Ruby on rails &引用;Can';t mass assign protected attributes:admin";使用sample_data.rake
我正在阅读Michael Hartl的教程,并有一个示例_data.rake文件。当我尝试填充数据库时,会出现“无法批量分配受保护的属性:admin”错误。我可以通过在“user.rb”文件中的“attr_accessible”中添加“:admin”来解决这个问题,但这样任何人都可以通过黑客攻击成为管理员。我如何解决这个问题 sample_data.rake文件Ruby on rails &引用;Can';t mass assign protected attributes:admin";使用sample_data.rake,ruby-on-rails,ruby,rspec,rake,Ruby On Rails,Ruby,Rspec,Rake,我正在阅读Michael Hartl的教程,并有一个示例_data.rake文件。当我尝试填充数据库时,会出现“无法批量分配受保护的属性:admin”错误。我可以通过在“user.rb”文件中的“attr_accessible”中添加“:admin”来解决这个问题,但这样任何人都可以通过黑客攻击成为管理员。我如何解决这个问题 sample_data.rake文件 namespace :db do desc "Fill database with sample data" task pop
namespace :db do
desc "Fill database with sample data"
task populate: :environment do
admin = User.create!(name: "Example User",
email: "example@railstutorial.org",
password: "foobar",
password_confirmation: "foobar",
admin: true)
name = Faker::Name.name
email = "example-#{n+1}@railstutorial.org"
password = "password"
User.create!(name: name,
email: email,
password: password,
password_confirmation: password)
end
end
class User < ActiveRecord::Base
has_many :microposts, dependent: :destroy
attr_accessible :name, :email, :password, :password_confirmation
has_secure_password
before_save { |user| user.email = email.downcase }
before_save :create_remember_token
validates :name, presence: true, length: { maximum: 50 }
VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
validates :email, presence: true,
format: { with: VALID_EMAIL_REGEX },
uniqueness: { case_sensitive: false }
validates :password, presence: true, length: { minimum: 6 }
validates :password_confirmation, presence: true
private
def create_remember_token
self.remember_token = SecureRandom.urlsafe_base64
end
end
namespace :db do
desc "Fill database with sample data"
task populate: :environment do
admin = User.create!(name: "Example User",
email: "example@railstutorial.org",
password: "foobar",
password_confirmation: "foobar",
admin: true)
name = Faker::Name.name
email = "example-#{n+1}@railstutorial.org"
password = "password"
User.create!(name: name,
email: email,
password: password,
password_confirmation: password)
end
end
class User < ActiveRecord::Base
has_many :microposts, dependent: :destroy
attr_accessible :name, :email, :password, :password_confirmation
has_secure_password
before_save { |user| user.email = email.downcase }
before_save :create_remember_token
validates :name, presence: true, length: { maximum: 50 }
VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
validates :email, presence: true,
format: { with: VALID_EMAIL_REGEX },
uniqueness: { case_sensitive: false }
validates :password, presence: true, length: { minimum: 6 }
validates :password_confirmation, presence: true
private
def create_remember_token
self.remember_token = SecureRandom.urlsafe_base64
end
end
class用户admin = User.new(...)
admin.admin = true
admin.save
User.create(params[:user])
:adminattr\u accessible。使用:admin
作为选项之一创建。只需执行以下操作:
admin = User.new(...)
admin.admin = true
admin.save
这样,您就负责设置管理标志。您没有通过参数散列设置管理标志。但是,在您的情况下,在rake文件中创建用户并不危险。如果在这样的控制器中执行,则可能会:
User.create(params[:user])
正如@Edmund在评论中所说,将:admin
添加到attr\u accessible
列表只意味着您可以使用。将:admin
作为选项之一创建。同意。分别设置admin属性。将:admin添加到attr_accessible列表只意味着您可以使用:admin作为选项之一进行。创建
。同意。分别设置admin属性。将:admin添加到attr_accessible列表只意味着您可以使用:admin作为选项之一进行创建。