サーバーサイドのオートコンプリートリソースに強いパラメータを使用して

Question

を再生します。但し、attr_accessibleが廃止されたRails 5を使用している点を除いてthis railscastで再生します。 VenueSuggestionは、ユーザーがフォームの関連フィールドに何かを入力すると、db内の会場を提案するためのリソースです。私が今直面している問題は、dbの内容と一致するものを入力し始めると、検索結果がないことです。

モデル：

class VenueSuggestion < ApplicationRecord 

    # should anything go in place of attr_accessible? 

    def self.terms_for(prefix) 
    suggestions = where("term like ?", "#{prefix}_%") 
    suggestions.order("popularity desc").limit(10).pluck(:term) 
    end 

    def self.index_venues 
    Venue.find_each do |venue| 
     index_term(venue.name) 
     index_term(venue.address) 
     venue.name.split.each { |t| index_term(t) } 
    end 
    end 

    def self.index_term(term) 
    where(term: term.downcase).first_or_initialize.tap do |suggestion| 
     suggestion.increment! :popularity 
    end 
    end 
end 

コントローラ：

class VenueSuggestionsController < ApplicationController 
    #is this right? 
    def create 
    VenueSuggestion.create(params[:venue_suggestion]) 
    end 

    def index 
    render json: VenueSuggestion.terms_for(params[:term]) 
    end 

    # is this right? 
    private 
     def venue_suggestion_params 
      params.require(:venue_suggestion).permit(:term, :popularity) 
     end 
end 

rakeタスク：

namespace :venue_suggestions do 
    desc "Generate venue suggestions for event form" 
    task :index => :environment do 
    VenueSuggestion.index_venues 
    end 
end 

ログに示すもの：

Started GET "/venue_suggestions?term=sp" for ::1 at 2016-05-25 21:27:31 -0400 
Processing by VenueSuggestionsController#index as JSON 
    Parameters: {"term"=>"sp"} 
    (1.4ms) SELECT "venue_suggestions"."term" FROM "venue_suggestions" WHERE (term like 'sp_%') ORDER BY popularity desc LIMIT $1 [["LIMIT", 10]] 
[active_model_serializers] Rendered ActiveModel::Serializer::CollectionSerializer with ActiveModelSerializers::Adapter::Attributes (0.06ms) 
Completed 200 OK in 4ms (Views: 0.6ms | ActiveRecord: 1.4ms) 

Answer 1

強力なparams機能は、エンドユーザー割り当てから属性を保護するためのインターフェイスを提供します。これにより、アクションコントローラのパラメータは、ホワイトリストに登録されるまでアクティブモデルの質量割り当てで使用することを禁止されます。

class PeopleController < ActionController::Base 
    # Using "Person.create(params[:person])" would raise an 
    # ActiveModel::ForbiddenAttributes exception because it'd 
    # be using mass assignment without an explicit permit step. 
    # This is the recommended form: 
    def create 
    Person.create(person_params) 
    end 

    # This will pass with flying colors as long as there's a person key in the 
    # parameters, otherwise it'll raise an ActionController::MissingParameter 
    # exception, which will get caught by ActionController::Base and turned 
    # into a 400 Bad Request reply. 
    def update 
    redirect_to current_account.people.find(params[:id]).tap { |person| 
     person.update!(person_params) 
    } 
    end 

    private 
    # Using a private method to encapsulate the permissible parameters is 
    # just a good pattern since you'll be able to reuse the same permit 
    # list between create and update. Also, you can specialize this method 
    # with per-user checking of permissible attributes. 
    def person_params 
     params.require(:person).permit(:name, :age) 
    end 
end 

params = ActionController::Parameters.new(venue_suggestion: { term: "something" }) 

源のように、あなたが何かをvenue_suggestions内の用語を指定する必要がありますことを忘れないでください：http://edgeapi.rubyonrails.org/classes/ActionController/StrongParameters.html