Monday, May 9, 2016

Whitelisting attributes not working

I have a custom authorization based on RC#386.

I'm trying to add password reset functionality to the app, but get:

ActiveModel::ForbiddenAttributes at /password_resets/2OB3su0v4UwU9sU9WqsTsQ

when I try to set a new password.

I'm white-listing the action#attr like this:

  allow_action :password_resets, [:new, :create, :edit, :update]

I shouldn't have to white-list attributes, since there is no model associated with the controller.

Controller:

class PasswordResetsController < ApplicationController
  def new
  end

  def create
    # Look the user up once instead of twice with the same e-mail.
    user = User.find_by_email(params[:email])
    if user
      user.send_reset_password
      redirect_to root_url, :notice => "We have sent an email with instructions on how to reset your password..."
    else
      redirect_to new_password_reset_path, :notice => "Email can not be blank."
    end
  end

  def edit
    @user = User.find_by_password_reset_token!(params[:id])
    if @user.password_reset_sent_at < 2.hours.ago
      redirect_to new_password_reset_path, :alert => "Password reset has expired, please request another reset."
    end
  end

  def update
    @user = User.find_by_password_reset_token!(params[:id])
    if @user.password_reset_sent_at < 2.hours.ago
      redirect_to new_password_reset_path, :alert => "Password reset has expired."
    elsif @user.update_attributes(params[:user]) # raw params: this is the line that raises ForbiddenAttributes
      redirect_to root_url, :notice => "You have successfully reset your password."
    else
      render :edit
    end
  end
end

There is no model except the User model:

class User < ActiveRecord::Base

  has_secure_password

  #--== ASSOCIATIONS
  has_many :comments  #to Posts
  has_many :replies   #to TOPICS

  #--== VALIDATIONS
  validates_uniqueness_of :email

  #--== CALLBACKS
  before_create { generate_token(:auth_token) }


  #--== METHODS
  def generate_token(column)
    begin
      self[column] = SecureRandom.urlsafe_base64
    end while User.exists?(column => self[column])
  end

  def send_reset_password
    generate_token(:password_reset_token)
    self.password_reset_sent_at = Time.zone.now
    save!
    UserMailer.reset_password(self).deliver
  end

end

All my other controller actions validate against strong_parameters. What am I doing wrong?
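As an added example, not code from the post: a small Ruby stand-in for `ActionController::Parameters` that reproduces the `ForbiddenAttributes` error for the raw `params[:user]` and shows what a permitted version lets through. The `Params` class, the `update_attributes` guard and the `password_reset_params` helper are simplified assumptions that mirror Rails' behaviour, not the Rails implementation, and the request data is constructed.

```ruby
# Added example (not the post's code): a simplified stand-in for Rails'
# ActionController::Parameters, enough to show why the raw params[:user]
# raises in update_attributes and how permitting only the password fields fixes it.
class ForbiddenAttributes < StandardError; end

class Params
  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end
  def permitted?
    @permitted
  end
  # Like Rails, params[:user] returns a nested object that is still unpermitted.
  def [](key)
    value = @hash[key.to_s]
    value.is_a?(Hash) ? Params.new(value) : value
  end
  # require: the nested hash must be present; the result stays unpermitted.
  def require(key)
    value = @hash[key.to_s]
    raise KeyError, "param is missing: #{key}" if value.nil? || value.empty?
    Params.new(value)
  end
  # permit: keep only the whitelisted keys and mark the result as permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@hash.select { |k, _| allowed.include?(k) }, permitted: true)
  end
  def to_h
    @hash.dup
  end
end

# Model-side guard on mass assignment: unpermitted params are refused outright.
def update_attributes(record, attrs)
  raise ForbiddenAttributes unless attrs.permitted?
  record.merge(attrs.to_h)
end

# Controller-side whitelist for the reset form (hypothetical helper name).
def password_reset_params(params)
  params.require(:user).permit(:password, :password_confirmation)
end

# Constructed request: the two form fields plus extra keys that must be ignored.
REQUEST = Params.new({ "user" => { "password" => "new-secret", "password_confirmation" => "new-secret",
                                   "admin" => true, "password_reset_token" => "not-from-the-form" } })
USER = { "email" => "someone@example.com", "admin" => false }
```

Calling `update_attributes(USER, REQUEST[:user])` raises `ForbiddenAttributes`, while `update_attributes(USER, password_reset_params(REQUEST))` updates only the two password fields and silently drops `admin` and `password_reset_token`.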
