Rails 4/Devise/MongoDB: "Unpermitted parameters" using custom properties and strong parameters

David Elner picture David Elner · Apr 21, 2013 · Viewed 7.6k times · Source

Trying to add a nested custom attribute, Profile (a Mongoid document), to my devise User class. When the Devise registration form is submitted, it should create both a User and a corresponding Profile object as well.

I'd like the end-result to look something like this in my MongoDB:

User:

{
  # Devise fields:
  "email": "[email protected]",
  ...
  # Custom field
  "profile" : "<object_id>"
}

Profile:

{
  "first_name": "Dave",
  ....
}

Unfortunately, I am receiving this in my console whenever I submit my registration. It successfully creates a User but fails to create an associated Profile.

Started POST "/" for 127.0.0.1 at 2013-04-20 23:37:10 -0400
Processing by Users::RegistrationsController#create as HTML
Parameters:
   {"utf8"=>"✓",
   "authenticity_token"=>"awN2GU8EYEfisU0",
   "user"=>
       {"profile_attributes"=>
           {"first_name"=>"Dave",
           "birthday(2i)"=>"4",
           "birthday(3i)"=>"21",
           "birthday(1i)"=>"1933",
           "occupation_title"=>"Software Developer"},
        "password"=>"[FILTERED]",
        "password_confirmation"=>"[FILTERED]",
        "email"=>"[email protected]"}}
Unpermitted parameters: profile_attributes

I have setup:

  • Rails 4.0.0beta1, Ruby 2.0.0-p0
  • Devise ('rails4' branch), Mongoid (from git)
  • A custom Devise registrations controller to add a definition for strong parameters.

models/user.rb:

class User
  include Mongoid::Document

  devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable, :validatable,
     :token_authenticatable, :confirmable, :lockable, :timeoutable

  field :email,              type: String, default: ''

  ...

  has_one :profile
  accepts_nested_attributes_for :profile
end

models/profile.rb:

class Profile
  include Mongoid::Document
  include Mongoid::Timestamps

  # Attributes
  # ----------
  field :slug,                type: String, default: '' # Acts as user-'friendlier' slug
  field :birthday,            type: DateTime, default: DateTime.now
  field :first_name,          type: String, default: ''
  field :occupation_title,    type: String, default: ''

  belongs_to :user
  embeds_many :photos
  has_one :occupation_industry, :as => :industry
end

controllers/users/registrations_controller.rb

class Users::RegistrationsController < Devise::RegistrationsController

  def resource_params
    params.require(:user).permit(:email, :password, :password_confirmation, :profile_attributes)
  end
  private :resource_params
end

routes.rb

devise_for  :users,
              :path => '',
              :path_names => {
                :sign_in => 'login',
                :sign_out => 'logout',
                :sign_up => 'register'
                },
              :controllers => {
                :registrations => "users/registrations",
                :passwords => "users/passwords"
              }

I have already looked at these related posts, they didn't seem to help:


EDIT:

Looks like Devise does actually support strong parameters in its 'rails4' branch (which is supposed to be merged into master in a few days.) Looking through the code, it appears you can override a params function for each action on devise controllers. For creating new users, its sign_up_params instead of resource_params in my example.

Despite changing this name to the proper one, it still didn't work... only whitelisting all parameters using this bang seemed to work:

def sign_up_params
  params.require(:user).permit!
end

Obviously, this kind of defeats the purpose of strong parameters... so now the question is how do I permit my nested attributes profile_attributes (as seen in my original question)?

Answer

comandante N picture comandante N · Apr 24, 2013

I had the exact same issue and overriding sign_up_params did work for me

def sign_up_params
   params.require(:user).permit(:email, :password, :password_confirmation, :other, :etc)
end

of course, the difference is in that mine are just scalar values, while you're trying to mass assign a relation... I guess that's where you should look for.

By the way, the documentations is still inexistint in this topic (too new), and code commnents suggest to override devise_parameter_sanitizer, which isn't necessary.