0

I 'm using authlogic for authentication and using this tutorial. I did refer to rubyDocs also. If I understand it correctly that attr_protected method ensures list of attributes will not be accessible for mass-assignment. And I have my model attributes as protected. I also tried changing the whitelist flag in config/application.rb to false..which didnt make any difference.

I think the problem might be because of no attribute called password & password_confirmation in user model. This is what the tutorial says

We changed the field name from :crypted_password to :password. Authlogic will map the :password field to :crypted_password after hashing it. We also changed the field type from f.text_field to f.password_field, this will create your standard password input field instead of a plain text input field. We have also added a :password_confirmation field. All of the logic to support these fields is built into authlogic.

Is this still true? Any suggestions on how to fix this issue?

Rails: 3.2.12

Ruby: 1..9.3

ActiveModel::MassAssignmentSecurity::Error in UsersController#create

Can't mass-assign protected attributes: password, password_confirmation

{"utf8"=>"✓",
 "authenticity_token"=>"WUw09PvSlIxLUBFFsi1hiK6v0Y3nn7wqkjH3seCkU34=",
 "user"=>{"username"=>"test",
 "email"=>"test",
 "password"=>"[FILTERED]",
 "password_confirmation"=>"[FILTERED]"},
 "commit"=>"Create User"}

Following is my model & controller

MODEL

class User < ActiveRecord::Base
  attr_accessible :crypted_password, :email, :password_salt, :persistence_token, :username
end

CONTROLLER

def create
    @user = User.new(params[:user])

    respond_to do |format|
      if @user.save
        format.html { redirect_to @user, notice: 'User was successfully created.' }
        format.json { render json: @user, status: :created, location: @user }
      else
        format.html { render action: "new" }
        format.json { render json: @user.errors, status: :unprocessable_entity }
      end
    end
  end

FORM.html

div class="field">
    <%= f.label :username %><br />
    <%= f.text_field :username %>
  </div>
  <div class="field">
    <%= f.label :email %><br />
    <%= f.text_field :email %>
  </div>
  <div class="field">
    <%= f.label :password %><br />
    <%= f.password_field :password %>
  </div>
  <div class="field">
      <%= f.label :password_confirmation %><br />
      <%= f.password_field :password_confirmation %>
    </div>

Thanks

4

1 回答 1

1

正如您所说,您的属性似乎受到保护,因此无法批量分配。通过添加到attr_accessible列表使它们可以访问

class User < ActiveRecord::Base
  attr_accessible :crypted_password, :email, :password_salt, :persistence_token, :username, :password, :password_confirmation
end

注意:您可能还想从该列表中删除敏感数据,例如:crypted_password:password_salt

class User < ActiveRecord::Base
  attr_accessible :email, :persistence_token, :username, :password, :password_confirmation
end
于 2013-03-17T17:37:55.247 回答