为什么 Rails 一直告诉我未经允许的参数，即使我已经允许了？答案

【问题标题】：Why does Rails keep telling me unpermitted parameter even though I have permitted it?为什么 Rails 一直告诉我未经允许的参数，即使我已经允许了？
【发布时间】：2016-11-17 07:27:30
【问题描述】：

我有一个 Profile 模型，它具有以下内容：

  has_many :transcripts, dependent: :destroy
  accepts_nested_attributes_for :transcripts, allow_destroy: true

在我的 Transcript 模型上，我有以下内容：

include TranscriptUploader[:attachment]

这是一个神殿上传器坐骑。

在我的app/views/profile/_form.html.erb 中，我有以下内容：

    <div id="transcripts" class="text-center">
      <% if @profile.transcripts.any? %>
        <% @profile.transcripts.each do |transcript| %>
          <%= link_to "Click to view Transcript", transcript.url %>
        <% end %>
      <% end %>

      <%= f.simple_fields_for :transcripts do |transcript| %>
        <%= render 'transcript_fields', f: transcript %>
      <% end %>
      <br />
      <div class="links">
        <%= link_to_add_association 'Add Transcript', f, :transcripts, class: "btn btn-success add-transcript-button" %>
      </div>
    </div>

然后在我的views/profiles/_transcript_fields.html.erb 中，我有以下内容：

<%= f.file_field :attachment, multiple: true, class: 'col-lg-4 form-control' %>

在我的ProfilesController 中，我有以下内容：

# truncated for brevity
def profile_params
  params.require(:profile).permit(:id, :first_name, :last_name, :dob, :height, :weight, :bib_color, :attachment, :remove_transcript, :transcript_cache, transcripts_attributes: [:id, :url, :name, :attachment, :attachment_data, :remove_transcript, :url_cache, :_destroy])
end

到目前为止一切都很好，对吧？

但是当我去添加一个新的配置文件时，我的日志是这样的：

Started POST "/profiles" for ::1 at 2016-11-17 01:47:05 -0500
Processing by ProfilesController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"JDMTXHFCIaB3TFmCOQ==", "profile"=>{"avatar"=>"", "first_name"=>"Jack", "last_name"=>"BeNimble", "dob(3i)"=>"17", "dob(2i)"=>"11", "dob(1i)"=>"1986", "transcripts_attributes"=>{"1479365203532"=>{"attachment"=>[#<ActionDispatch::Http::UploadedFile:0x007f8901918700 @tempfile=#<Tempfile:/var/folders/0f/0gn/T/RackMultipart20161117-29277-msvds1.pdf>, @original_filename="Some-Awesome-File.pdf", @content_type="application/pdf", @headers="Content-Disposition: form-data; name=\"profile[transcripts_attributes][1479365203532][attachment][]\"; filename=\"Some-Awesome-File.pdf\"\r\nContent-Type: application/pdf\r\n">], "_destroy"=>"false"}}, "commit"=>"Create Profile"}
  User Load (2.8ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT $2  [["id", 2], ["LIMIT", 1]]
  Role Load (1.3ms)  SELECT "roles".* FROM "roles" INNER JOIN "users_roles" ON "roles"."id" = "users_roles"."role_id" WHERE "users_roles"."user_id" = $1 AND (((roles.name = 'admin') AND (roles.resource_type IS NULL) AND (roles.resource_id IS NULL)))  [["user_id", 2]]
  Role Load (2.3ms)  SELECT "roles".* FROM "roles" INNER JOIN "users_roles" ON "roles"."id" = "users_roles"."role_id" WHERE "users_roles"."user_id" = $1 AND (((roles.name = 'coach') AND (roles.resource_type IS NULL) AND (roles.resource_id IS NULL)))  [["user_id", 2]]
  Role Load (2.5ms)  SELECT "roles".* FROM "roles" INNER JOIN "users_roles" ON "roles"."id" = "users_roles"."role_id" WHERE "users_roles"."user_id" = $1 AND (((roles.name = 'player') AND (roles.resource_type IS NULL) AND (roles.resource_id IS NULL)))  [["user_id", 2]]
   (3.9ms)  SELECT COUNT(*) FROM "roles" INNER JOIN "users_roles" ON "roles"."id" = "users_roles"."role_id" WHERE "users_roles"."user_id" = $1 AND (((roles.name = 'admin') AND (roles.resource_type IS NULL) AND (roles.resource_id IS NULL)) OR ((roles.name = 'coach') AND (roles.resource_type IS NULL) AND (roles.resource_id IS NULL)))  [["user_id", 2]]
Unpermitted parameter: attachment
  Tournament Load (1.1ms)  SELECT "tournaments".* FROM "tournaments" WHERE "tournaments"."id" = 1
   (5.0ms)  SELECT COUNT(*) FROM "profiles" INNER JOIN "profiles_tournaments" ON "profiles"."id" = "profiles_tournaments"."profile_id" WHERE "profiles_tournaments"."tournament_id" = $1  [["tournament_id", 1]]
   (0.9ms)  BEGIN
   (1.5ms)  COMMIT
  Position Load (2.1ms)  SELECT "positions".* FROM "positions" WHERE 1=0
Unpermitted parameter: attachment
   (0.7ms)  BEGIN
  School Load (1.2ms)  SELECT  "schools".* FROM "schools" WHERE "schools"."id" = $1 LIMIT $2  [["id", 1], ["LIMIT", 1]]
  Profile Exists (3.7ms)  SELECT  1 AS one FROM "profiles" WHERE ("profiles"."id" IS NOT NULL) AND "profiles"."slug" = $1 LIMIT $2  [["slug", "jack-benimble-st-george-s-college"], ["LIMIT", 1]]
  SQL (23.3ms)  INSERT INTO "profiles" ("first_name", "last_name", "dob", "bib_color", "created_at", "updated_at", "player_type", "school_id", "grade", "slug", "home_phone", "cell_phone", "email") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13) RETURNING "id"  [["first_name", "Jack"], ["last_name", "BeNimble"], ["dob", Mon, 17 Nov 1986], ["bib_color", ""], ["created_at", 2016-11-17 06:47:05 UTC], ["updated_at", 2016-11-17 06:47:05 UTC], ["player_type", 0], ["school_id", 1], ["grade", ""], ["slug", "jack-benimble-st-george-s-college"], ["home_phone", ""], ["cell_phone", ""], ["email", ""]]
  SQL (3.5ms)  INSERT INTO "transcripts" ("profile_id", "created_at", "updated_at") VALUES ($1, $2, $3) RETURNING "id"  [["profile_id", 46], ["created_at", 2016-11-17 06:47:05 UTC], ["updated_at", 2016-11-17 06:47:05 UTC]]
  Profile Load (2.8ms)  SELECT  "profiles".* FROM "profiles" WHERE "profiles"."id" = $1 LIMIT $2  [["id", 46], ["LIMIT", 1]]
  SQL (1.7ms)  INSERT INTO "profiles_tournaments" ("profile_id", "tournament_id") VALUES ($1, $2)  [["profile_id", 46], ["tournament_id", 1]]
   (2.6ms)  COMMIT
  Profile Store (150.2ms)  {"id":46}
  Profile Store (135.8ms)  {"id":46}
Unpermitted parameter: attachment
Redirected to http://localhost:3000/profiles/jack-benimble-st-george-s-college
Completed 302 Found in 499ms (Searchkick: 286.0ms | ActiveRecord: 91.8ms)

