Bug #14253: Saving dashboard widget positions fails under Rails 4.2
Status: closed
Description
Under Rails 4.2, the dashboard widget save button fails as it's attempting to do mass-assignment:
2016-03-17T16:29:06 [app] [I] Started POST "/widgets/save_positions" for 127.0.0.1 at 2016-03-17 16:29:06 +0000
2016-03-17T16:29:06 [app] [I] Processing by DashboardController#save_positions as JSON
2016-03-17T16:29:06 [app] [I] Parameters: {"widgets"=>{"131"=>{"hide"=>"false", "col"=>"1", "row"=>"1", "sizex"=>"8", "sizey"=>"1"}, "132"=>{"hide"=>"false", "col"=>"9", "row"=>"1", "sizex"=>"4", "sizey"=>"1"}, "133"=>{"hide"=>"false", "col"=>"1", "row"=>"2", "sizex"=>"6", "sizey"=>"1"}, "134"=>{"hide"=>"false", "col"=>"7", "row"=>"2", "sizex"=>"6", "sizey"=>"1"}}}
2016-03-17T16:29:06 [sql] [D] ActiveRecord::SessionStore::Session Load (0.1ms) SELECT "sessions".* FROM "sessions" WHERE "sessions"."session_id" = ? ORDER BY "sessions"."id" ASC LIMIT 1 [["session_id", "455ee386086b45496e75214fc3334d15"]]
2016-03-17T16:29:06 [sql] [D] User Load (0.1ms) SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1 [["id", 24]]
2016-03-17T16:29:06 [app] [D] Setting current user thread-local variable to admin
2016-03-17T16:29:06 [sql] [D] Setting Load (0.1ms) SELECT "settings".* FROM "settings" WHERE "settings"."name" = ? ORDER BY "settings"."name" ASC LIMIT 1 [["name", "authorize_login_delegation_api"]]
2016-03-17T16:29:06 [sql] [D] AuthSource Load (0.1ms) SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = ? LIMIT 1 [["id", 1]]
2016-03-17T16:29:06 [sql] [D] Widget Load (0.2ms) SELECT "widgets".* FROM "widgets" WHERE "widgets"."user_id" = ? AND (id = 131) ORDER BY "widgets"."id" ASC LIMIT 1 [["user_id", 24]]
2016-03-17T16:29:06 [sql] [D] (0.2ms) begin transaction
2016-03-17T16:29:06 [sql] [D] (0.1ms) rollback transaction
2016-03-17T16:29:06 [app] [W] Failed to save positions
 | ActiveModel::ForbiddenAttributesError: ActiveModel::ForbiddenAttributesError
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activemodel-4.2.6/lib/active_model/forbidden_attributes_protection.rb:21:in `sanitize_for_mass_assignment'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_model/mass_assignment_security.rb:354:in `sanitize_for_mass_assignment'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_record/mass_assignment_security/attribute_assignment.rb:58:in `assign_attributes'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_record/mass_assignment_security/persistence.rb:64:in `block in update'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/transactions.rb:351:in `block in with_transaction_returning_status'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `block in transaction'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/connection_adapters/abstract/transaction.rb:184:in `within_new_transaction'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `transaction'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/transactions.rb:220:in `transaction'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/activerecord-4.2.6/lib/active_record/transactions.rb:348:in `with_transaction_returning_status'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/protected_attributes-1.1.3/lib/active_record/mass_assignment_security/persistence.rb:63:in `update'
 | /home/dcleal/code/foreman/foreman/app/controllers/dashboard_controller.rb:44:in `block in save_positions'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/actionpack-4.2.6/lib/action_controller/metal/strong_parameters.rb:185:in `each_pair'
 | /home/dcleal/.rvm/gems/ruby-2.0.0-p353@foreman/gems/actionpack-4.2.6/lib/action_controller/metal/strong_parameters.rb:185:in `each_pair'
 | /home/dcleal/code/foreman/foreman/app/controllers/dashboard_controller.rb:42:in `save_positions'
The Widget model doesn't have attr_accessible. This doesn't seem to affect develop with Rails 4.1, but 4.2 is stricter.
The dashboard controller is missing functional tests which would have caught this on the rails42 branch before now.
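As an added example that is not part of this report or of Foreman's own code, the following dependency-free Ruby re-creates the check that fires in the backtrace above (an unpermitted Parameters object handed to update, which sanitize_for_mass_assignment rejects before any attribute is written) next to the strong-parameters shape that passes it. Params, Widget, the two controller-style methods and the request body are stand-ins: the constructed body reuses two widgets from the logged parameters and adds a "user_id" key that a client could smuggle in, to show that permit drops it rather than assigning it.

```ruby
# Added example, not Foreman's code: a minimal model of Rails 4.2's
# ForbiddenAttributesProtection and of the strong-parameters fix for it.

ForbiddenAttributesError = Class.new(StandardError)

# Stand-in for ActionController::Parameters: a Hash that knows whether it
# has been explicitly permitted. Nested hashes are wrapped the same way,
# which is why the per-widget hash in the log is itself unpermitted.
class Params < Hash
  def initialize(hash = {})
    super()
    hash.each { |k, v| self[k.to_s] = v.is_a?(Hash) ? Params.new(v) : v }
    @permitted = false
  end

  def permitted?
    @permitted
  end

  # Return a new, permitted Params holding only the whitelisted keys.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(select { |k, _| allowed.include?(k) })
          .tap { |p| p.instance_variable_set(:@permitted, true) }
  end
end

# Stand-in for the ActiveRecord model. Like Foreman's Widget it declares no
# attr_accessible, so an unpermitted Parameters object is refused outright.
class Widget
  attr_reader :id, :user_id, :attributes

  def initialize(id, user_id)
    @id, @user_id, @attributes = id, user_id, {}
  end

  # Mirrors ActiveModel::ForbiddenAttributesProtection#sanitize_for_mass_assignment:
  # the check happens before any attribute is written, inside the transaction
  # that the log shows being rolled back.
  def update(attrs)
    raise ForbiddenAttributesError if attrs.respond_to?(:permitted?) && !attrs.permitted?
    attrs.each { |k, v| @attributes[k] = v }
    true
  end
end

CURRENT_USER_ID = 24                          # "User Load ... [["id", 24]]" in the log
WIDGET_POSITION_KEYS = %w[hide col row sizex sizey]

# Constructed request body (assumption): widgets 131 and 132 as logged, plus an
# extra "user_id" key that a client could add to try to reassign widget 131.
RAW_PARAMS = {
  "widgets" => {
    "131" => { "hide" => "false", "col" => "1", "row" => "1", "sizex" => "8", "sizey" => "1", "user_id" => "1" },
    "132" => { "hide" => "false", "col" => "9", "row" => "1", "sizex" => "4", "sizey" => "1" },
  },
}

# The failing shape: the raw per-widget hash goes straight into update, the
# pattern the backtrace shows at dashboard_controller.rb:44.
def save_positions_unpermitted(raw)
  params = Params.new(raw)
  params["widgets"].each_pair do |id, position|
    Widget.new(id.to_i, CURRENT_USER_ID).update(position)
  end
  true
end

# The fix: permit only the layout keys. ForbiddenAttributesError cannot fire,
# and a smuggled "user_id" is silently dropped instead of assigned.
def save_positions_permitted(raw)
  params = Params.new(raw)
  params["widgets"].each_with_object({}) do |(id, position), saved|
    widget = Widget.new(id.to_i, CURRENT_USER_ID)
    widget.update(position.permit(*WIDGET_POSITION_KEYS))
    saved[widget.id] = widget.attributes
  end
end

if __FILE__ == $PROGRAM_NAME
  begin
    save_positions_unpermitted(RAW_PARAMS)
  rescue ForbiddenAttributesError => e
    puts "unpermitted params rejected: #{e.class}"
  end
  p save_positions_permitted(RAW_PARAMS)
end
```

The whitelist, not the model, is what decides which keys reach the database here; a functional test that posts the logged body (and one with an extra key) against save_positions is the check that would have caught the regression the report describes.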