通过回形针上传单个文件失败,并带有未经许可的参数

时间:2014-05-13 01:20:18

标签: ruby-on-rails-4 paperclip strong-parameters

我有一个帐户模型,其中包含一个用于徽标的附件,称为徽标。我在参数列表中设置了徽标,表单是多部分的,但我一直得到一个未经许可的参数:在此请求期间输出中的徽标:

除了稍后添加的徽标外,一切都在保存。

Started PUT "/account" for 127.0.0.1 at 2014-05-13 21:43:57 +1200
Processing by AccountsController#update as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"w5jFIZ/IMjvSfGllNoLEoMiboFjGnEE3jgIRERTTSBU=", "account"=>{"name"=>"Company Name", "logo"=>#<ActionDispatch::Http::UploadedFile:0x000001010877b0 @tempfile=#<Tempfile:/var/folders/k1/v289qztd2219jxmfk_x42x8m0000gn/T/RackMultipart20140513-2296-12w270c>, @original_filename="rails.png", @content_type="image/png", @headers="Content-Disposition: form-data; name=\"account[logo]\"; filename=\"rails.png\"\r\nContent-Type: image/png\r\n">}, "commit"=>"Save Changes"}
  Account Load (16.5ms)  SELECT "accounts".* FROM "accounts" WHERE "accounts"."full_domain" = 'ezypay.leaveme.dev' LIMIT 1
  CACHE (0.0ms)  SELECT "accounts".* FROM "accounts" WHERE "accounts"."full_domain" = 'ezypay.leaveme.dev' LIMIT 1
  User Load (0.3ms)  SELECT "users".* FROM "users" WHERE "users"."account_id" = 1 AND "users"."id" = 1 ORDER BY "users"."id" ASC LIMIT 1
Unpermitted parameters: logo
   (0.1ms)  begin transaction
  User Load (10.6ms)  SELECT "users".* FROM "users" WHERE "users"."account_id" = 1 AND "users"."account_id" = ? AND "users"."admin" = 't' ORDER BY "users"."id" ASC LIMIT 1  [["account_id", 1]]
  User Exists (0.3ms)  SELECT 1 AS one FROM "users" WHERE ("users"."email" = 'cmcguff@gmail.com' AND "users"."id" != 1 AND "users"."account_id" = 1) LIMIT 1
  User Exists (0.5ms)  SELECT 1 AS one FROM "users" WHERE ("users"."remote_id" = 'bureau' AND "users"."id" != 1 AND "users"."account_id" = 1) LIMIT 1
   (0.1ms)  SELECT COUNT(*) FROM "accounts" WHERE (full_domain = 'ezypay.leaveme.dev' and id <> 1)
  SQL (465.4ms)  UPDATE "accounts" SET "name" = ?, "updated_at" = ? WHERE "accounts"."id" = 1  [["name", "Company Name"], ["updated_at", Tue, 13 May 2014 09:43:58 UTC +00:00]]
   (2.4ms)  commit transaction

表单设置如下:

<%= simple_form_for @account, :url => { :action => 'update' }, :html => { :method => :put, :multipart => true  } do |f| %>
  <%= f.input :name %>
  <%= f.input :logo, :as => :file %>
  <%= submit_or_cancel :action => 'show' %>
<% end %>

帐户管理员:

class AccountsController < ApplicationController
  inherit_resources

  before_filter :authenticate_user!, :except => [ :new, :create, :plans, :canceled, :thanks]
  before_filter :authorized?, :except => [ :new, :create, :plans, :canceled, :thanks]
  before_filter :build_user, :only => [:new, :create]
  before_filter :load_balances, :only => [ :dashboard ]
  before_filter :load_billing, :only => [ :billing ]
  before_filter :load_subscription, :only => [ :billing, :plan ]
  before_filter :load_discount, :only => [ :plans, :plan, :new, :create ]
  before_filter :build_plan, :only => [:new, :create]
  skip_before_filter :collect_billing_info

  def new
    # render :layout => 'public' # Uncomment if your "public" site has a different layout than the one used for logged-in users
  end

  def create
    @account.affiliate = SubscriptionAffiliate.find_by_token(cookies[:affiliate]) unless cookies[:affiliate].blank?

