Rails unpermitted parameters still saving object

Problem description

I'm making a comment form for different posts. My post has a show page with a form embedded in it:

<%= @comment.body %>

<%# No model: is given to form_with, so the fields post as top-level params (post_id, body), not under comment[...] %>
<%= form_with url: comments_path do |form| %>
  <%= form.hidden_field :post_id, value: @comment.post.id %>
  <%= form.hidden_field :parent_comment_id, value: params[:id] %>
  <%= form.text_field :body %>
  <%= form.submit %>
<% end %>

Then I have a controller for my comments:

class CommentsController < ApplicationController
  def create
    @post = Post.find(params[:post_id])
    # current_user.comments.new sets author_id from the logged-in user
    @comment = current_user.comments.new(comment_params)
    @comment.post_id = @post.id

    if @comment.save
      # flash (not flash.now) so the notice survives the redirect
      flash[:notice] = 'Comment created'
      redirect_to post_path(@comment.post_id)
    else
      # fail loudly with the validation errors (the original `raise error` referenced an undefined name)
      raise ActiveRecord::RecordInvalid, @comment
    end
  end

  def show
    @comment = Comment.find(params[:id])
  end

  private

  # Top-level keys because the form has no model: scope, hence no params.require(:comment).
  # author_id is taken from current_user above, so it is not accepted from the request.
  def comment_params
    params.permit(:body, :post_id)
  end
end

The reason I don't say params.require(:comment) is that comment isn't passed in my params - I believe this is because the form is embedded in the post's show page.

When I submit a comment it works, but I get this odd thing in the console:

Started POST "/comments" for ::1 at 2021-01-09 17:50:10 -0500
Processing by CommentsController#create as JS
  Parameters: {"authenticity_token"=>"RblvPFQq7aZnpYFfLA5LtuUHsSDIrljYgZjs7OkvnzY4I6jhwZZXgv1+2xC1ZXdF8iDAUGQ22VPhRzHtmwHDcA==", "post_id"=>"8", "body"=>"ten", "commit"=>"Save "}
  Post Load (0.2ms)  SELECT "posts".* FROM "posts" WHERE "posts"."id" = $1 LIMIT $2  [["id", 8], ["LIMIT", 1]]
  ↳ app/controllers/comments_controller.rb:4:in `create'
  User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 2], ["LIMIT", 1]]
  ↳ app/controllers/application_controller.rb:6:in `current_user'
Unpermitted parameters: :authenticity_token, :commit
  CACHE User Load (0.0ms)  SELECT "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 2], ["LIMIT", 1]]
  ↳ app/controllers/comments_controller.rb:8:in `create'
   (0.1ms)  BEGIN
  ↳ app/controllers/comments_controller.rb:8:in `create'
  Post Load (0.2ms)  SELECT "posts".* FROM "posts" WHERE "posts"."id" = $1 LIMIT $2  [["id", 8], ["LIMIT", 1]]
  ↳ app/controllers/comments_controller.rb:8:in `create'
  Comment Create (0.4ms)  INSERT INTO "comments" ("body", "author_id", "post_id", "created_at", "updated_at") VALUES ($1, $2, $3, $4, $5) RETURNING "id"  [["body", "ten"], ["author_id", 2], ["post_id", 8], ["created_at", "2021-01-09 22:50:10.956311"], ["updated_at", "2021-01-09 22:50:10.956311"]]
  ↳ app/controllers/comments_controller.rb:8:in `create'
   (0.3ms)  COMMIT
  ↳ app/controllers/comments_controller.rb:8:in `create'
Redirected to http://localhost:3000/posts/8
Completed 200 OK in 12ms (ActiveRecord: 1.5ms | Allocations: 8098)

Note the "Unpermitted parameters". I thought this would stop the comment from saving, but it still goes through and saves, so I'm not sure whether this is a problem that could cause issues later. Then, if a comment has child comments, I'll have a show page that renders the comments recursively. Note: all my associations between posts, users, comments and replies (self-association) are in place. Does anyone have a solution for these "unpermitted parameters" / passing "params.require(:comment).." even when I'm not on the comment show page?

Thanks!

Tags: html, ruby-on-rails, parameters

Solution

This is the default handling of unpermitted parameters: it just logs that it happened in development, and doesn't even log it in production. The configuration for how it is handled is action_on_unpermitted_parameters (you can read more about it here).

If you want it to behave differently, e.g. raise an error when an unpermitted parameter is passed, or you can also leave it as it is, that's up to you. If you want to change it and raise an error, just add this to production.rb or development.rb:

config.action_controller.action_on_unpermitted_parameters = :raise

To change this option only for specific controllers, check this answer.
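Added example (not from the question, the answer, or Rails itself): a small Ruby stand-in for ActionController::Parameters#permit that mirrors what each action_on_unpermitted_parameters setting does to the request from the log above. The UnpermittedParameters class, filter_params, and the extra author_id key are constructions for this example.

```ruby
# Stand-in model of Rails strong parameters (not the Rails implementation):
# unpermitted keys are *filtered out*, and the config only decides whether
# that is ignored (false), logged (:log) or raised (:raise).
class UnpermittedParameters < StandardError
  attr_reader :keys
  def initialize(keys)
    @keys = keys
    super("found unpermitted parameters: #{keys.map { |k| ":#{k}" }.join(', ')}")
  end
end

# Returns [permitted_hash, log_lines]. mode is :log, :raise or false.
def filter_params(raw, allowed, mode:)
  allowed = allowed.map(&:to_s)
  permitted = raw.select { |k, _| allowed.include?(k.to_s) }
  unpermitted = raw.keys.map(&:to_s) - allowed
  log = []
  unless unpermitted.empty?
    case mode
    when :raise then raise UnpermittedParameters, unpermitted
    when :log   then log << "Unpermitted parameters: #{unpermitted.map { |k| ":#{k}" }.join(', ')}"
    end # false: drop them silently, nothing logged
  end
  [permitted, log]
end

# Constructed from the POST /comments request in the log (token shortened),
# plus a constructed author_id to show a foreign key the client must not set.
REQUEST_PARAMS = {
  "authenticity_token" => "RblvPFQq...", "post_id" => "8",
  "body" => "ten", "commit" => "Save ", "author_id" => "1"
}.freeze
COMMENT_ATTRS = %i[body post_id].freeze # what comment_params permits

if __FILE__ == $0
  attrs, log = filter_params(REQUEST_PARAMS, COMMENT_ATTRS, mode: :log)
  puts log   # development default: logs, and the save still proceeds
  p attrs    # {"post_id"=>"8", "body"=>"ten"} - author_id never reaches the model
  begin
    filter_params(REQUEST_PARAMS, COMMENT_ATTRS, mode: :raise)
  rescue UnpermittedParameters => e
    puts "with :raise -> #{e.message}"
  end
end
```

Note that even under :raise the authenticity_token and commit keys from a plain form would trigger the error, which is why Rails normally excludes them from permit checks; this model does not replicate that exclusion.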