当我也为编辑操作执行此操作时，我看到了类似的内容。

请注意，在我的profile_params 中，我在两个地方声明了:attachment。在 transcript_attributes 散列中和普通属性列表中。

这可能是什么原因造成的？我错过了什么？

编辑 1

更新参数：

def profile_params
  params.require(:profile).permit(
    :id, :first_name, :last_name, :dob, :height, :weight,
    :bib_color, :parent_name, :sat_score, :video_url, :avatar,
    :remove_avatar, :avatar_cache, :player_type, :school_id, :grade, :email, 
    :cell_phone, :home_phone, tournament_ids: [], position_ids: [], 
    grades_attributes: [:id, :subject, :result, :grade_type, :_destroy], 
    achievements_attributes: [:id, :body, :achievement_type, :_destroy], 
    articles_attributes: [:id, :title, :url, :source, :_destroy], 
    videos_attributes: [:id, :url, :video, :vimeo_url, :vimeo_embed_code, :official, 
                        :video_cache, :remove_video, :_destroy], 
    transcripts_attributes: [:id, :url, :name, :attachment_data, :remove_transcript, 
                             :url_cache, :_destroy], 
    attachment: [])
end

【问题讨论】：

您能否展示一下这部分的外观：` `
附件是数组吗？
@LukaszMuzyka 上面第一行中已经说明了这一点：views/profiles/_transcript_fields.html.erb。
@marcamillion 抱歉错过了..

标签： ruby-on-rails ruby-on-rails-5 strong-parameters

【解决方案1】：

对于数组值，您必须这样声明它们。对于简单字符串数组，它可以是这个。

.permit(:foo, :bar, ..., attachment: [])

如果您有一个对象数组，您可以将对象的属性列入白名单

.permit(:foo, :bar, ..., attachment: [:prop1, :prop3])

顺便说一下：Hash and Array parameters。

【讨论】：

就是这样，所以我使用 Shrine gem 来处理上传。这要求我添加一个attribute_data，它是模型上的一个文本字段。所以在我的Transcript 模型上，我有这个：# attachment_data :text。这就是为什么在我的profile_params 中，我有transcripts_attributes: [:id, :url, :name, :attachment, :attachment_data, :remove_transcript, :url_cache, :_destroy]。请注意该列表中的attachment。
@marcamillion 我在该列表中看到了附件。我还看到了多选文件输入。
为了它，我将attachment: [] 添加到我的允许参数列表中，它仍然不起作用，仍然给我Unpermitted parameter: attachment 错误。
@marcamillion：你删除了另一个附件吗？并重启了服务器，以防万一？
嗯……不。好的，让我试试。编辑：好的，我刚试过......同样的问题。同样的错误。