Isue #835 - CanCan ActiveModel::ForbiddenAttributesError with rails 4

[blischalk]

I recently ran into the issue of getting the ForbiddenAttribuesError when using CanCan on a Rails 4 app that I am building. After looking into the issue it appears that the problem is that when load_and_authorize_resource is used in a controller it loads up the resource using the params straight from the controller before they have been sanitized.

My approach was to add the ability to specify the params method defined in the controller as an argument to load_and_authorize_resource. E.g load_and_authorize_resource attributes: :my_method. This method is then used to grab the params to build the resource from instead of using the params straight from the controller.

I have also included a check for the params method being specified which seems to preserve backward compatibility.

[mhenrixon]

👍

[dgilperez]

👍

[Arcath]

👍

[garrettlancaster]

👍

[jpascal]

👍

[binyamindavid]

👍

[theodorton]

👍

[mzahir]

👍

[theodorton]

I've added a pull request for this branch where you don't have to define the method as it would default to post_params for a PostController.

[zdavis]

👍

[andrezimpel]

+1

[sebakri]

+1

[xhoy]

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013.
Since only Ryan himself has commit permissions, the CanCan project is on a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!

[marceloboeira]

👍