Ruby on rails 如何解决这个问题;Can';t质量分配受保护的属性:翻译“U属性”;错误?
我正在使用RubyonRails(3.2.2)、(0.2.0)和(0.1.2)RubyGems。我想解决使用批处理时产生的以下问题:Ruby on rails 如何解决这个问题;Can';t质量分配受保护的属性:翻译“U属性”;错误?,ruby-on-rails,ruby,ruby-on-rails-3,translation,globalization,Ruby On Rails,Ruby,Ruby On Rails 3,Translation,Globalization,我正在使用RubyonRails(3.2.2)、(0.2.0)和(0.1.2)RubyGems。我想解决使用批处理时产生的以下问题: ActiveModel::MassAssignmentSecurity::Error in Admin::ArticlesController#update Can't mass-assign protected attributes: translations_attributes 在我的ROOT\u RAILS/Gemfile文件中,我有: ... gem
ActiveModel::MassAssignmentSecurity::Error in Admin::ArticlesController#update
Can't mass-assign protected attributes: translations_attributes
在我的ROOT\u RAILS/Gemfile
文件中,我有:
...
gem 'globalize3'
gem 'batch_translations'
class Admin::Article < ActiveRecord::Base
translates :title
# This is needed to make the batch_translations to work.
accepts_nested_attributes_for :translations
...
end
<%= form_for(@admin_article, :url => admin_article_path) do |f| %>
<%= f.label :title %><br />
English translation:
<%= f.text_field :title %>
Italiano translation:
<%
# Note: I am using the '<%= f...' instad of '<% f...' otherwise
# batch_translations doesn't output the input field in the
# front-end content.
%>
<%= f.globalize_fields_for :it do |g| %>
<%= g.text_field :title %>
<% end %>
<% end %>
class Admin::ArticlesController < ApplicationController
def update
@admin_article = Article.find(params[:id])
respond_to do |format|
if @admin_article.update_attributes(params[:article])
format.html { redirect_to admin_article_path(@admin_erticle), notice: 'Article was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: @admin_article.errors, status: :unprocessable_entity }
end
end
end
...
end
gem 'globalize3', '~> 0.2.0'
gem 'batch_translations', '~> 0.1.2'
config.i18n.available_locales = [:es, :en]
在我的ROOT\u RAILS/app/models/admin/article.rb文件中,我有:
...
gem 'globalize3'
gem 'batch_translations'
class Admin::Article < ActiveRecord::Base
translates :title
# This is needed to make the batch_translations to work.
accepts_nested_attributes_for :translations
...
end
<%= form_for(@admin_article, :url => admin_article_path) do |f| %>
<%= f.label :title %><br />
English translation:
<%= f.text_field :title %>
Italiano translation:
<%
# Note: I am using the '<%= f...' instad of '<% f...' otherwise
# batch_translations doesn't output the input field in the
# front-end content.
%>
<%= f.globalize_fields_for :it do |g| %>
<%= g.text_field :title %>
<% end %>
<% end %>
class Admin::ArticlesController < ApplicationController
def update
@admin_article = Article.find(params[:id])
respond_to do |format|
if @admin_article.update_attributes(params[:article])
format.html { redirect_to admin_article_path(@admin_erticle), notice: 'Article was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: @admin_article.errors, status: :unprocessable_entity }
end
end
end
...
end
gem 'globalize3', '~> 0.2.0'
gem 'batch_translations', '~> 0.1.2'
config.i18n.available_locales = [:es, :en]
在我的ROOT\u RAILS/app/controllers/admin/articles\u controller.html.erb
文件中,我有:
...
gem 'globalize3'
gem 'batch_translations'
class Admin::Article < ActiveRecord::Base
translates :title
# This is needed to make the batch_translations to work.
accepts_nested_attributes_for :translations
...
end
<%= form_for(@admin_article, :url => admin_article_path) do |f| %>
<%= f.label :title %><br />
English translation:
<%= f.text_field :title %>
Italiano translation:
<%
# Note: I am using the '<%= f...' instad of '<% f...' otherwise
# batch_translations doesn't output the input field in the
# front-end content.
%>
<%= f.globalize_fields_for :it do |g| %>
<%= g.text_field :title %>
<% end %>
<% end %>
class Admin::ArticlesController < ApplicationController
def update
@admin_article = Article.find(params[:id])
respond_to do |format|
if @admin_article.update_attributes(params[:article])
format.html { redirect_to admin_article_path(@admin_erticle), notice: 'Article was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: @admin_article.errors, status: :unprocessable_entity }
end
end
end
...
end
gem 'globalize3', '~> 0.2.0'
gem 'batch_translations', '~> 0.1.2'
config.i18n.available_locales = [:es, :en]
。。。但是让:translations\u属性可以访问,这是确定的吗?
