Bug #14253

Saving dashboard widget positions fails under Rails 4.2

Added by Dominic Cleal about 4 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: Dashboard
Target version:
Difficulty:
Triaged:
Bugzilla link:

Description

Under Rails 4.2, the dashboard widget save button fails as it's attempting to do mass-assignment:

2016-03-17T16:29:06 [app] [I] Started POST "/widgets/save_positions" for 127.0.0.1 at 2016-03-17 16:29:06 +0000
2016-03-17T16:29:06 [app] [I] Processing by DashboardController#save_positions as JSON
2016-03-17T16:29:06 [app] [I]   Parameters: {"widgets"=>{"131"=>{"hide"=>"false", "col"=>"1", "row"=>"1", "sizex"=>"8", "sizey"=>"1"}, "132"=>{"hide"=>"false", "col"=>"9", "row"=>"1", "sizex"=>"4", "sizey"=>"1"}, "133"=>{"hide"=>"false", "col"=>"1", "row"=>"2", "sizex"=>"6", "sizey"=>"1"}, "134"=>{"hide"=>"false", "col"=>"7", "row"=>"2", "sizex"=>"6", "sizey"=>"1"}}}
2016-03-17T16:29:06 [sql] [D]   ActiveRecord::SessionStore::Session Load (0.1ms)  SELECT  "sessions".* FROM "sessions" WHERE "sessions"."session_id" = ?  ORDER BY "sessions"."id" ASC LIMIT 1  [["session_id", "455ee386086b45496e75214fc3334d15"]]
2016-03-17T16:29:06 [sql] [D]   User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 24]]
2016-03-17T16:29:06 [app] [D] Setting current user thread-local variable to admin
2016-03-17T16:29:06 [sql] [D]   Setting Load (0.1ms)  SELECT  "settings".* FROM "settings" WHERE "settings"."name" = ?  ORDER BY "settings"."name" ASC LIMIT 1  [["name", "authorize_login_delegation_api"]]
2016-03-17T16:29:06 [sql] [D]   AuthSource Load (0.1ms)  SELECT  "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = ? LIMIT 1  [["id", 1]]
2016-03-17T16:29:06 [sql] [D]   Widget Load (0.2ms)  SELECT  "widgets".* FROM "widgets" WHERE "widgets"."user_id" = ? AND (id = 131)  ORDER BY "widgets"."id" ASC LIMIT 1  [["user_id", 24]]
2016-03-17T16:29:06 [sql] [D]    (0.2ms)  begin transaction
2016-03-17T16:29:06 [sql] [D]    (0.1ms)  rollback transaction
2016-03-17T16:29:06 [app] [W] Failed to save positions
 | ActiveModel::ForbiddenAttributesError: ActiveModel::ForbiddenAttributesError
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activemodel-4.2.6/lib/active_model/forbidden_attributes_protection.rb:21:in `sanitize_for_mass_assignment'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_model/mass_assignment_security.rb:354:in `sanitize_for_mass_assignment'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_record/mass_assignment_security/attribute_assignment.rb:58:in `assign_attributes'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_record/mass_assignment_security/persistence.rb:64:in `block in update'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/transactions.rb:351:in `block in with_transaction_returning_status'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `block in transaction'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/connection_adapters/abstract/transaction.rb:184:in `within_new_transaction'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `transaction'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/transactions.rb:220:in `transaction'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/transactions.rb:348:in `with_transaction_returning_status'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_record/mass_assignment_security/persistence.rb:63:in `update'
 | /home/dcleal/code/foreman/foreman/app/controllers/dashboard_controller.rb:44:in `block in save_positions'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/actionpack-4.2.6/lib/action_controller/metal/strong_parameters.rb:185:in `each_pair'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/actionpack-4.2.6/lib/action_controller/metal/strong_parameters.rb:185:in `each_pair'
 | /home/dcleal/code/foreman/foreman/app/controllers/dashboard_controller.rb:42:in `save_positions'

The Widget model doesn't have attr_accessible. This doesn't seem to affect develop with Rails 4.1, but 4.2 is stricter.

The dashboard controller is missing functional tests which would have caught this on the rails42 branch before now.
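The failure above and the fix recorded in the associated revisions (declare the position/view attributes as accessible, keep template and name protected) come down to two layers of mass-assignment protection. The following plain-Ruby model of those layers is an added example, not Foreman's code or the protected_attributes gem's code; `Params`, `Model`, `LegacyWidget`, `Widget`, `save_positions`, `build_widgets` and the request data are all constructed for it, and the sanitizer logic is an assumed simplification of the gem's behaviour as the ticket describes it: a model with no `attr_accessible` falls through to the strong-parameters check and raises on an unpermitted parameters object, while a model with a whitelist silently drops keys outside it.

```ruby
# Stand-in for ActiveModel::ForbiddenAttributesError from the ticket's backtrace.
class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters (constructed for this example).
# Nested hashes come back wrapped, so params['widgets']['131'] is an
# unpermitted Params object unless permit was called on it.
class Params
  def initialize(hash, permitted = false)
    @hash = hash.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  def [](key)
    wrap(@hash[key.to_s])
  end

  def each_pair
    @hash.each_pair { |k, v| yield k, wrap(v) }
  end

  # Controller-side whitelist: keep only the listed keys and mark them permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@hash.select { |k, _| allowed.include?(k) }, true)
  end

  def to_h
    @hash.dup
  end

  private

  def wrap(value)
    value.is_a?(Hash) ? Params.new(value, @permitted) : value
  end
end

# Minimal ActiveRecord-like base with an attr_accessible-style whitelist.
class Model
  class << self
    attr_reader :accessible_attributes # nil means the model declared none

    def attr_accessible(*names)
      @accessible_attributes = names.map(&:to_s)
    end
  end

  attr_reader :attributes, :dropped

  def initialize(attrs = {})
    @attributes = stringify(attrs)
    @dropped = []
  end

  # update is the call made from DashboardController#save_positions in the
  # backtrace; every key passes through sanitize_for_mass_assignment first.
  def update(attrs)
    sanitize_for_mass_assignment(attrs).each { |k, v| @attributes[k] = v }
    true
  end

  private

  # Assumed simplification of the protected_attributes gem's behaviour.
  def sanitize_for_mass_assignment(attrs)
    whitelist = self.class.accessible_attributes
    if whitelist.nil?
      # No attr_accessible: strong-parameters rule, unpermitted Params raise.
      raise ForbiddenAttributesError if attrs.respond_to?(:permitted?) && !attrs.permitted?
      return stringify(attrs)
    end
    stringify(attrs).each_with_object({}) do |(k, v), kept|
      whitelist.include?(k) ? kept[k] = v : @dropped << k # gem logs dropped keys
    end
  end

  def stringify(attrs)
    attrs.to_h.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  end
end

class LegacyWidget < Model; end # the Widget model as the ticket found it

class Widget < Model # after the fix: only position/view attributes accessible
  attr_accessible :hide, :col, :row, :sizex, :sizey
end

# Mirrors the controller loop in the backtrace (each_pair over params['widgets'],
# then update on each widget). false stands for the "Failed to save positions" path.
def save_positions(widgets, params)
  params['widgets'].each_pair { |id, position| widgets.fetch(id).update(position) }
  true
rescue ForbiddenAttributesError
  false
end

# Constructed request shaped like the POST in the log, plus one key ('template')
# that this endpoint must never be able to change.
REQUEST = Params.new(
  'widgets' => {
    '131' => { 'hide' => 'false', 'col' => '1', 'row' => '1', 'sizex' => '8', 'sizey' => '1' },
    '132' => { 'hide' => 'false', 'col' => '9', 'row' => '1', 'sizex' => '4', 'sizey' => '1',
               'template' => 'changed' }
  }
)

def build_widgets(klass) # constructed sample rows
  { '131' => klass.new('name' => 'Hosts', 'template' => 'hosts', 'col' => '1', 'row' => '1'),
    '132' => klass.new('name' => 'Status', 'template' => 'status', 'col' => '1', 'row' => '2') }
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix saved: #{save_positions(build_widgets(LegacyWidget), REQUEST)}" # false
  fixed = build_widgets(Widget)
  puts "after fix saved:  #{save_positions(fixed, REQUEST)}" # true
  puts "132 col=#{fixed['132'].attributes['col']} template=#{fixed['132'].attributes['template']} dropped=#{fixed['132'].dropped.inspect}"
end
```

The before-fix run refuses the whole request (the transaction in the log rolls back), while the after-fix run saves the five position attributes and discards the extra `template` key, which is the property the new functional tests in the fix are meant to pin down.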

Related issues

Related to Foreman - Bug #7568: Use attr_accessible for rails 4 upgrade (Closed, 2014-09-22)
Related to Foreman - Feature #13244: Upgrade Ruby on Rails to 4.2 (Closed, 2016-01-15)
Related to OpenSCAP - Bug #15001: Widgets on policy dashboard break the page (Closed, 2016-05-11)

Associated revisions

Revision 38987e04 (diff)
Added by Dominic Cleal about 4 years ago

fixes #14253 - add attr_accessible to Widget

Add position/view related attributes to widget as accessible attributes
and protect data such as template and name. Under Rails 4.2, saving the
dashboard was failing due to attribute protection, so new functional
tests cover the whole controller.

Revision dd543c2f (diff)
Added by Dominic Cleal almost 4 years ago

fixes #14253 - add attr_accessible to Widget

Add position/view related attributes to widget as accessible attributes
and protect data such as template and name. Under Rails 4.2, saving the
dashboard was failing due to attribute protection, so new functional
tests cover the whole controller.

(cherry picked from commit 38987e042c1bdd55b259ee6a7fa34403341c8d80)

Revision dc22dab3 (diff)
Added by Ondřej Pražák almost 4 years ago

Fixes #14253 - Avoid mass assignment for policy widgets

Revision 55401687
Added by Marek Hulán almost 4 years ago

Merge pull request #168 from xprazak2/widg-attrs

Fixes #14253 - Avoid mass assignment for policy widgets

History

#1 Updated by Dominic Cleal about 4 years ago

  • Related to Bug #7568: Use attr_accessible for rails 4 upgrade added

#2 Updated by Dominic Cleal about 4 years ago

#3 Updated by The Foreman Bot about 4 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3344 added

#4 Updated by Dominic Cleal about 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Dominic Cleal about 4 years ago

  • Legacy Backlogs Release (now unused) set to 141

#6 Updated by Ondřej Pražák almost 4 years ago

  • Related to Bug #15001: Widgets on policy dashboard break the page added

#7 Updated by The Foreman Bot almost 4 years ago

  • Pull request https://github.com/theforeman/foreman_openscap/pull/168 added
