
I'm currently running the following:

Rails 4.0.2
Devise 3.2.2

The Devise documentation states that Strong Parameters will block all but the following attributes by default: email, password, password_confirmation, current_password.

I edited the new.html.erb in my registration Devise Views to contain three additional attributes - first_name, last_name, profile_name as shown below.

<h2>Sign up</h2>

<%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
  <%= devise_error_messages! %>
  <div><%= f.label :first_name %><br />
    <%= f.text_field :first_name %></div>

  <div><%= f.label :last_name %><br />
    <%= f.text_field :last_name %></div>

  <div><%= f.label :profile_name %><br />
    <%= f.text_field :profile_name %></div>

  <div><%= f.label :email %><br />
  <%= f.email_field :email, :autofocus => true %></div>

  <div><%= f.label :password %><br />
  <%= f.password_field :password %></div>

  <div><%= f.label :password_confirmation %><br />
  <%= f.password_field :password_confirmation %></div>

  <div><%= f.submit "Sign up" %></div>
<% end %>

<%= render "devise/shared/links" %>

For some reason a user can still register by inputting information in all the fields, even the new fields that I added. Is there a reason my attributes are all being allowed by default?

I'm new to programming and I'm following my first Rails tutorial, so I'm sure I'm making a completely obvious mistake, but I can't figure it out and haven't been able to find the same problem by searching online.

Thank you

sapmub
  • Check the record: does it hold a value for the column you have added? I think they will have a nil value, as they cannot bypass the strong parameters. – Nitin Jain Jan 17 '14 at 16:21
  • Yes it held the value of 'nil' and wasn't being added to the database. Thank you! – sapmub Jan 17 '14 at 16:41

3 Answers

Gemfile

gem "strong_parameters"

config/application.rb

config.active_record.whitelist_attributes = false

application_controller.rb

class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :first_name
  end
end

With strong parameters there is no implicit validation on the client side as to whether or not the fields are allowed, but these fields will not actually be saved to the database until you explicitly permit them in your controller. You should be able to verify that the controller is blocking those fields by watching your server console during the create/update action.

Dhaulagiri
  • This is what was happening. I saw from the records that the fields I added held a value of 'nil'. I was expecting some sort of error on the client side. – sapmub Jan 17 '14 at 16:40

The user can enter them, but they are not permitted for mass assignment. The following is from the Devise README:

In case you want to permit additional parameters (the lazy way™) you can do with a simple before filter in your ApplicationController:

class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :username
  end
end

Read more about this on Devise's README, strong parameter section.

Juanito Fatas
  • I added the code below but it's not working for me. I get the error "Email can't be blank" and "Password can't be blank" even though they have both been entered. Not sure if I need to open a new question for this... `class ApplicationController < ActionController::Base before_filter :configure_permitted_parameters, if: :devise_controller? protected def configure_permitted_parameters devise_parameter_sanitizer.for(:sign_up) << :first_name devise_parameter_sanitizer.for(:sign_up) << :last_name devise_parameter_sanitizer.for(:sign_up) << :profile_name end end` – sapmub Jan 17 '14 at 17:19
  • This is just an example. You need to find out which attribute you want to whitelist. – Juanito Fatas Jan 19 '14 at 06:00
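As an added illustration (not part of the question or the answers, and not Devise's own code), the following pure-Ruby model reproduces the sanitizer behaviour the answers describe: with the Devise 3.x defaults the three extra fields are silently dropped, which is why the columns held nil, and after the `for(:sign_up) << :field` configuration they pass through. The class name ToySanitizer and the sample params are constructed, and the script runs without Rails or Devise.

```ruby
# Added example: a pure-Ruby model of how the Devise 3.x parameter sanitizer
# filters sign-up params. NOT Devise's implementation; it only mirrors the
# behaviour above: unpermitted keys are dropped silently (column stays nil)
# and Rails logs them as "Unpermitted parameters: ...".
class ToySanitizer
  # Devise 3.x default keys for :sign_up (other actions omitted here).
  DEFAULTS = { sign_up: [:email, :password, :password_confirmation] }.freeze

  def initialize
    @permitted = DEFAULTS.transform_values(&:dup)
  end

  # Mirrors `devise_parameter_sanitizer.for(:sign_up) << :first_name`:
  # returns the mutable key list so callers can append to it.
  def for(action)
    @permitted.fetch(action)
  end

  # Returns [permitted_hash, unpermitted_keys]. Form params arrive with
  # string keys ("user" => {"first_name" => ...}), so compare as symbols.
  def sanitize(action, params)
    allowed = @permitted.fetch(action)
    permitted, unpermitted = {}, []
    params.each do |key, value|
      if allowed.include?(key.to_sym)
        permitted[key.to_sym] = value
      else
        unpermitted << key.to_sym
      end
    end
    [permitted, unpermitted]
  end
end

# Constructed sample of what the sign-up form in the question submits.
SIGN_UP_PARAMS = {
  "first_name" => "Jane", "last_name" => "Doe", "profile_name" => "jdoe",
  "email" => "jane@example.com",
  "password" => "s3cret-pw", "password_confirmation" => "s3cret-pw"
}.freeze

# Without configure_permitted_parameters: the three new fields are dropped.
def sanitize_with_defaults(params = SIGN_UP_PARAMS)
  ToySanitizer.new.sanitize(:sign_up, params)
end
# With the answers' "lazy way" before_filter applied.
def sanitize_with_custom_fields(params = SIGN_UP_PARAMS)
  sanitizer = ToySanitizer.new
  sanitizer.for(:sign_up) << :first_name << :last_name << :profile_name
  sanitizer.sanitize(:sign_up, params)
end
```

The list returned as the second element is exactly what Rails prints to the server console as "Unpermitted parameters: first_name, last_name, profile_name" during the create action.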