这将是最新版本rails的一个问题,因为他们修补了它。您可以在配置中更改它。有关详细信息,请参阅
我可以确认您的属性可访问解决方案是正确的。是。Rails可能配置为只允许显式允许的属性的批量分配
# This is mass assignment
Model.find(params[id]).update_attributes params[:model]
为了安全起见,实施了白名单方法params[:model]
可以包含任何内容,甚至是表单中不可用的属性。攻击者可以利用此漏洞发送admin:true
以及其他值
如果没有可访问的属性,攻击者将被授予管理员权限。但是,如果:admin
不在白名单上,update\u attributes
将不会更新该特定属性
这些宝石可能在引擎盖下。确保允许他们写入自己的属性。我也遇到了同样的问题。我认为这是一个很好的解决方案:
在我的Gemfile文件中,我有:
...
gem 'globalize3'
gem 'batch_translations'
class Admin::Article < ActiveRecord::Base
translates :title
# This is needed to make the batch_translations to work.
accepts_nested_attributes_for :translations
...
end
<%= form_for(@admin_article, :url => admin_article_path) do |f| %>
<%= f.label :title %><br />
English translation:
<%= f.text_field :title %>
Italiano translation:
<%
# Note: I am using the '<%= f...' instad of '<% f...' otherwise
# batch_translations doesn't output the input field in the
# front-end content.
%>
<%= f.globalize_fields_for :it do |g| %>
<%= g.text_field :title %>
<% end %>
<% end %>
class Admin::ArticlesController < ApplicationController
def update
@admin_article = Article.find(params[:id])
respond_to do |format|
if @admin_article.update_attributes(params[:article])
format.html { redirect_to admin_article_path(@admin_erticle), notice: 'Article was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: @admin_article.errors, status: :unprocessable_entity }
end
end
end
...
end
gem 'globalize3', '~> 0.2.0'
gem 'batch_translations', '~> 0.1.2'
config.i18n.available_locales = [:es, :en]
在我的application.rb文件中,我有:
...
gem 'globalize3'
gem 'batch_translations'
class Admin::Article < ActiveRecord::Base
translates :title
# This is needed to make the batch_translations to work.
accepts_nested_attributes_for :translations
...
end
<%= form_for(@admin_article, :url => admin_article_path) do |f| %>
<%= f.label :title %><br />
English translation:
<%= f.text_field :title %>
Italiano translation:
<%
# Note: I am using the '<%= f...' instad of '<% f...' otherwise
# batch_translations doesn't output the input field in the
# front-end content.
%>
<%= f.globalize_fields_for :it do |g| %>
<%= g.text_field :title %>
<% end %>
<% end %>
class Admin::ArticlesController < ApplicationController
def update
@admin_article = Article.find(params[:id])
respond_to do |format|
if @admin_article.update_attributes(params[:article])
format.html { redirect_to admin_article_path(@admin_erticle), notice: 'Article was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: "edit" }
format.json { render json: @admin_article.errors, status: :unprocessable_entity }
end
end
end
...
end
gem 'globalize3', '~> 0.2.0'
gem 'batch_translations', '~> 0.1.2'
config.i18n.available_locales = [:es, :en]
在我的模型(category.rb)中,我有:
在我的翻译文件中,我有:
恩·伊梅尔
en:
locale_selector:
es: 'Spanish'
en: 'English'
埃斯·伊梅尔
en:
locale_selector:
es: 'Español'
en: 'Inglés'
在我的视图文件(_form.html.erb)中,我有:
()
()
正如您所看到的,问题在于Rails3.2需要知道哪些属性可以访问,但是globalize没有指定这一点。因此,我在我的模型(Category)中使用attr_accessible来定义它,但我也需要为翻译添加它,因此我在同一文件中添加了几行,以设置此模型中每个翻译的可访问名称(Category::translation.class_eval)