2

我使用这个 RailsCast 来创建购物车系统的一部分,http: //railscasts.com/episodes/142-paypal-notifications

那里有一段代码被 PayPal 调用以进行通知。

def create
  PaymentNotification.create!(:params => params, :cart_id => params[:invoice], :status => params[:payment_status], :transaction_id => params[:txn_id])
  render :nothing => true
end

我在 Heroku 上试了一下,没有警告也没有错误。PaymentNotification 对象已在数据库中成功创建 - 但除了 id 之外,一切都为零!我打开heroku控制台并尝试:

irb(main):002:0> PaymentNotification.create!(:cart_id => "2", :status => "Complete", :transaction_id => "XYZXYZXYZXYZXYZ")
< => "2", :status => "Complete", :transaction_id => "XYZXYZXYZXYZXYZ")

这给了我这个,

WARNING: Can't mass-assign protected attributes: cart_id, status, transaction_id

为什么 Heroku 日志中没有出现此警告?为什么它仍然成功创建(是因为它只是一个警告,而不是一个错误?)

我可以只使用 attr_accessible 来处理这些事情吗?无论如何都必须验证通知(https://www.paypal.com/cgi-bin/webscr?cmd=p/acc/ipn-info-outside

4

1 回答 1

1

For app security, you must add attr_accessible to your attributes.

On rails 4 is added this gem https://github.com/rails/strong_parameters. Also

I recomend to you use adaptive payments. You can take a look to this post:

Paypal Adaptive Payment for Ruby

于 2013-01-23T22:05:28.137 回答