Rails 4.1.5 omniauth strong parameters

After upgrading Rails 4.1.4 to 4.1.5 I get errors with my Facebook OmniAuth session; everything was working fine until then. When I create a user session I get an ActiveModel::ForbiddenAttributesError.

Route:

  match 'auth/:provider/callback', to: 'sessions#create', as: 'signin', via: :get

Session#create controller:

  def create
    user = User.from_omniauth(env["omniauth.auth"])
    session[:user_id] = user.id
    session[:user_name] = user.name

    redirect_to root_path
  end

and a user model like this:

  def self.from_omniauth(auth)
    where(auth.slice(:provider, :uid)).first_or_create.tap do |user|
      user.provider ||= auth.provider
      user.uid = auth.uid
      user.name = auth.info.name
      user.save
    end
  end

I can bypass the ActiveModel error by adding a permit! method in my User Model like that:

where(auth.slice(:provider, :uid).permit!).first_or_create.tap do |user|

But it overrides the first user from the database... The session[:user_id] seems to always be the first User from the database.

I don't know if it's a strong parameters problem, an Omniauth problem or both?

Rm answered 20/8, 2014 at 7:49 Comment(2)
Do you still have this issue? - Sisera
I am having this issue as well. Downgraded from Rails 4.1.5 to 4.1.4 and the problem goes away. - Celebrate

Replace your current finder:

def self.from_omniauth(auth)
  # Pass a plain Hash with the two lookup columns named explicitly instead of
  # a sliced AuthHash; the block only runs when a new record is being created.
  where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
    user.provider = auth.provider
    user.uid      = auth.uid
    user.name     = auth.info.name
    user.save
  end
end
Cassidycassie answered 22/8, 2014 at 19:26 Comment(3)
Can you tell us why this is happening? - Pallas
I don't appear to have an auth.provider method but I was able to use auth[:provider] instead. I'm guessing the Rails team prevented slice from being used as a bypass for strong parameters. - Brande
^ That seems to be a valid reason to do so. I also found I needed to use auth[:provider] sometimes. - Basion

I created a detailed writeup of what is happening here:

Rails 4.1.5 Security Fix Breaks Model.where(attributes)

Snippet:

YIKES! Rails 4.1.5 requires you to use safe params for any param to where that is_a? Hash. For example, if you were doing a Model.where using slice to take some keys out of some object that derives from Hash, then your code will throw this error when you migrate from Rails 4.1.4 to Rails 4.1.5:

An ActiveModel::ForbiddenAttributesError occurred in omniauth_callbacks#facebook: ActiveModel::ForbiddenAttributesError

Sickert answered 20/10, 2014 at 0:27 Comment(2)
So we can't use where(some_hash.slice(:attribute1, :attribute2)) anymore? It was a nice syntax... - Gallinacean
It simply becomes where(provider: auth.provider, uid: auth.uid), assuming you passed the OmniAuth JSON info auth into the method. It's still as Ruby as ever. - Basion

My solution is like this.

# extend the sliced object with a singleton permitted? so the strong-parameters
# check in Rails 4.1.5 lets it through
auth_hash_extended = auth.slice(:provider, :uid)
def auth_hash_extended.permitted?
  true
end

where(auth_hash_extended).first_or_create do |user|
  user.provider = auth.provider
  # ... remaining attribute assignments
end

If you have difficulty separating the hash into key-value pairs, you can use this approach.

Surculose answered 16/2, 2015 at 18:29 Comment(0)
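To make the mechanism behind these three answers concrete, here is an added example that is not code from the question, any answer, Rails or OmniAuth. It models, without any Rails dependency, the guard the second answer describes (an object that responds to `permitted?` with false is rejected), the accepted answer's explicit-hash fix, and the singleton `permitted?` trick from the answer above. `FakeAuthHash`, `sanitize_for_mass_assignment`, `where_conditions` and the sample payload in `AUTH` are constructed for the illustration; `FakeAuthHash` only imitates the two behaviours of OmniAuth's Hashie-based AuthHash that matter here (any `?`-suffixed method is answered through `method_missing`, and `slice` returns another AuthHash rather than a plain Hash).

```ruby
# Added example (not from the thread, Rails or OmniAuth): a dependency-free
# model of the Rails 4.1.5 forbidden-attributes check. All names here are
# constructed for the illustration; they mirror the semantics the thread
# describes, not the Rails source itself.

class ForbiddenAttributesError < StandardError; end

# Stand-in for OmniAuth's AuthHash (a Hashie::Mash). Like a Mash, it answers
# any method ending in "?" via method_missing with the truthiness of the
# matching key, and exposes keys as reader methods (auth.provider).
class FakeAuthHash < Hash
  def method_missing(name, *args)
    str = name.to_s
    if str.end_with?("?")
      !!self[str.chomp("?").to_sym]   # permitted? => false (no :permitted key)
    elsif key?(name)
      self[name]
    else
      super
    end
  end

  def respond_to_missing?(name, include_private = false)
    name.to_s.end_with?("?") || key?(name) || super
  end

  # Assumption: ActiveSupport's Hash#slice of that era built its result with
  # self.class.new, so slicing an AuthHash yielded another AuthHash.
  def slice(*keys)
    keys.each_with_object(self.class.new) { |k, h| h[k] = self[k] if key?(k) }
  end
end

# The guard the thread runs into: an object that claims to know about
# permission (responds to permitted?) but answers false is rejected.
def sanitize_for_mass_assignment(attributes)
  if attributes.respond_to?(:permitted?) && !attributes.permitted?
    raise ForbiddenAttributesError, "#{attributes.class} is not permitted"
  end
  attributes
end

# Toy stand-in for Model.where(conditions): returns the conditions a query
# would be built from, as a plain Hash.
def where_conditions(conditions)
  sanitize_for_mass_assignment(conditions).to_h
end

# Constructed sample provider payload (symbol keys for brevity).
AUTH = FakeAuthHash[provider: "facebook", uid: "12345", info: { name: "Example User" }]

# The question's original code path: where(auth.slice(:provider, :uid)).
def sliced_auth_allowed?
  where_conditions(AUTH.slice(:provider, :uid))
  true
rescue ForbiddenAttributesError
  false
end

# The accepted answer's fix: a plain Hash naming the lookup columns. It does
# not respond to permitted?, so the guard passes it through untouched.
def explicit_hash_conditions
  where_conditions(provider: AUTH.provider, uid: AUTH.uid)
end

# The third answer's workaround: bolt a permitted? returning true onto the
# sliced object. It passes the guard only because it asserts trust for
# whatever that object happens to contain.
def singleton_permit_conditions
  conditions = AUTH.slice(:provider, :uid)
  def conditions.permitted?
    true
  end
  where_conditions(conditions)
end

if __FILE__ == $PROGRAM_NAME
  puts "sliced AuthHash accepted?  #{sliced_auth_allowed?}"
  puts "explicit hash conditions:  #{explicit_hash_conditions.inspect}"
  puts "singleton permit:          #{singleton_permit_conditions.inspect}"
end
```

Running the file prints that the sliced AuthHash is rejected while both fixes yield `{:provider=>"facebook", :uid=>"12345"}`. Of the two, the explicit hash is the better habit: it names exactly the columns the lookup uses, whereas the singleton `permitted?` switches the check off for the whole object. As a side note inferred from Hashie::Mash's bang-method behaviour rather than stated in the thread: calling `permit!` on a Mash returns a freshly created empty nested Mash, so the question's `.permit!` workaround would have handed `where` empty conditions, which is consistent with the first row always being returned.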