无法批量分配受保护的属性:stripe_card_token

时间:2012-09-21 22:21:06

标签: ruby-on-rails shopping-cart mass-assignment attr-accessor stripe-payments

我正在尝试使用条纹创建电荷。尝试创建订单对象时出现以下错误,但我设置了attr_accessor:stripe_card_token。有谁知道我做错了什么?

ActiveModel::MassAssignmentSecurity::Error in OrdersController#create
Can't mass-assign protected attributes: stripe_card_token

OrdersController - 创建动作

def create
@order = current_cart.build_order(params[:order])
@order.ip_address = request.remote_ip
@order.user_id = current_user.id


respond_to do |format|
  if @order.save_with_payment

    @order.add_line_items_from_cart(current_cart)         
    Cart.destroy(session[:cart_id])
    session[:cart_id] = nil


    format.html { render :action => "success", :notice => 'Thank you for your order.' }
    format.xml { render :xml => @order, :status => :created, :location => @order }

  else
    format.html { render :action => "new" }
    format.xml { render :xml => @order.errors,
    :status => :unprocessable_entity }
  end
end
end

OrderModel 

class Order < ActiveRecord::Base
  # PAYMENT_TYPES = [ "visa", "master card", "Amex", "Discover" ] Controll the payment options via Model
  attr_accessible :first_name, :last_name, :ip_address, :cart_id, :house_id
  attr_accessor :stripe_card_token


  belongs_to :user
  belongs_to :house
  belongs_to :cart

  has_many :transactions, :class_name => "OrderTransaction"
  has_many :line_items, :dependent => :destroy

  validates :house_id, presence: true
  validates :cart_id, presence: true



  def price_in_cents 
    (cart.total_price*100).round
  end

  def add_line_items_from_cart(cart)
    cart.line_items.each do |item|
      item.cart_id = nil
      line_items << item
    end
  end

  def save_with_payment
    if valid?
      Stripe::Charge.create(amount: price_in_cents, currency: "cad", description:     current_user.name, card: stripe_card_token)
      # self.stripe_order_token = order.id
      save!
    end
  rescue Stripe::InvalidRequestError => e
    logger.error "Stripe error while creating customer: #{e.message}"
    errors.add :base, "There was a problem with your credit card."
    false
  end

OrderView _Form 

<%= f.error_notification %>
<%= f.error_messages %>
<%= f.hidden_field :stripe_card_token %>
<%= f.hidden_field :cart_id%>

<div class="form-inputs">
  <p><%#if user does not have a house Make a page (please order a home valuation first) %></p>
  <div class="contain">  
    <h3>Select House</h3>      
    <%= f.input :house_id, :as => :radio_buttons, :collection =>  current_user.houses.all.map{|h| [h.address, h.id]}%>        
  </div>

  <%= f.input :first_name %>
  <%= f.input :last_name %>

  <div class="field">
    <%= label_tag :card_number, "Credit Card Number" %>
    <%= text_field_tag :card_number, nil, name: nil %>
  </div>
  <div class="field">
    <%= label_tag :card_code, "Security Code on Card (CVV)" %>
    <%= text_field_tag :card_code, nil, name: nil %>
  </div>
  <div class="field">
    <%= label_tag :card_month, "Card Expiration" %>
    <%= select_month nil, {add_month_numbers: true}, {name: nil, id: "card_month"} %>
    <%= select_year nil, {start_year: Date.today.year, end_year: Date.today.year+15}, {name: nil, id: "card_year"} %>
  </div>          


</div>

  <div id="stripe_error">
    <noscript>JavaScript is not enabled and is required for this form. First enable it in your web browser settings.</noscript>
  </div>

<div class="form-actions">
  <%= f.button :submit %>
</div>
  

Orders.js.coffee 

jQuery ->
  Stripe.setPublishableKey($('meta[name="stripe-key"]').attr('content'))
  order.setupForm()

order =
  setupForm: ->
    $('#new_order').submit ->
      $('input[type=submit]').attr('disabled', true)
      if $('#card_number').length
        order.processCard()
        false
      else
        true

  processCard: ->
    card =
      number: $('#card_number').val()
      cvc: $('#card_code').val()
      expMonth: $('#card_month').val()
      expYear: $('#card_year').val()
    Stripe.createToken(card, order.handleStripeResponse)

  handleStripeResponse: (status, response) ->
    if status == 200
      $('#order_stripe_card_token').val(response.id)
      $('#new_order')[0].submit()
    else
      $('#stripe_error').text(response.error.message)
      $('input[type=submit]').attr('disabled', false)

3 个答案:

答案 0 :(得分:5)

您仍然需要在模型中的attr_accessible下包含:stripe_card_token

答案 1 :(得分:1)

活动记录(rails堆栈中提供ruby代码与数据库之间接口的层)使用attr_accessible方法保护您的数据库免受不必要的最终用户分配。如果存在于模型中,它将确保请求无法写入数据库,除非列出该属性。

您已在此处attr_accessible但未列出:stripe_card_token,因此您无法保存到该字段。

attr_accessible :first_name, :last_name, :ip_address, :cart_id, :house_id添加, :stripe_card_token

虽然attr_accessor :stripe_card_token行可能会以某种方式相关,但您可能只为该属性设置了getter和setter方法。

这里的差异更好 In this question

答案 2 :(得分:0)

您可以在此处详细了解质量分配:http://www.h-online.com/security/news/item/Rails-3-2-3-makes-mass-assignment-change-1498547.html

相关问题
最新问题