many :microposts, :primary_key => "uid", dependent: :destroy

  # validates :uid, presence: true

  def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
  user = User.where(:provider => auth.provider, :uid => auth.uid).first
  unless user
    user = User.create(name:auth.extra.raw_info.name,
                     provider:auth.provider,
                     uid:auth.uid,
                     email:auth.info.email,
                     password:Devise.friendly_token[0,20]
                     )
  end
  user
  end

  def self.new_with_session(params, session)
    super.tap do |user|
      if data = session["devise.facebook_data"] && session["devise.facebook_data"]["extra"]["user_hash"]
    user.email = data["email"]
      end
    end
  end

end

Here is my users/omniauth_callbacks_controller.rb (without facebook method). I've tried to apply different advises related to before_filter, but it still does not work 

 class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController

 before_filter :configure_permitted_parameters

 def create
    super
 end

 private

 def configure_permitted_parameters
   params.require(:user).permit(:name, :uid, :provider)
 end

 end

Here is my view-form ()

Sign up

    <%= link_to "Sign in with Facebook", user_omniauth_authorize_path(:facebook) %>

    <%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
      <%= devise_error_messages! %>

      <div><%= f.label :name %> <br /> 
      <%= f.text_field :name, :autofocus => true %></div>

      <div><%= f.label :email %><br />
      <%= f.email_field :email %></div>

      <div><%= f.label :password %><br />
      <%= f.password_field :password %></div>

      <div><%= f.label :password_confirmation %><br />
      <%= f.password_field :password_confirmation %></div>

      <div><%= f.label :uid %><br />
      <%= f.text_field :uid %></div>


      <div><%= f.submit "Sign up" %></div>
    <% end %>

    <%= render "devise/shared/links" %>

Could you help me, i don't understand what am i doing wrong. How to configure whitelist for my strong params to receive proper values (which user put in view-form) ?

All my source code is available here: https://github.com/DavydenkovM/d23m

Thanks in advance!

UPDATE

I've remove attr_accessible fields and update my controller. But the problem with unpermitted params name and uid at the same point. Now my controller looks like:

    class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController

      before_filter :configure_permitted_parameters, if: :devise_controller?

      def facebook

        @user = User.find_for_facebook_oauth(request.env["omniauth.auth"], current_user)

        if @user.persisted?
          sign_in_and_redirect @user, :event => :authentication #this will throw if @user is not activated
          flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "Facebook"
          set_flash_message(:notice, :success, :kind => "Facebook") # if is_navigational_format?
        else
          redirect_to root_url if user_signed_in?
          session["devise.facebook_data"] = request.env["omniauth.auth"]
          redirect_to new_user_registration_url
        end
      end

      def create
        super
      end

      #def update
      #  person = current_account.user.find(params[:id])
      #  person.update_attributes!(person_params)s
      #  redirect_to person
      #end

      private

      def configure_permitted_parameters
        devise_parameter_sanitizer.for(:users) do |u|
          u.permit(:name, :email, :password, :password_confirmation, :uid, :provider)
        end
      end
    end

UPDATE 2. I'm not clearly understand what is resource in devise_parameter_sanitizer.for(?) and where i need to assign this ?

2
deviseruby-on-rails-4omniauth
possible duplicate of Unpermitted Parameters adding new fields to Devise in rails 4.0Pedro Nascimento
Please check the above question.Pedro Nascimento
Thank you, i've checked and still has unpermitted params. I'm not clearly understand what is resource in devise_parameter_sanitizer.for(?) and where i need to assign this ?user2742804

2 Answers

1
votes

Please try the following.

def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
  user = User.where(:provider => auth.provider, :uid => auth.uid).first
  unless user
    user = User.create(name:auth.extra.raw_info.name,
                     provider:auth.provider,
                     uid:auth.uid,
                     email:auth.info.email,
                     password:Devise.friendly_token[0,20]
                     ).permit!(:name, :uid, :provider)
  end
  user
end

Or

def facebook

 @user = User.find_for_facebook_oauth(request.env["omniauth.auth"].permit!(:name, :uid, :provider), current_user)

   if @user.persisted?
   sign_in_and_redirect @user, :event => :authentication #this will throw if @user is not activated
    flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "Facebook"
    set_flash_message(:notice, :success, :kind => "Facebook") # if is_navigational_format?
  else
    redirect_to root_url if user_signed_in?
    session["devise.facebook_data"] = request.env["omniauth.auth"]
    redirect_to new_user_registration_url
  end
end

Then try this

def configure_permitted_parameters
   devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name, :email, :password, :password_confirmation, :uid, :provider) }
end
0
votes

attr_accessible is not available in Rails 4 because Strong Parameters is now used by default. It appears you are already using strong parameters, so you should simply remove the line from your user model with attr_accessible in it.