    if @account.save
      flash[:domain] = @account.domain
      redirect_to thanks_url
    else
      render :action => 'new'#, :layout => 'public' # Uncomment if your "public" site has a different layout than the one used for logged-in users
    end
  end

  def update
    if resource.update_attributes(params[:account].permit(:name))
      flash[:notice] = "Your account has been updated."
      redirect_to redirect_url
    else
      render :action => 'edit'
    end
  end

  def plans
    @plans = SubscriptionPlan.order('amount desc').collect {|p| p.discount = @discount; p }
    # render :layout => 'public' # Uncomment if your "public" site has a different layout than the one used for logged-in users
  end

  def billing
    if request.post?
      result = if params[:stripeToken].present?
        @subscription.store_card(params[:stripeToken])
      else
        @address.first_name = @creditcard.first_name
        @address.last_name = @creditcard.last_name

        (@creditcard.valid? & @address.valid?) && @subscription.store_card(@creditcard, :billing_address => @address.to_activemerchant, :ip => request.remote_ip)
      end

      if result
        flash[:notice] = "Your billing information has been updated."
        redirect_to :action => "billing"
      end
    end
  end

  def plan
    if request.post?
      @subscription.plan = SubscriptionPlan.find(params[:plan_id])

      if @subscription.save
        flash[:notice] = "Your subscription has been changed."
        SubscriptionNotifier.plan_changed(@subscription).deliver
      else
        flash[:error] = "Error updating your plan: #{@subscription.errors.full_messages.to_sentence}"
      end
      redirect_to :action => "plan"
    else
      @plans = SubscriptionPlan.where(['id <> ?', @subscription.subscription_plan_id]).order('amount desc').collect {|p| p.discount = @subscription.discount; p }
    end
  end

  def cancel
    if request.post? and !params[:confirm].blank?
      current_account.destroy
      sign_out(:user)
      redirect_to :action => "canceled"
    end
  end

  def thanks
    redirect_to :action => "plans" and return unless flash[:domain]
    # render :layout => 'public' # Uncomment if your "public" site has a different layout than the one used for logged-in users
  end

  def dashboard
  end

  protected

    def resource
      @account ||= current_account
    end

    def build_user
      build_resource.admin = User.new unless build_resource.admin
    end

    def build_plan
      redirect_to :action => "plans" unless @plan = SubscriptionPlan.find_by_name(params[:plan])
      @plan.discount = @discount
      @account.plan = @plan
    end

    def redirect_url
      { :action => 'show' }
    end

    def load_balances
      @your_balances = current_user.visible_leave_balances
    end

    def load_billing
      @creditcard = ActiveMerchant::Billing::CreditCard.new(params[:creditcard])
      @address = SubscriptionAddress.new(params[:address])
    end

    def load_subscription
      @subscription = current_account.subscription
    end

    # Load the discount by code, but not if it's not available
    def load_discount
      if params[:discount].blank? || !(@discount = SubscriptionDiscount.find_by_code(params[:discount])) || !@discount.available?
        @discount = nil
      end
    end

    def authorized?
      redirect_to new_user_session_url unless self.action_name == 'dashboard' || admin?
    end

    def permitted_params
      params.permit(:plan, :account => [ :name, :domain, :logo, :admin_attributes => [ :name, :email, :password, :password_confirmation ] ])
    end

end

帐户模型的徽标设置为:

has_attached_file :logo, styles: {
    thumb: '100x100>',
    square: '200x200#',
    medium: '300x300>'
}
validates_attachment_content_type :logo, :content_type => /\Aimage\/.*\Z/

我真的不确定还有什么要检查吗?

1 个答案:

答案 0 :(得分:0)

update方法中,您实际上并未使用permitted_params方法。您允许的唯一属性是:name。您应该更改此方法以允许徽标:

def update
  if resource.update_attributes(params[:account].permit(:name, :logo))
    ...