Nested attributes unpermitted parameters

Question

I have a Bill object  which has many Due objects  The Due object also belongs to a Person  I want a form that can create the Bill and its children Dues all in one page  I am trying to create a form using nested attributes  similar to ones in this Railscast   Relevant code is listed below   due rb  class Due  lt  ActiveRecord  Base     belongs to  person     belongs to  bill end   bill rb  class Bill  lt  ActiveRecord  Base     has many  dues   dependent   gt   destroy      accepts nested attributes for  dues   allow destroy   gt  true end   bills controller rb      GET  bills new   def new        bill   Bill new       3 times    bill dues build     end   bills  form html erb     lt    form for  bill  do  f    gt       lt div class  field  gt           lt    f label  company   gt  lt br   gt           lt    f text field  company   gt       lt  div gt       lt div class  field  gt           lt    f label  month   gt  lt br   gt           lt    f text field  month   gt       lt  div gt       lt div class  field  gt           lt    f label  year   gt  lt br   gt           lt    f number field  year   gt       lt  div gt       lt div class  actions  gt           lt    f submit   gt       lt  div gt       lt    f fields for  dues do  builder    gt           lt    render  due fields    f   gt  builder   gt       lt   end   gt     lt   end   gt    bills  due fields html erb   lt div gt       lt    f label  amount   Amount    gt               lt    f text field  amount   gt       lt br gt       lt    f label  person id   Renter    gt       lt    f text field  person id   gt   lt  div gt    UPDATE to bills controller rb This works   def bill params    params    require  bill     permit  company   month   year  dues attributes    amount   person id    end   The proper fields are rendered on the page  albeit without a dropdown for Person yet  and submit is successful  However  none of the children dues are saved to the database  and an error is thrown in the server log    Unpermitted parameters  dues attributes   Just before the error  the log displays this   Started POST   bills  for 127 0 0 1 at 2013-04-10 00 16 37 -0700 Processing by BillsController create as HTML lt br gt  Parameters    utf8   gt        authenticity token   gt  ipxBOLOjx68fwvfmsMG3FecV q hPqUHsluBCPN2BeU      bill   gt   company   gt  Comcast    month   gt  April      year   gt  2013    dues attributes   gt    0   gt   amount   gt  30    person id   gt  1      1   gt   amount   gt  30    person id   gt  2      2   gt   amount   gt  30    person id   gt  3       commit   gt  Create Bill     Has there been some change in Rails 4

User · Answer

Today I came across this same issue  whilst working on rails 4  I was able to get it working by structuring my fields for as    lt    f select  tag ids  Tag all collect   t   t name  t id         multiple   gt  true   gt    Then in my controller I have my strong params as   private def post params     params require  post  permit  id   title   content   publish  tag ids      end   All works

User · Answer

If you use a JSONB field  you must convert it to JSON  with  to json  ROR

User · Answer

or you can simply use   def question params    params require  question  permit team ids       end

User · Answer

From the docs  To whitelist an entire hash of parameters  the permit  method can be used  params require  log entry  permit    Nested attributes are in the form of a hash  In my app  I have a Question rb model accept nested attributes for an Answer rb model  where the user creates answer choices for a question he creates   In the questions controller  I do this    def question params        params require  question  permit     end   Everything in the question hash is permitted  including the nested answer attributes  This also works if the nested attributes are in the form of an array   Having said that  I wonder if there s a security concern with this approach because it basically permits anything that s inside the hash without specifying exactly what it is  which seems contrary to the purpose of strong parameters

User · Answer

Actually there is a way to just white-list all nested parameters   params require  widget  permit  name   description  tap do  whitelisted    whitelisted  position    params  widget   position    whitelisted  properties    params  widget   properties  end   This method has advantage over other solutions  It allows to permit deep-nested parameters   While other solutions like    params require  person  permit  name   age  pets attributes    id   name   category     Don t     Source   https   github com rails rails issues 9454 issuecomment-14167664

User · Answer

Seems there is a change in handling of attribute protection and now you must whitelist params in the controller  instead of attr accessible in the model  because the former optional gem strong parameters became part of the Rails Core   This should look something like this   class PeopleController  lt  ActionController  Base   def create     Person create person params    end  private   def person params     params require  person  permit  name   age    end end   So params require  model  permit  fields  would be used    and for nested attributes something like   params require  person  permit  name   age  pets attributes    id   name   category     Some more details can be found in the Ruby edge API docs and strong parameters on github or here

[ruby-on-rails] Nested attributes unpermitted parameters

Examples related to ruby-on-rails

Examples related to ruby-on-rails-4