开发者

Updated checkbox, when there is no data passed. ROR. What is going on?

问答 作者:

I constructed a Many-to-Many association between Users and Roles.

When a non-administrator logs in, I have hidden the Edit Role function, using

using the following code:

view/users/edit.html.erb

<%= error_messages_for :user %>

<% form_for @user do |f| -%>
  <p><label for="login">Login</label><br/>
  <%= f.text_field :login %></p>

  <p><label for="email">Email</label><br/>
  <%= f.text_field :email %></p>

  <p><label for="password">Password</label><br/>
  <%= f.password_field :password %></p>

  <p><label for="password_confirmation">Confirm Password</label><br/>
  <%= f.password_field :password_confirmation %></p>

  <% if admin? %>
  <% for role in Role.find(:all) %>
 <div>
  <%= check_box_tag "user[role_ids][]", role.id, @user.roles.include?(role) %>
  <%= role.name %>
 </div>
 <% end %>
 <% else %>
 <% hidden_field :email, :email %>
 <% end %>

  <p><%= submit_tag 'Update' %></p>
<% end %>

the terminal output, was what I expected and is as follows:

Processing UsersController#update (for 127.0.0.1 at 2010-01-05 21:28:54) [PUT]
  Parameters: {"commit"=>"Update", "action"=>"update", "_method"=>"put", "authenticity_token"=>"E6qUNM3gS9OmxuAZpmF7FE2Mr/lowznNLMd6ENNT6uk=", "id"=>"5", "controller"=>"users", "user"=>{"password_confirmation"=>"[FILTERED]", "password"=>"[FILTERED]", "login"=>"lesa", "email"=>"lesa@gmail.com"}}

However when I was surprised the user lost her rights (prior to her password update her roles: [1,2])

>> user = User.find_by_login("lesa")
=> #<User id: 5, login: "lesa", email: "lesa@gmail.com", crypted_password: "58026ae120d0686196df3c72c9e3df5da596326d", salt: "f02ef9e00d16f1b9f82dfcc488fdf96bf5aab4a8", created_at: "2009-12-29 15:15:51", updated_at: "2010-01-05 21:28:54", remember_token: nil, remember_token_expires_at: nil>
>> user.role_ids
=> []
>>

In the user model controller I am using:

attr_accessible :login, :email, :password, :password_confirmation, :role_ids

How would it be possible for users without the proper rights (role) to NOT update their role_ids? Obviously what I have is seriously flawed. Below is the terminal output of an Administrator correcting Lesa's Rights (role). 

Processing UsersController#update (for 127.0.0.1 at 2010-01-05 21:34:01) [PUT]
  Parameters: {"commit"=>"Update", "action"=>"update", "_method"=>"put", "authenticity_token"=>"/yC1s9T8yWZH+eM5fnhPwdeHPCTcT1d8IGoIn+tEd4Q=", "id"=>"5", "controller"=>"users", "user"=>{"password_confirmation"=>"[FILTERED]", "role_ids"=>["2"], "password"=>"[FILTERED]", "login"=>"lesa", "email"=>"lesa@gmail.com"}}

User controller code:

class UsersController < ApplicationController
  # Be sure to include AuthenticationSystem in Application Controller instead

    #routine that is excecuted before every action in controller "Before_filter
  before_filter :login_required
  require_role "admin", :for => [:index, :create, :destroy]

  def index
    @users = User.find(:all)
  end

 def show
  @user = User.find(params[:id])
 end

 def destroy
  @user = User.find(params[:id])
  @user.destroy

  redirect_to(users_url)
 end

 def edit
    @user = User.find(params[:id])
 end

 def update
    @user = User.find(params[:id])

  params[:user][:role_ids] ||= []

  if @user.update_attributes(params[:user])
     flash[:notice] = 'User was successfully updated.'
    redirect_开发者_高级运维to(user_path(@user))
 else
    render :action => 'edit'
 end
 end

  # render new.rhtml
  def new
  end

  def create
    cookies.delete :auth_token
    # protects against session fixation attacks, wreaks havoc with 
    # request forgery protection.
    # uncomment at your own risk
    # reset_session
    @user = User.new(params[:user])
    @user.save
    if @user.errors.empty?
      self.current_user = @user
      redirect_back_or_default('/')
      flash[:notice] = "Thanks for signing up!"
    else
      render :action => 'new'
    end
  end

end

are there any callbacks in the model? are you sure the roles existed before you updated? have you tried using accepts_nested_attributes_for :roles in the User model? I'd have loved to see your controller code too.

Updated Your User#update action sets this to an empty array if nothing comes.... not ideal dude, as only admins will update them, and all other update requests get set as, well, nothing as you found out. scrap it. Use accepts_nested_attributes_for the roles and somehow lock out who can update them...

Of course!

I Eliminated this code from my controller: params[:user][:role_ids] ||= [] to solve this issue.

继续阅读:checkboxmany-to-manyruby-on-rails

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9