Ruby China

Rails Grape 和 MongoId 一起用 ForbiddenAttributesError 的问题

birbird · July 12, 2015 · Last by hammer replied at July 15, 2015 · 2319 hits

我想直接把 json payload 整体存到 Mongodb 里。但碰到了 ActiveModel::ForbiddenAttributesError。代码是这样的

format :json
params do
  requires :user, type: Hash do
    requires :name, type: String
    requires :password, type: String
  end
end
post :signup do
  puts params[:user]
  User.create(params[:user])
end

但同时这样就是可以的

format :json
params do
  requires :user, type: Hash do
    requires :name, type: String
    requires :password, type: String
  end
end
post :signup do
  puts params[:user]
  User.create({
      name: params[:user][:name],
      password: params[:user][:password]
    })
end

请问前面那个写法错在哪儿了?

Rei #2 July 12, 2015

提醒一下,我不熟悉 Grape,不知道是否过滤了 requires 以外的参数?如果不过滤会是个漏洞。

hammer #4 July 15, 2015 
permitted = ActionController::Parameters.new(params).require(:city).permit!
result = City.new(permitted).save
You need to Sign in before reply, if you don't have an account, please Sign up first.