How to achieve strong parameter protection without Rails? - ruby

I am developing a boilerplate web application with Goliath + Grape + Active Record 4.2 + Active Record Migrations. Here is my migration file
# db/migrate/20150519063210_create_albums.rb
class CreateAlbums < ActiveRecord::Migration
def change
create_table :albums do |t|
t.string :name
t.string :artist
t.string :genre
t.date :published_at
end
end
end
And my model
# app/models/Album
class Album < ActiveRecord::Base
end
And the Grape API
class ApiV1 < Grape::API
version 'v1', using: :path
format :json
resource 'albums' do
get '/' do
Album.all
end
post '/' do
Album.create(params[:album]) # <-- raises ActiveModel::ForbiddenAttributesError
end
end
end
When I call POST /v1/albums/ with some parameters, the application always raises ActiveModel::ForbiddenAttributesError. It seem that ActiveRecord wants ActionController::Parameters to be the arguments, but Grape gives it Hashie::Mash.
I've tried implementing a simple Rack middleware to convert env['params'] from a Hash to a ActionController::Parameters and using it after Goliath::Rack::Params, but Grape just sanitizes it out when the helper method params is called. I also tried implementing and using a Grape middleware to do the same thing and got the same result.
Is there any solution on this or I just have to down grade to ActiveRecord 3?

You could create a helper to generate an instance of ActionController::Parameters with your parameters:
require 'action_controller/metal/strong_parameters'
class ApiV1 < Grape::API
version 'v1', using: :path
format :json
helpers do
def albums_params
ActionController::Parameters.new(params).require(:album).permit(:attr1, :attr2)
end
end
resource 'albums' do
get '/' do
Album.all
end
post '/' do
Album.create(albums_params)
end
end
end
Or you can use the hashie-forbidden_attributes gem.

Related

Sinatra App - Separating Concerns

Probably something really basic, but I want to be able to separate my Sinatra routes from controllers. I have this code in my routes.rb:
require 'sinatra/base'
class Server < Sinatra::Base
get '/' do
Action.index
end
end
This is my controller/server.rb
class Action
def sef.index
#user = User.new("Abiodun Shuaib")
haml: index
end
end
It gives the error undefined method 'haml' in Action:Class.
How can I fix this?
You are trying to access method haml in class Action. It simply doesn't contain it.
For example, you can do:
class Server
def index
#user = User.new("Abiodun Shuaib")
haml :index
end
end
By doing this, you will add to Server method index.
Or you can do in such way(it's called Mixin):
module ActionNew
def index
#user = User.new("Abiodun Shuaib")
haml :index
end
end
class Server < Sinatra::Base
include ActionNew
get '/' do
index
end
end

Rails 3 NoMethodError (undefined method `unserialized_value' for "--- []\n":String):

I am using Rails 3.2.13 and postgress.
I am getting below error only in production server
NoMethodError (undefined method `unserialized_value' for "--- []\n":String):
app/controllers/blogs_controller.rb:159:in `content_generators'
I am serializing Array to store it in db. Below is code.
Controller
class BlogsController < ApplicationController
def content_generators
#blog = Blog.find(params[:id])
#users = #blog.content_generators.map do |id|
User.find(id)
end
end
end
Model
class Blog < ActiveRecord::Base
serialize :post_access, Array
serialize :content_generators, Array
attr_accessible :post_access, :content_generators
end
Migration
class AddContentgeneratorsToBlog < ActiveRecord::Migration
def change
add_column :blogs, :content_generators, :string, :default => [].to_yaml
end
end
I have already used serialization. You can see post_access is serialized. And that works perfect.
But now when I added another column content_generators it starts breaking.
Thanks for your help in advance.
Since you are using postgresql I strongly recommend using the built in array functionality:
# Gemfile
gem 'postgres_ext'
class MyMigration
def change
add_column :my_table, :that_array_column, :text, array: true, default: []
end
end
Then remove the serialize calls in your model and that's it. PG serialized array's behave exactly the same as YAML serialized ones on the model, except the db supports some query methods on them.

