permit password param on sign in #2440

Closed
nathantsoi wants to merge 1 commit into heartcombo:rails4 from nathantsoi:rails4

@nathantsoi

without this, I'm seeing:

Unpermitted parameters: password

@latortuga
Contributor

Can you supply your rails version, devise version, and a failing test?

@bitencode

This is happening on my apps also. Rails 4.0.0.rc1, Devise 3.0.0.rc. Using an existing user (email) and the correct password works fine. If you mis-type a user name (email address) or use a non-existent user or mis-type/use invalid password then when Devise goes to re-render the login form the password parameter is already in the params hash and the Unpermitted parameters: password error is raised.

@latortuga
Contributor

I cannot reproduce this failure on the most up to date master. First, I created a user and then I POSTed to SessionsController with an incorrect email. No error is raised.

I have a few suspicions:

  • Have you overridden any controller actions?
  • Have you overridden in your model: #find_first_by_auth_conditions or #find_for_authentication?

@bitencode

Hi @latortuga,
Thanks for looking into this.

  • I used to have some overridden controllers when I was using strong parameters in Rails 3.2 and Devise 2.x, but I have removed them with Rails 4.0 and Devise 3.0.
  • There are no overrides in the user model. (Unless Invitable is over-riding them - I haven't looked yet).

The error is not happening during the POST - it happens after the redirect and Devise::SessionController#new is processing.
I will also try to spend some time to hunt this down in my app, but I have a feature I have to finish today, so maybe later...

Here is a backtrace in case it helps:

I, [2013-06-04T10:35:23.514225 #50530]  INFO -- : Started GET "/users/sign_in" for 127.0.0.1 at 2013-06-04 10:35:23 -0700
I, [2013-06-04T10:35:23.518522 #50530]  INFO -- : Processing by Devise::SessionsController#new as HTML
I, [2013-06-04T10:35:23.527508 #50530]  INFO -- :   Rendered devise/shared/_links.html.slim (1.2ms)
I, [2013-06-04T10:35:23.533145 #50530]  INFO -- :   Rendered devise/sessions/new.html.slim within layouts/application (7.6ms)
I, [2013-06-04T10:35:23.542834 #50530]  INFO -- :   Rendered layouts/_common_head.html.slim (8.6ms)
I, [2013-06-04T10:35:23.547888 #50530]  INFO -- :   Rendered layouts/_navigation.html.slim (3.5ms)
I, [2013-06-04T10:35:23.602523 #50530]  INFO -- :   Rendered layouts/_messages.html.slim (0.7ms)
I, [2013-06-04T10:35:23.603282 #50530]  INFO -- : Completed 200 OK in 84ms (Views: 80.8ms)
D, [2013-06-04T10:35:27.788350 #50530] DEBUG -- :
D, [2013-06-04T10:35:27.788483 #50530] DEBUG -- :
I, [2013-06-04T10:35:27.788585 #50530]  INFO -- : Started POST "/users/sign_in" for 127.0.0.1 at 2013-06-04 10:35:27 -0700
I, [2013-06-04T10:35:27.792400 #50530]  INFO -- : Processing by Devise::SessionsController#create as HTML
I, [2013-06-04T10:35:27.792483 #50530]  INFO -- :   Parameters: {"utf8"=>"✓", "authenticity_token"=>"<auth_token>", "user"=>{"email"=>"person@example.com", "password"=>"[FILTERED]"}}
D   User Load (0.9ms)  SELECT "users".* FROM "users" WHERE "users"."email" = 'person@example.com' LIMIT 1
I, [2013-06-04T10:35:27.890896 #50530]  INFO -- : Completed 401 Unauthorized in 98ms
I, [2013-06-04T10:35:27.898309 #50530]  INFO -- : Processing by Devise::SessionsController#new as HTML
I, [2013-06-04T10:35:27.898509 #50530]  INFO -- :   Parameters: {"utf8"=>"✓", "authenticity_token"=>"<auth_token>", "user"=>{"email"=>"person@example.com", "password"=>"[FILTERED]"}}
I, [2013-06-04T10:35:27.900067 #50530]  INFO -- : Completed 500 Internal Server Error in 1ms
F, [2013-06-04T10:35:27.904713 #50530] FATAL -- :
ActionController::UnpermittedParameters - found unpermitted parameters: password:
  actionpack (4.0.0.rc1) lib/action_controller/metal/strong_parameters.rb:348:in `unpermitted_parameters!'
  actionpack (4.0.0.rc1) lib/action_controller/metal/strong_parameters.rb:259:in `permit'
  devise (3.0.0.rc) lib/devise/parameter_sanitizer.rb:44:in `sign_in'
  devise (3.0.0.rc) lib/devise/parameter_sanitizer.rb:37:in `fallback_for'
  devise (3.0.0.rc) lib/devise/parameter_sanitizer.rb:17:in `for'
  devise (3.0.0.rc) app/controllers/devise/sessions_controller.rb:38:in `sign_in_params'
  devise (3.0.0.rc) app/controllers/devise/sessions_controller.rb:8:in `new'
  actionpack (4.0.0.rc1) lib/action_controller/metal/implicit_render.rb:4:in `send_action'
  actionpack (4.0.0.rc1) lib/abstract_controller/base.rb:189:in `process_action'
  actionpack (4.0.0.rc1) lib/action_controller/metal/rendering.rb:10:in `process_action'
  actionpack (4.0.0.rc1) lib/abstract_controller/callbacks.rb:18:in `block in process_action'
  activesupport (4.0.0.rc1) lib/active_support/callbacks.rb:472:in `_run__1225015835375286806__process_action__callbacks'
  activesupport (4.0.0.rc1) lib/active_support/callbacks.rb:80:in `run_callbacks'
  actionpack (4.0.0.rc1) lib/abstract_controller/callbacks.rb:17:in `process_action'
  actionpack (4.0.0.rc1) lib/action_controller/metal/rescue.rb:29:in `process_action'
  actionpack (4.0.0.rc1) lib/action_controller/metal/instrumentation.rb:31:in `block in process_action'
  activesupport (4.0.0.rc1) lib/active_support/notifications.rb:159:in `block in instrument'
  activesupport (4.0.0.rc1) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
  activesupport (4.0.0.rc1) lib/active_support/notifications.rb:159:in `instrument'
  actionpack (4.0.0.rc1) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
  actionpack (4.0.0.rc1) lib/action_controller/metal/params_wrapper.rb:245:in `process_action'
  actionpack (4.0.0.rc1) lib/abstract_controller/base.rb:136:in `process'
  actionpack (4.0.0.rc1) lib/abstract_controller/rendering.rb:44:in `process'
  actionpack (4.0.0.rc1) lib/action_controller/metal.rb:195:in `dispatch'
  actionpack (4.0.0.rc1) lib/action_controller/metal/rack_delegation.rb:13:in `dispatch'
  actionpack (4.0.0.rc1) lib/action_controller/metal.rb:231:in `block in action'
  devise (3.0.0.rc) lib/devise/failure_app.rb:51:in `recall'
  devise (3.0.0.rc) lib/devise/failure_app.rb:35:in `respond'
  actionpack (4.0.0.rc1) lib/abstract_controller/base.rb:189:in `process_action'
  actionpack (4.0.0.rc1) lib/abstract_controller/base.rb:136:in `process'
  actionpack (4.0.0.rc1) lib/action_controller/metal.rb:195:in `dispatch'
  actionpack (4.0.0.rc1) lib/action_controller/metal/rack_delegation.rb:13:in `dispatch'
  actionpack (4.0.0.rc1) lib/action_controller/metal.rb:231:in `block in action'
  devise (3.0.0.rc) lib/devise/failure_app.rb:20:in `call'
  devise (3.0.0.rc) lib/devise/delegator.rb:5:in `call'
  warden (1.2.1) lib/warden/manager.rb:130:in `call_failure_app'
  warden (1.2.1) lib/warden/manager.rb:116:in `process_unauthenticated'
  warden (1.2.1) lib/warden/manager.rb:47:in `call'
  rack (1.5.2) lib/rack/etag.rb:23:in `call'
  rack (1.5.2) lib/rack/conditionalget.rb:35:in `call'
  rack (1.5.2) lib/rack/head.rb:11:in `call'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/flash.rb:241:in `call'
  rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/cookies.rb:486:in `call'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.0.0.rc1) lib/active_support/callbacks.rb:392:in `_run__1361239119892892277__call__callbacks'
  activesupport (4.0.0.rc1) lib/active_support/callbacks.rb:80:in `run_callbacks'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/reloader.rb:64:in `call'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
  better_errors (0.9.0) lib/better_errors/middleware.rb:84:in `protected_app_call'
  better_errors (0.9.0) lib/better_errors/middleware.rb:79:in `better_errors_call'
  better_errors (0.9.0) lib/better_errors/middleware.rb:56:in `call'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.0.0.rc1) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.0.0.rc1) lib/rails/rack/logger.rb:23:in `call'
  config/initializers/logger_additions.rb:5:in `call_with_quiet_assets'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
  rack (1.5.2) lib/rack/runtime.rb:17:in `call'
  activesupport (4.0.0.rc1) lib/active_support/cache/strategy/local_cache.rb:83:in `call'
  rack (1.5.2) lib/rack/lock.rb:17:in `call'
  actionpack (4.0.0.rc1) lib/action_dispatch/middleware/static.rb:64:in `call'
  railties (4.0.0.rc1) lib/rails/engine.rb:511:in `call'
  railties (4.0.0.rc1) lib/rails/application.rb:96:in `call'
  rack (1.5.2) lib/rack/content_length.rb:14:in `call'
  puma (2.0.1) lib/puma/server.rb:364:in `handle_request'
  puma (2.0.1) lib/puma/server.rb:243:in `process_client'
  puma (2.0.1) lib/puma/server.rb:142:in `block in run'
  puma (2.0.1) lib/puma/thread_pool.rb:92:in `block in spawn_thread'
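
The failure in the backtrace above, reduced to a plain-Ruby model as an added example (not code from Devise, Rails or this pull request): the failed sign-in hands the POST parameters back to the `new` action, whose allow-list rejects `password`. The names `permit` and `render_new`, the two allow-lists and the `admin` key are hypothetical; the two modes mirror the logged "Unpermitted parameters: password" line and the raised exception seen in this thread.

```ruby
# Simplified model of an allow-list parameter filter; not Rails or Devise code.
class UnpermittedParameters < StandardError
  def initialize(keys)
    super("found unpermitted parameters: #{keys.join(', ')}")
  end
end

# Keep only allow-listed keys. In :raise mode any other key aborts the request;
# in :log mode the rejected key names are recorded and the request continues.
def permit(params, allowed, on_unpermitted: :raise, log: [])
  extra = params.keys - allowed
  unless extra.empty?
    raise UnpermittedParameters.new(extra) if on_unpermitted == :raise
    log << "Unpermitted parameters: #{extra.join(', ')}"
  end
  params.select { |key, _| allowed.include?(key) }
end

# Hypothetical allow-lists: authentication key only, and with password added.
AUTH_KEYS_ONLY = ["email"].freeze
WITH_PASSWORD  = ["email", "password"].freeze

# Constructed input: the "user" hash from the failed POST in the log above.
FAILED_LOGIN = { "email" => "person@example.com", "password" => "wrong" }.freeze
# Constructed input: the same hash with an attribute the form never offers.
TAMPERED = FAILED_LOGIN.merge("admin" => "1").freeze

# Models the `new` action being re-run with the parameters of the failed POST.
# Returns [status, payload] so both outcomes can be compared.
def render_new(params, allowed, **opts)
  [200, permit(params, allowed, **opts)]
rescue UnpermittedParameters => e
  [500, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p render_new(FAILED_LOGIN, AUTH_KEYS_ONLY)  # the 500 from the backtrace
  p render_new(FAILED_LOGIN, WITH_PASSWORD)   # form re-renders
  p render_new(TAMPERED, WITH_PASSWORD)       # extra key is still rejected
end
```

Adding `password` to the sign-in allow-list removes the 500 on re-render while every other key stays rejected, which is the property the allow-list exists to protect.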
