Unpermitted parameters. Devise + Oauth. Rails 4

Question

Rails 4, Devise 3.0.3, Oauth-facebook

I've added two additional parameters in my User model - :name, :uid and trying to save it in my users table from my form (route /users/sign_up). But as result i receive record in table, which contains only default values for fields :name and :uid instead of values, which i put in my text_fields.

In console i've got the following message:

Unpermitted parameters: name, uid
WARNING: Can't mass-assign protected attributes for User: password_confirmation
app/models/user.rb:31:in `new_with_session'

Here is my user.rb model. I've tried to remove these fiels from attr_accessible but it gives no result.

class User < ActiveRecord::Base
  attr_accessible :oauth_expires_at, :oauth_token, :oauth_secret, :email, :password, :uid, :provider, :name

  default_scope -> {order('created_at ASC')}

  devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable, :validatable, 
     :omniauthable, :omniauth_providers => [:facebook]

  has_many :microposts, :primary_key => "uid", dependent: :destroy

  # validates :uid, presence: true

  def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
  user = User.where(:provider => auth.provider, :uid => auth.uid).first
  unless user
    user = User.create(name:auth.extra.raw_info.name,
                     provider:auth.provider,
                     uid:auth.uid,
                     email:auth.info.email,
                     password:Devise.friendly_token[0,20]
                     )
  end
  user
  end

  def self.new_with_session(params, session)
    super.tap do |user|
      if data = session["devise.facebook_data"] && session["devise.facebook_data"]["extra"]["user_hash"]
    user.email = data["email"]
      end
    end
  end

end

Here is my users/omniauth_callbacks_controller.rb (without facebook method). I've tried to apply different advises related to before_filter, but it still does not work

 class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController

 before_filter :configure_permitted_parameters

 def create
    super
 end

 private

 def configure_permitted_parameters
   params.require(:user).permit(:name, :uid, :provider)
 end

 end

Here is my view-form ()

Sign up

    <%= link_to "Sign in with Facebook", user_omniauth_authorize_path(:facebook) %>

    <%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
      <%= devise_error_messages! %>

      <div><%= f.label :name %> <br /> 
      <%= f.text_field :name, :autofocus => true %></div>

      <div><%= f.label :email %><br />
      <%= f.email_field :email %></div>

      <div><%= f.label :password %><br />
      <%= f.password_field :password %></div>

      <div><%= f.label :password_confirmation %><br />
      <%= f.password_field :password_confirmation %></div>

      <div><%= f.label :uid %><br />
      <%= f.text_field :uid %></div>


      <div><%= f.submit "Sign up" %></div>
    <% end %>

    <%= render "devise/shared/links" %>

Could you help me, i don't understand what am i doing wrong. How to configure whitelist for my strong params to receive proper values (which user put in view-form) ?

All my source code is available here: https://github.com/DavydenkovM/d23m

Thanks in advance!

UPDATE

I've remove attr_accessible fields and update my controller. But the problem with unpermitted params name and uid at the same point. Now my controller looks like:

    class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController

      before_filter :configure_permitted_parameters, if: :devise_controller?

      def facebook

        @user = User.find_for_facebook_oauth(request.env["omniauth.auth"], current_user)

        if @user.persisted?
          sign_in_and_redirect @user, :event => :authentication #this will throw if @user is not activated
          flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "Facebook"
          set_flash_message(:notice, :success, :kind => "Facebook") # if is_navigational_format?
        else
          redirect_to root_url if user_signed_in?
          session["devise.facebook_data"] = request.env["omniauth.auth"]
          redirect_to new_user_registration_url
        end
      end

      def create
        super
      end

      #def update
      #  person = current_account.user.find(params[:id])
      #  person.update_attributes!(person_params)s
      #  redirect_to person
      #end

      private

      def configure_permitted_parameters
        devise_parameter_sanitizer.for(:users) do |u|
          u.permit(:name, :email, :password, :password_confirmation, :uid, :provider)
        end
      end
    end

UPDATE 2. I'm not clearly understand what is resource in devise_parameter_sanitizer.for(?) and where i need to assign this ?

possible duplicate of [Unpermitted Parameters adding new fields to Devise in rails 4.0](http://stackoverflow.com/questions/17384289/unpermitted-parameters-adding-new-fields-to-devise-in-rails-4-0) — Pedro Nascimento, Sep 05 '13 at 07:30
Thank you, i've checked and still has unpermitted params. I'm not clearly understand what is resource in devise_parameter_sanitizer.for(__?__) and where i need to assign this __?__ — user2742804, Sep 05 '13 at 07:40

Amit Sharma · Accepted Answer · 2013-09-05T10:16:42.257

Please try the following.

def self.find_for_facebook_oauth(auth, signed_in_resource=nil)
  user = User.where(:provider => auth.provider, :uid => auth.uid).first
  unless user
    user = User.create(name:auth.extra.raw_info.name,
                     provider:auth.provider,
                     uid:auth.uid,
                     email:auth.info.email,
                     password:Devise.friendly_token[0,20]
                     ).permit!(:name, :uid, :provider)
  end
  user
end

Or

def facebook

 @user = User.find_for_facebook_oauth(request.env["omniauth.auth"].permit!(:name, :uid, :provider), current_user)

   if @user.persisted?
   sign_in_and_redirect @user, :event => :authentication #this will throw if @user is not activated
    flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "Facebook"
    set_flash_message(:notice, :success, :kind => "Facebook") # if is_navigational_format?
  else
    redirect_to root_url if user_signed_in?
    session["devise.facebook_data"] = request.env["omniauth.auth"]
    redirect_to new_user_registration_url
  end
end

Then try this

def configure_permitted_parameters
   devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:name, :email, :password, :password_confirmation, :uid, :provider) }
end

Many thanks for your advice. I will bear in mind such a useful approach. Unfortunately it doesn't work in my case. I've two options - sign_up using my form or sign_in through oauth-facebook. There is no problem with facebook authentification. I have unpermitted params only when using sign_up with my form — user2742804, Sep 05 '13 at 09:30
I've found useful information here: http://ruby.railstutorial.org/chapters/sign-up#sidebar-rails_environments - chapter 7. I hope it could help for each person faced the same issue — user2742804, Sep 06 '13 at 08:47

score 0 · Answer 2 · answered Sep 05 '13 at 06:34

0

attr_accessible is not available in Rails 4 because Strong Parameters is now used by default. It appears you are already using strong parameters, so you should simply remove the line from your user model with attr_accessible in it.

answered Sep 05 '13 at 06:34

jvperrin

3,368
1
23
33

It is not a Rails way any more? I've include gem 'protected_attributes' and it is still work. – user2742804 Sep 05 '13 at 06:51
It is not the way it is usually done in Rails 4. I'm not sure what mixing the protected_attributes and strong parameters gems does, but I have never seen it done in this way before. – jvperrin Sep 06 '13 at 03:20

Unpermitted parameters. Devise + Oauth. Rails 4

Sign up

2 Answers2