Actions
Bug #14253
closedSaving dashboard widget positions fails under Rails 4.2
Difficulty:
Triaged:
Description
Under Rails 4.2, the dashboard widget save button fails as it's attempting to do mass-assignment:
2016-03-17T16:29:06 [app] [I] Started POST "/widgets/save_positions" for 127.0.0.1 at 2016-03-17 16:29:06 +0000 2016-03-17T16:29:06 [app] [I] Processing by DashboardController#save_positions as JSON 2016-03-17T16:29:06 [app] [I] Parameters: {"widgets"=>{"131"=>{"hide"=>"false", "col"=>"1", "row"=>"1", "sizex"=>"8", "sizey"=>"1"}, "132"=>{"hide"=>"false", "col"=>"9", "row"=>"1", "sizex"=>"4", "sizey"=>"1"}, "133"=>{"hide"=>"false", "col"=>"1", "row"=>"2", "sizex"=> "6", "sizey"=>"1"}, "134"=>{"hide"=>"false", "col"=>"7", "row"=>"2", "sizex"=>"6", "sizey"=>"1"}}} 2016-03-17T16:29:06 [sql] [D] ActiveRecord::SessionStore::Session Load (0.1ms) SELECT "sessions".* FROM "sessions" WHERE "sessions"."session_id" = ? ORDER BY "sessions"."id" ASC LIMIT 1 [["session_id", "455ee386086b45496e75214fc3334d15"]] 2016-03-17T16:29:06 [sql] [D] User Load (0.1ms) SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1 [["id", 24]] 2016-03-17T16:29:06 [app] [D] Setting current user thread-local variable to admin 2016-03-17T16:29:06 [sql] [D] Setting Load (0.1ms) SELECT "settings".* FROM "settings" WHERE "settings"."name" = ? ORDER BY "settings"."name" ASC LIMIT 1 [["name", "authorize_login_delegation_api"]] 2016-03-17T16:29:06 [sql] [D] AuthSource Load (0.1ms) SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = ? LIMIT 1 [["id", 1]] 2016-03-17T16:29:06 [sql] [D] Widget Load (0.2ms) SELECT "widgets".* FROM "widgets" WHERE "widgets"."user_id" = ? AND (id = 131) ORDER BY "widgets"."id" ASC LIMIT 1 [["user_id", 24]] 2016-03-17T16:29:06 [sql] [D] (0.2ms) begin transaction 2016-03-17T16:29:06 [sql] [D] (0.1ms) rollback transaction 2016-03-17T16:29:06 [app] [W] Failed to save positions | ActiveModel::ForbiddenAttributesError: ActiveModel::ForbiddenAttributesError | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activemodel-4.2.6/lib/active_model/forbidden_attributes_protection.rb:21:in `sanitize_for_mass_assignment' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_model/mass_assignment_security.rb:354:in `sanitize_for_mass_assignment' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_record/mass_assignment_security/attribute_assignment.rb:58:in `assign_attributes' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_record/mass_assignment_security/persistence.rb:64:in `block in update' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/transactions.rb:351:in `block in with_transaction_returning_status' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `block in transaction' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/connection_adapters/abstract/transaction.rb:184:in `within_new_transaction' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `transaction' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/transactions.rb:220:in `transaction' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/transactions.rb:348:in `with_transaction_returning_status' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_record/mass_assignment_security/persistence.rb:63:in `update' | /home/dcleal/code/foreman/foreman/app/controllers/dashboard_controller.rb:44:in `block in save_positions' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/actionpack-4.2.6/lib/action_controller/metal/strong_parameters.rb:185:in `each_pair' | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/actionpack-4.2.6/lib/action_controller/metal/strong_parameters.rb:185:in `each_pair' | /home/dcleal/code/foreman/foreman/app/controllers/dashboard_controller.rb:42:in `save_positions'
The Widget model doesn't have attr_accessible. This doesn't seem to affect develop with Rails 4.1, but 4.2 is stricter.
The dashboard controller is missing functional tests which would have caught this on the rails42 branch before now.
Updated by Dominic Cleal over 8 years ago
- Related to Bug #7568: Use attr_accessible for rails 4 upgrade added
Updated by Dominic Cleal over 8 years ago
- Related to Feature #13244: Upgrade Ruby on Rails to 4.2 added
Updated by The Foreman Bot over 8 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3344 added
Updated by Dominic Cleal over 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 38987e042c1bdd55b259ee6a7fa34403341c8d80.
Updated by Dominic Cleal over 8 years ago
- Translation missing: en.field_release set to 141
Updated by Ondřej Pražák over 8 years ago
- Related to Bug #15001: Widgets on policy dashboard break the page added
Updated by The Foreman Bot over 8 years ago
- Pull request https://github.com/theforeman/foreman_openscap/pull/168 added
Actions