-1

I have a model for which I am permitting all updates for an admin user.

This is the relevant code in the controller and model:

      private:
      class ModelsController < ApplicationController
        def model_params
          params.require(:model).permit! if current_user.admin?
        end

        def update
          @model = Model.find(params[:id])

          respond_to do |format|
            if @model.update_attributes(model_params)
              format.html { redirect_to @model, notice: 'model was successfully updated.' }
              format.json { head :no_content }
            else
              format.html { render action: "edit", flash: { error: @model.errors.full_messages.join(', ') } }
              format.json { render json: @model.errors, status: :unprocessable_entity }
            end
          end
        end
      end

      class Model < ActiveRecord::Base
        include ActiveModel::ForbiddenAttributesProtection
      end 

However, when I update attributes from the active admin edit page, I still get the `ActiveModel::ForbiddenAttributesError`.

Relevant Gems: Rails4, Ruby2.0, activeadmin

codeObserver
  • I don't understand how you can conclude that the single `job_params` method definition is the only "relevant code" from your controller. The _use_ of this method in the case of updating attributes is equally important. – Peter Alfvin Dec 27 '13 at 22:23
  • Are you sure ActiveAdmin is going through ModelsController? – mu is too short Dec 27 '13 at 22:40
  • Thanks @PeterAlfvin . Added code for update method – codeObserver Dec 27 '13 at 22:42
  • Are you 100% sure user is admin? I think it would be better to add before_filter and check that user is admin in there. p.s. what is "private:" for at the top? – TheRusskiy Dec 27 '13 at 22:50
  • @muistooshort Thanks for your comment. Turns out I have to permit params independently for active admin like this. If you submit an answer I can accept it. Like this: controller do def permitted_params params.permit! end end – codeObserver Dec 27 '13 at 23:04
  • I don't know anything about ActiveAdmin, might make more sense to answer your own question (which is allowed). – mu is too short Dec 27 '13 at 23:14

2 Answers

1

I had the same problem. You can also specify which fields are permitted.

      ActiveAdmin.register Post do
        permit_params :title, :content
      end

0

Turns out I have to permit params independently for active admin like this:

      ActiveAdmin.register Model do
        controller do
          def permitted_params
            params.permit!
          end
        end
      end

codeObserver
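How the two answers differ in what they let through, as an added example that is not code from either answer or from ActiveAdmin: a plain-Ruby stand-in for strong parameters comparing unpermitted params, `permit!`, and an allowlist like `permit_params :title, :content`. `MiniParams`, `MiniModel`, `update_with` and the `role` attribute are hypothetical names, and no Rails is loaded.

```ruby
# Plain-Ruby stand-in for Rails strong parameters (assumption: flat hashes
# only, no Rails loaded; MiniParams, MiniModel and :role are hypothetical).
class ForbiddenAttributesError < StandardError; end

MiniParams = Struct.new(:data, :permitted) do
  # Allowlist: copy only the named keys and mark the copy as permitted.
  def permit(*keys)
    MiniParams.new(data.slice(*keys), true)
  end

  # Blanket approval: every submitted key is marked permitted.
  def permit!
    self.permitted = true
    self
  end
end

class MiniModel
  attr_reader :attributes

  def initialize
    @attributes = { title: "old", role: "user" }
  end

  # Mirrors ForbiddenAttributesProtection: refuse params nobody permitted.
  def update(params)
    raise ForbiddenAttributesError unless params.permitted
    @attributes.merge!(params.data)
  end
end

# Constructed form submission carrying an attribute the form never offered.
def submitted
  MiniParams.new({ title: "new", content: "body", role: "admin" })
end

# Applies the block's permitting strategy, then attempts the update.
def update_with
  model = MiniModel.new
  model.update(yield(submitted))
  model.attributes
rescue ForbiddenAttributesError
  :forbidden
end
```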