Money-rails field is being filtered out by strong parameters in Rails 4 + Mongoid

1
votes

I'm using Rails 4+ MongoDB (mongoId) + money-rails gem and have these 2 models:

class MyModel
  field :date, type: Date
  field :amount, type: Money   
  ..............
end

class OtherModel < MyModel
  ........
end

On the controller the permit params functions is as follows:

def my_model_params
  base=[:field1, field2, :field3, :amount]
  params.permit(:field11, :field22, :field33, :field44, other_model: base)

end

Now ,the amount field is Money type, but before that it was a float field. With float, the create method worked without problems, but now that the :amount field is of type Money, I'm getting on the logfile the message Unpermitted parameter: amount. This happens when I want to create a new OtherModel object:

OtherModel.create(field1: "aaa", field2: "bbb", field3: "ccc", :amount=>Money.new(12345))

I've tried several ways of defining the my_model_params method so that it accepts the amount field, including all the options related to this I found at StackOverflow, but I keep getting the same error. The only way I found of making this work is by using permit!

def my_model_params
  base=[:field1, field2, :field3, :amount]
  params.permit!

end

Which works because it allows all fields, but it is obviously not a good option for mass assignment protection.

On the hash of params, the amount field comes as follows, due to the money-rails gem:

"amount"=>#<Money fractional:12345 currency:USD>

Has someone found a similar issue or knows how to declare the amount field?

Thanks! Marco

1
ruby-on-railsmongodbmongoidstrong-parametersmoney-rails
Are you saying that amount is a Money instance before my_model_params sees anything? And everything worked fine when amount was a number field?mu is too short
Correct, amount field was float before, and my_model_params was letting it pass ok. When I changed the amount field to Money type, my_model_params started to reject it and report it as unpermitted.Marco
And amount is a Money instance when my_model_params is executed rather than a String?mu is too short
Yes, the information coming from params for that field is as follows: "amount"=>#<Money fractional:12345 currency:USD>Marco
Exactly, strong parameters accepts scalar values so I tried declaring the amount field as a hash and other methods but none of them worked. And there is little to none (or I couldn't find) documentation about strong parameters and money-rails working with Mongo fields, unfortunately.Marco

1 Answers

1
votes

Well, I was able to find a solution for this, based on this link . I'm not sure why the amount is filtered out if you add it as described above, but in order to make it work, I used the following solution:

def my_model_params
   base=[:field1, field2, :field3]
   params.permit(:field11, :field22, :field33, :field44, other_model: base).tap do |whitelisted|
                  whitelisted[:other_model][:amount] = params[:other_model][:amount]
              end                
end

This will still report the Unpermitted parameter: amount message on the logs, but will allow you to mass assign the amount field as initially intended.

Hope it helps someone in the future.

Any feedback about why the amount field is being filtered in the first place, will be really appreciated.

Cheers!