Rails 6 - 尽管我将密码添加到 "filter_parameters",但它仍显示在日志中
Rails 6 - password showing up in logs even though I added it to the "filter_parameters"
我有一个简单的方法来记录用户的 activity,看起来有点像这样:
def log_activity
...
log_activity.params = params.inspect
log_activity.save
...
end
当我查看终端控制台(然后查看数据库)时,我可以看到那里打印出了密码:
LogActivity Create (2.0ms) INSERT INTO ... ("user_id", ..., "params")
VALUES (, , , , , , , , ) RETURNING "id"
[["user_id", 13], ["params", "#<ActionController::Parameters
{"authenticity_token"=>"gIHGES_Y74nFAtJ1xoH5YD3e28uPJ-icdDAqkGufjhfjdjhgfjhf",
"user"=>{"email"=>"my@email.com",
"password"=>"my-secret-password", "remember_me"=>"0"},
"commit"=>"Log in", "controller"=>"devise/sessions",
"action"=>"create"} permitted: false>"], ["msg", "successfully
signed in."], ["created_at", "2021-04-24 08:50:16.262145"],
["updated_at", "2021-04-24 08:50:16.262145"]]
如何从这里隐藏它并防止它保存到数据库中?我可能可以检查 params 并手动将其从哈希中删除,但是 - 有更优雅的方法吗?
我读到可以通过将密码添加到 config/filter_parameter_logging.rb:
来禁用记录密码
Rails.application.config.filter_parameters += [
:passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :password
]
或将其添加到模型中 (LogActivity.rb):
class LogActivity < ApplicationRecord
self.filter_attributes=[:password]
end
或将其添加到 application.rb 文件:
config.filter_parameters += ["password"]
然而,即使在重新启动服务器后,none 这些操作对我有效,密码始终显示在终端 window 中,然后存储在数据库中。
如何过滤掉它?
使用request.filtered_parameters根据您的Rails.application.config.filter_parameters配置获取筛选参数:
def log_activity
...
log_activity.params = request.filtered_parameters.inspect
log_activity.save
...
end
我有一个简单的方法来记录用户的 activity,看起来有点像这样:
def log_activity
...
log_activity.params = params.inspect
log_activity.save
...
end
当我查看终端控制台(然后查看数据库)时,我可以看到那里打印出了密码:
LogActivity Create (2.0ms) INSERT INTO ... ("user_id", ..., "params") VALUES (, , , , , , , , ) RETURNING "id" [["user_id", 13], ["params", "#<ActionController::Parameters {"authenticity_token"=>"gIHGES_Y74nFAtJ1xoH5YD3e28uPJ-icdDAqkGufjhfjdjhgfjhf", "user"=>{"email"=>"my@email.com", "password"=>"my-secret-password", "remember_me"=>"0"}, "commit"=>"Log in", "controller"=>"devise/sessions", "action"=>"create"} permitted: false>"], ["msg", "successfully signed in."], ["created_at", "2021-04-24 08:50:16.262145"], ["updated_at", "2021-04-24 08:50:16.262145"]]
如何从这里隐藏它并防止它保存到数据库中?我可能可以检查 params 并手动将其从哈希中删除,但是 - 有更优雅的方法吗?
我读到可以通过将密码添加到 config/filter_parameter_logging.rb:
Rails.application.config.filter_parameters += [
:passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :password
]
或将其添加到模型中 (LogActivity.rb):
class LogActivity < ApplicationRecord
self.filter_attributes=[:password]
end
或将其添加到 application.rb 文件:
config.filter_parameters += ["password"]
然而,即使在重新启动服务器后,none 这些操作对我有效,密码始终显示在终端 window 中,然后存储在数据库中。
如何过滤掉它?
使用request.filtered_parameters根据您的Rails.application.config.filter_parameters配置获取筛选参数:
def log_activity
...
log_activity.params = request.filtered_parameters.inspect
log_activity.save
...
end