- CanCan load_and_authorize_resource triggers Forbidden Attributes
# CRUD controller for User records, answering HTML and JS requests.
#
# NOTE(review): no authorization callback is visible in this listing. show,
# edit, update and destroy each load whichever User matches params[:id], so
# confirm that ApplicationController or an authorization layer (for example
# CanCan's load_and_authorize_resource) restricts who may reach them.
class UsersController < ApplicationController
  respond_to :html, :js

  # Loads every user for the listing.
  def index
    @users = User.all
  end

  # Loads the user identified by params[:id].
  def show
    @user = User.find(params[:id])
  end

  # Builds an empty user for the "new" form.
  def new
    @user = User.new
  end

  # Loads the user identified by params[:id] for the "edit" form.
  def edit
    @user = User.find(params[:id])
  end

  # Creates a user from the permitted request parameters. Redirects to the
  # new record on success, otherwise re-renders the "new" template.
  def create
    @user = User.new(safe_params)
    return redirect_to(@user, notice: t('users.controller.create.success')) if @user.save

    render :new
  end

  # Updates the user identified by params[:id] with the permitted request
  # parameters. Redirects to the record on success, otherwise re-renders
  # the "edit" template.
  def update
    @user = User.find(params[:id])
    saved = @user.update_attributes(safe_params)
    return render(:edit) unless saved

    redirect_to(@user, notice: t('users.controller.update.success'))
  end

  # Destroys the user identified by params[:id] unless it is the current
  # user, in which case an error flash is set instead. Redirects to the
  # user list in both cases.
  def destroy
    @user = User.find(params[:id])
    if current_user == @user
      flash[:error] = t('users.controller.destroy.prevent_self_destroy')
    else
      @user.destroy
    end
    redirect_to users_url
  end

  private

  # Returns params[:user] reduced to the attributes the caller may set.
  #
  # :role_ids is permitted only when current_user.is?(:admin) is truthy, so
  # a non-admin request cannot assign roles through mass assignment.
  #
  # NOTE(review): current_user is dereferenced without a nil check. If
  # create or update can be reached while signed out, this raises
  # NoMethodError. Confirm that authentication runs before this method.
  def safe_params
    permitted = [:first_name, :last_name, :email, :password, :password_confirmation]
    permitted << :role_ids if current_user.is?(:admin)
    params.require(:user).permit(*permitted)
  end
end
# Mixes ActiveModel::ForbiddenAttributesProtection into every ActiveRecord
# model, so mass assignment from request parameters that were not explicitly
# permitted raises ActiveModel::ForbiddenAttributes instead of being applied.
ActiveRecord::Base.class_eval do
  include ActiveModel::ForbiddenAttributesProtection
end
- 1) UsersController POST create with invalid params re-renders the 'new' template
- Failure/Error: post :create, user: @attr
- ActiveModel::ForbiddenAttributes:
- ActiveModel::ForbiddenAttributes
- # ./spec/controllers/users_controller_spec.rb:128:in `block (4 levels) in <top (required)>'
# Assigns the user attribute fixture before each example.
# NOTE(review): presumably the baseline the examples modify. The values are
# test-only placeholders.
before(:each) do
  @attr = {
    :first_name => "John",
    :last_name => "Doe",
    :email => "user@example.com",
    :password => "foobar",
    :password_confirmation => "foobar"
  }
end
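class UsersController < ApplicationController
  # Declared before load_and_authorize_resource so that @user is already
  # built from permitted parameters when CanCan's callback runs.
  # NOTE(review): this relies on CanCan keeping an already-assigned @user
  # rather than rebuilding it from raw params[:user], and on it still
  # authorizing that instance. Confirm against the CanCan version in use.
  before_filter :new_user, :only => [:new, :create]
  load_and_authorize_resource

  # Pre-builds @user for the new and create actions.
  #
  # safe_params calls params.require(:user), which raises
  # ActionController::ParameterMissing when the key is absent or blank. A
  # plain GET to the new form carries no :user key, so an empty User is built
  # in that case. On create the action itself still calls safe_params, so a
  # missing :user key is still rejected there.
  def new_user
    @user = params[:user].present? ? User.new(safe_params) : User.new
  end
  # Public controller methods are routable as actions, so keep this callback
  # private. `private :new_user` affects only this method, so it is safe even
  # if public actions follow in the real file.
  private :new_user
end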