Tuesday, May 10, 2016

White-listing random tokens as attributes in Rails

This is a Rails 3.2 app. (Don't tell me to upgrade - not my call).

I am getting an error thrown by strong_parameters:

ActiveModel::ForbiddenAttributes at /reset_passwords/gYTE5UwajmxhP5aGnMlw3w where reset_passwords is the controller-action and the random string following it is a token sent to the user to allow user access to their own account and password.

I have permissions set up that work for every other controller_action#model_attribute authorization scheme in my app. So I know that it's not the general usage.

The issue here is where a user is not logged in and can't remember their password. A link allows them to enter a password and have instructions sent via email to reset it. The user_model generates a one-time token string that degrades in 2 hours, and embeds that string into the link sent to the user, in this case:

http://ift.tt/21SLfhh

By clicking this link, the user is brought back to the site and the user#edit page where they can change their password by providing a new one and a confirmation.

Clicking [Change Password] submits the form, and the error occurs.

What I can't figure out is how to white-list the random token attribute so that it passes strong-parameters.

I have tried:

```
allow_action :users, [:new, :update]

allow_action :users, [:edit, :update] do |user|
  user.id == user.id
end

allow_attr :users, [:email, :password, :password_confirmation]

allow_action :reset_passwords, [:new, :create, :edit, :update]
```

All these return the exact same error.

However, when I am logged on as an admin user (with Permissions set to [:all]), I can reset the password without a problem.

Any ideas on how to sanitize a random token object through strong_parameters?
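The following is an added illustration of the strong_parameters contract the question runs into; it is not the asker's code and not Rails' or the strong_parameters gem's code. `Params` and `User` are hypothetical stand-ins for `ActionController::Parameters` and the user model, written so the example runs without Rails, and the sample request hash is constructed. The point it demonstrates: `ActiveModel::ForbiddenAttributes` is raised when a params hash that was never passed through `permit` reaches mass assignment, and the reset token is a lookup key taken from the path (`params[:id]`), not an attribute that needs white-listing.

```ruby
# Raised by the stand-in below in the same situation the strong_parameters
# gem raises ActiveModel::ForbiddenAttributes: a params hash that was never
# explicitly permitted is handed to mass assignment.
class ForbiddenAttributesError < StandardError; end

# Minimal stand-in for ActionController::Parameters (hypothetical, not the
# gem's code): a hash that remembers whether permit was called on it.
class Params
  def initialize(hash, permitted = false)
    @hash = hash.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
    @permitted = permitted
  end

  def [](key)
    @hash[key]
  end

  # Like params.require(:user): the value must be present; a nested hash
  # comes back as a new, still unpermitted, Params.
  def require(key)
    value = @hash.fetch(key) { raise ArgumentError, "param is missing: #{key}" }
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # Like permit(:a, :b): keep only the named keys and mark the result permitted.
  def permit(*keys)
    Params.new(@hash.select { |k, _| keys.include?(k) }, true)
  end

  def permitted?
    @permitted
  end

  def to_h
    @hash.dup
  end
end

# Stand-in for the user model. The token lives on the record as a lookup
# key with an expiry; it is never a mass-assignable attribute.
class User
  TOKEN_TTL = 2 * 60 * 60 # two hours, as in the question
  attr_accessor :password, :password_confirmation, :reset_token, :reset_sent_at

  def initialize(reset_token, reset_sent_at)
    @reset_token = reset_token
    @reset_sent_at = reset_sent_at
  end

  # Mirrors the check strong_parameters performs before mass assignment.
  def assign_attributes(attrs)
    raise ForbiddenAttributesError, "unpermitted params" unless attrs.permitted?
    attrs.to_h.each { |k, v| public_send("#{k}=", v) }
  end

  def token_valid?(now)
    !reset_token.nil? && !reset_sent_at.nil? && (now - reset_sent_at) < TOKEN_TTL
  end
end

# The shape of a reset_passwords#update action. The token arrives as
# params[:id] (the path segment) and is used only to find the user; the
# permit list names the password fields and nothing else, so the token
# itself never has to be white-listed as an attribute.
def update_password(users, params, now)
  user = users.find { |u| u.reset_token == params[:id] }
  return :invalid_token unless user && user.token_valid?(now)

  user.assign_attributes(params.require(:user).permit(:password, :password_confirmation))
  user.reset_token = nil # one-time use: burn the token after success
  :ok
end

# Constructed sample request: the token from the question's URL plus a
# form post that also smuggles an "admin" key, which permit drops.
SAMPLE_NOW = Time.utc(2016, 5, 10, 12, 0, 0)
SAMPLE_PARAMS = {
  "id" => "gYTE5UwajmxhP5aGnMlw3w",
  "user" => { "password" => "s3cret", "password_confirmation" => "s3cret", "admin" => true }
}

if __FILE__ == $PROGRAM_NAME
  users = [User.new("gYTE5UwajmxhP5aGnMlw3w", SAMPLE_NOW - 600)]
  puts update_password(users, Params.new(SAMPLE_PARAMS), SAMPLE_NOW)
end
```

Handing `params.require(:user)` straight to `assign_attributes` raises, which is the error from the question; handing it through `permit` succeeds, the extra `admin` key is discarded, and a token older than two hours or already used is rejected before any assignment happens.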
