YIKES! Rails 4.1.5 requires you to use safe params for any param to `where` that `is_a? Hash`
For example, if you were doing a `Model.where` using `slice` to take some keys out of an object that derives from Hash, then your code will throw this error when you migrate from Rails 4.1.4 to Rails 4.1.5:
An ActiveModel::ForbiddenAttributesError occurred in omniauth_callbacks#facebook:
ActiveModel::ForbiddenAttributesError
In my case, I was calling this code:

```ruby
def find_for_facebook_oauth(auth)
  Authentication.where(auth.slice(:provider, :uid)).first.try(:user)
end
```
One fix is to call this:

```ruby
def find_for_facebook_oauth(auth)
  Authentication.where(provider: auth["provider"], uid: auth["uid"]).first.try(:user)
end
```
The problem is that `auth.slice(:provider, :uid)` returns a Hash (actually an OmniAuth::AuthHash, which is a Hashie::Mash, which is a Hash), and so it gets sanitized!
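To show why a Mash trips the check while a plain Hash does not, here is an added example that is not from the original post: it reproduces the sanitizing step in pure Ruby with a minimal stand-in for Hashie::Mash (the `permitted?` check mirrors what ActiveModel::ForbiddenAttributesProtection does, as I understand it; `MashLike`, `where` and `sample_auth` are stand-ins, not Rails or Hashie code).

```ruby
# Added example, not from the original post: a pure-Ruby stand-in for the
# Rails 4.1.5 behaviour, so it runs without Rails or Hashie installed.
class ForbiddenAttributesError < StandardError; end
# The check ActiveModel::ForbiddenAttributesProtection applies (as I understand it):
# anything that answers permitted? with false is treated as unpermitted params,
# while a plain Hash does not respond to permitted? at all and passes through.
def sanitize_for_mass_assignment(attributes)
  if attributes.respond_to?(:permitted?) && !attributes.permitted?
    raise ForbiddenAttributesError, "unpermitted #{attributes.class}"
  end
  attributes
end
# Minimal stand-in for Hashie::Mash (parent of OmniAuth::AuthHash): indifferent
# string keys, a slice that keeps the class, and a method_missing that answers
# "name?" with key?("name"). That last trait is why permitted? returns false.
class MashLike < Hash
  def [](key); super(key.to_s); end
  def []=(key, value); super(key.to_s, value); end
  def key?(key); super(key.to_s); end
  def slice(*keys)
    keys.each_with_object(self.class.new) { |k, out| out[k] = self[k] if key?(k) }
  end
  def method_missing(name, *args)
    name.to_s.end_with?("?") ? key?(name.to_s.chomp("?")) : super
  end
  def respond_to_missing?(name, include_private = false)
    name.to_s.end_with?("?") || super
  end
end
# Stand-in for Model.where: only the sanitizing step matters for this bug.
def where(conditions)
  sanitize_for_mass_assignment(conditions)
end
# Constructed sample of the auth object OmniAuth hands to the callback.
def sample_auth
  auth = MashLike.new
  auth[:provider] = "facebook"
  auth[:uid] = "12345"
  auth
end
# The post's original code: the sliced Mash answers permitted? => false, so
# where raises even though nothing here came from a request parameter.
def lookup_with_slice(auth)
  where(auth.slice(:provider, :uid))
end
# The post's fix: a plain Hash holding only the two keys you mean to query.
def lookup_with_explicit_keys(auth)
  where(provider: auth["provider"], uid: auth["uid"])
end
```

The same reasoning tells you which `where` calls to audit: any whose argument is a Hash subclass that duck-types `permitted?`, not just ones fed from `params`.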
Here’s the change:
What is the recommendation for this? Do we need to inspect all places where `where` gets used? The problem is that `where` is at the model level, and secure params is at the controller level.