Rails 来自相关模型的强大参数中不允许的参数创建

Unpermitted parameters in Rails strong params from related Model on create

我正在使用 Rails 中的表单创建一个模型的实例,并在创建时创建到另一个模型的连接 table。在我的 Accounts 控制器中,在验证 Account 的新实例已创建后,我根据在另一个模型的表单中选择的复选框创建了一个新的连接 table。

这是我的代码:

型号:

class Account < ApplicationRecord
    has_many :account_authorizations
    has_many :authorizations, through: :account_authorizations
    accepts_nested_attributes_for :authorizations
end
class Authorization < ApplicationRecord

    has_many :account_authorizations
    has_many :accounts, through: :account_authorizations
end
class AccountAuthorization < ApplicationRecord
    belongs_to :account 
    belongs_to :authorization 
end

我的 Accounts 控制器:

class AccountsController < ApplicationController
  before_action :find_account, only: [:show, :update, :destroy]

  def index
    @accounts = Account.all

  end

  def show 
  end

  def new 
     @authorizations = Authorization.all
  end

  def create 
    byebug 
    @account = Account.new(account_params) 
    if @account.save 
      authorization_ids = params.permit![:authorization][:ids]
      authorization_ids.each do |auth_id| 
      AccountAuthorization.create(authorization_id: auth_id, account_id: params[:id]) if !auth_id.empty?
      end
      flash[:notice] = "Account created sucsessfully"
      redirect_to account_path(@account) 
    else    
      flash[:error] = @item.errors.full_messages.to_sentence
      render :new 
    end
  end

  def edit   
  end

  def update
     @account = Account.update(account_params) 
    if @account.valid?
      flash[:notice] = "Account created sucsessfully"
      redirect_to accounts_path(@account) 
    else    
      flash[:error] = @item.errors.full_messages.to_sentence
      render :edit 
    end
  end

  def destroy
    @account.delete
    redirect_to accounts_path
  end



private 

def find_account 
  @account = Account.find(params[:id])
end

def account_params
    params.permit(
      :account_name,
      :account_address_line1,
      :account_address_line2,
      :account_city,
      :account_state,
      :account_zipcode,
      :account_ppu,
      :account_notes,
      :contact_first_name,
      :contact_last_name,
      :contact_phone,
      :contact_email
    )
  end

end 

我试过使用 .permit!在参数上,但这不允许来自 Authorization 的 ID 传递到 AccountAuthorization 的新连接实例中。

没有通过的属性是:

Unpermitted parameters: :authenticity_token, :authorization, :commit

我也试过将它们放在 strong_params 方法的许可散列中。

** 更新 **

我的观点页面form

<% states = [ 'AL', 'AK', 'AS', 'AZ', 'AR', 'CA', 'CO', 'CT', 'DC', 'DE', 'DC', 'FL', 'GA', 'HI', 'ID', 'IL', 'IN', 'IA', 'KS', 'KY', 'LA', 'ME', 'MH', 'MD', 'MA', 'MI', 'MN', 'MS', 'MO', 'MT', 'NE', 'NV', 'NH', 'NJ', 'NM', 'NY', 'NC', 'ND', 'MP', 'OH', 'OK', 'OR', 'PA' 'RI', 'SC', 'SD', 'TN', 'TX', 'UT', 'VT' 'VA', 'WA', 'WV', 'WI', 'WY'] %>
<% ppu = ['Employment', 'Insurance', 'Law Enforement'] %>

<div class="row justify-content-center">
    <div class="col-lg-16">
        <h3>Create New Account</h3>
    </div>
</div>
<div class="row justify-content-center">
    <div class="col-lg-16">

            <%= form_with(url: accounts_path, model: @account, local: true) do |f| %>

            <%= f.text_field :account_name, class: "form-control", placeholder: "Account Name" %>
            <%= f.text_field :account_address_line1, class: "form-control", placeholder: "address line 1" %>
            <%= f.text_field :account_address_line2, class: "form-control", placeholder: "address line 2" %>
            <%= f.text_field :account_city, class: "form-control", placeholder: "account city" %>
            <%= f.select :account_state, options_for_select(states), { :prompt => true }, class: "form-control", include_blank: true, placeholder: "state" %>
            <%= f.text_field :account_zipcode, class: "form-control", placeholder: "account zipcode" %>
            <%= f.text_field :contact_first_name, class: "form-control", placeholder: "contact first name" %>
            <%= f.text_field :contact_last_name, class: "form-control", placeholder: "contact last name" %>
            <%= f.text_field :contact_phone, class: "form-control", placeholder: "conact phone" %>
            <%= f.text_field :contact_email, class: "form-control", placeholder: "contact email" %>
            <%= f.select :account_ppu, options_for_select(ppu), { :prompt => true }, class: "form-control", include_blank: true, placeholder: "ppu" %>
            <%= f.text_area :account_notes, class: "form-control", placeholder: "Notes..." %>