NameError when assigning instance of model to reference property

I'm unable to assign a model instance to a reference property of another model. Relevant code is below:
module Blog::Models
class Post < Base; belongs_to :user, dependent: :destroy end
class User < Base; has_many :posts end
...
class BasicFields < V 1.0
def self.up
create_table User.table_name do |t|
...
end
create_table Post.table_name do |t|
...
t.references :user
end
end
...
end
end
module Blog::Controllers
...
class PostEditN
...
def post(post_num)
#post = Post.find(post_num)
#user = User.find(#input.user)
...
#post.user = #user # Error thrown: NameError at /post/edit/1 uninitialized constant User
# #post.user_id = #user.id << This is my currently working solution
#post.save
redirect PostN, post_num
end
end
...
end
...
When I assign something to #post.user using Camping in console mode, it is successful, but I can't seem to accomplish the same behavior in the controller otherwise. I made do by simply assigning the #user.id to the user_id property of the Post instance. However, I would like to figure out why the alternate method works in the Camping console and not when I'm simply running the webserver.
My best guess is that this is a problem with namespaces. In the code you show Useris actually Blog::Models::User. In your controller the context is Blog::Controllers. Have you tried changing the code in the controller to?
#post = Blog::Models::Post.find(post_num)
#user = Blog::Models::User.find(#input.user)
...
I was able to resolve my issue. Seems when I was creating new Post records, I was not initializing the User. Thus, when assigning #post.user it would complain that the user property was uninitialized. The only problem I see is that an operation was attempted to be made on an oprhan Post record, which is invalid data according to the relationship with User.

host and port in a grape entity

Im trying to get the host and port in a grape-entity when generating an url
class Person < Grape::Entity
expose :url do |person,options|
"http://#{host_somehow}/somepath/#{person.id}"
end
end
I´ve tried examining the options hash but the 'env' hash is empty.
Following works for me, Grape 0.6.0, Grape-Entity 0.3.0, Ruby 2.0.0:
require 'grape'
require 'grape-entity'
# in reality this would be Active Record, Data Mapper, whatever
module Model
class Person
attr_accessor :identity, :name
def initialize i, n
#identity = i
#name = n
end
end
end
module APIView
class Person < Grape::Entity
expose :name
expose(:url) do |person,opts|
"http://#{opts[:env]['HTTP_HOST']}" +
"/api/v1/people/id/#{person.identity}"
end
end
end
class MyApp < Grape::API
prefix 'api'
version 'v1'
format :json
resource :people do
get "id/:identity" do
person = Model::Person.new( params['identity'], "Fred" )
present person, :with => APIView::Person
end
end
end
Quick test:
curl http://127.0.0.1:8090/api/v1/people/id/90
=> {"name":"Fred","url":"http://127.0.0.1:8090/api/v1/people/id/90"}
Finally ended up with sending the host as a option to the entity
class Person < Grape::Entity
expose :url do |person,options|
"http://#{options[:host]}/somepath/#{person.id}"
end
end
get '/' do
#persons = Person.all
present #persons, with: Person, host: request.host_with_port
end

Trouble getting the timestamp attributes for Active Record

So I'm trying to get the updated at attribute for my database object, but it's not working. I can get the other attributes but not the updated_at or created_at attributes. I'm also noticing that I can't get the id attribute as well. It seems as if anything I haven't declared in my Pocket.new does not exist. Here's my code:
By the way, I'm not using rails. I'm using sinatra-activerecord and sinatra.
Model
class Pocket < ActiveRecord::Base
def retrieve(consumer_key)
url = "get/"
pocket_url = join_url(url)
# time = Time.now.to_i
token = self.token
puts consumer_key
puts self
puts time = self.updated_at #.to_i this is where it happens.
options = {
:access_token => token,
:consumer_key => consumer_key,
:since => (time if defined? time)
}
hello = RestClient.post pocket_url, options
# JSON.parse(hello)
end
Controller
get '/auth/pocket/callback' do
[…]
pocket = Pocket.new(token: #token, user: #user)
DB migration
class CreatePocket < ActiveRecord::Migration
def up
create_table :pockets do |t|
t.string :user
t.string :token
t.timestamps
end
end
def down
drop_table :users
end
end
id, created_at, and updated_at are going to be nil for un-persisted objects, which is what you have by just calling .new and not saving the object yet.
Those attributes will be sent as soon as you call .save (assuming there are no validation errors).
Actually that isn't 100% true. updated_at will not be set on the first create / save, but it will be set on subsequent saves.

Resources