            <div class="d-flex justify-content-between flex-wrap">
             <%= f.fields_for :authorization do |auth| %>
            <div class="order-3 p-2 bd-highlight">
                <%= auth.collection_check_boxes :ids, Authorization.all, :id, :auth_name %>
            </div>
            <% end %>
             </div>
            <%= f.submit "Create", class: 'btn btn-success' %>
            <% end %>



    </div>
</div>

我通常做的是这个(require(:account) 很重要):

def account_params
 params.require(:account).permit(
  :account_name,
  # Rest of the params you want to permit...
  authorization_ids: []
 )
end

这将允许您在控制器操作中进行定期保存。

def create 
 @account = Account.new(account_params) 
 if @account.save 
  flash[:notice] = "Account created successfully"
  redirect_to account_path(@account) 
 else    
  flash[:error] = @item.errors.full_messages.to_sentence
  render :new 
 end
end

并且在表单中,如果您将它们显示为复选框。

<% Authorization.all.each do |authorization| %>
 <%= check_box_tag 'account[authorization_ids][]', authorization.id, @account.authorizations.include?(authorization), id: dom_id(authorization), type: "checkbox" %>
<% end %>

这将遍历所有授权记录并将其显示在屏幕上,如果您 select 它们将存储在 authorization_ids 参数中,并且 rails 足够聪明接受这些参数并在 table.

中创建连接关联

顺便说一句,这是使用简单的形式,因此应稍微修改代码以获得所需的输入

您不需要手动创建加入 table 记录。

对于每个 has_manyhas_many_and_belongs_to_many 关联 Rails 创建一个 _ids setter 接受一个 id 数组。 Rails 将自动 create/delete 从输入中加入 table 行。

这与 collection helpers 完美匹配。

app/views/accounts/_form.html.erb

<%= form_with(model: account, local: true) do |f| %>
  <div class="field">
     <%= f.label :account_name %>
     <%= f.text_field :account_name %>
  </div>
  # ... more inputs

  <div class="field">
    <%= f.label :authorization_ids, 'Authorizations' %>
    <%= f.collection_checkboxes :authorization_ids, 
                                Authorization.all, # the collection 
                                :id, # value method
                                :name # label method
    %>
  </div>

  <div class="actions">
    <%= f.submit %>
  <div>
<% end %>

app/views/accounts/new.html.erb

<%= render partial: 'form', account: @account %>

accounts/edit.html.erb

<%= render partial: 'form', account: @account %>

app/controllers/accounts_controller.rb

class AccountsController < ApplicationController
  before_action :find_account, only: [:show, :edit, :update, :destroy]

  # ...

  def create 
    @account = Account.new(account_params) 
    if @account.save 
      flash[:notice] = "Account created sucsessfully"
      redirect_to @account 
    else 
      # render :new does not redirect so you need to use flash.now
      # to display the flash message in this request
      flash.now[:error] = @item.errors.full_messages.to_sentence
      render :new 
    end
  end

  def edit   
  end

  # This is how you update a resource.
  def update
    # don't check .valid? - it just tells you if the validations passed
    # not if the actual DB update query was a successes
    if @account.update(account_params)
      flash[:notice] = "Account updated successfully"
      redirect_to @account
    else    
      flash.now[:error] = @item.errors.full_messages.to_sentence
      render :edit 
    end
  end

  # ...

  private 

  def account_params
    params.require(:account).permit(
      :account_name,
      :account_address_line1,
      :account_address_line2,
      :account_city,
      :account_state,
      :account_zipcode,
      :account_ppu,
      :account_notes,
      :contact_first_name,
      :contact_last_name,
      :contact_phone,
      :contact_email,
      account_ids: []
    )
  end
end

因为这从参数散列中切出了键 :account,所以您不会得到未经许可的参数错误。 authenticity_token 是 Rails CSRF 保护令牌,commit 是单击提交表单的提交按钮的值。这些不应列入白名单或发送给您的模型

您通过将关键字参数 (account_ids: []) 传递给 .permit 并将空数组作为值来将授权 ID 数组列入白名单。由于这是关键字参数,因此它必须位于位置参数列表之后。

您也不需要 accepts_nested_attributes_for,除非您正在做一些比选择现有记录更高级的事情。但是在您掌握了 CRUD 的基础知识之前,您还没有完全准备好 accepts_nested_attributes_for