Tags: ruby-on-rails, ruby, session, ruby-on-rails-7

Rails: Unpermitted parameters: :authenticity_token, :order, :commit. after upgrade


I am upgrading a functional app from Ruby 1.8.7 Rails 3 to Ruby 3 Rails 7: quite a journey and I am almost finished. But I have an order process which is not running after the upgrade and is difficult for me to debug. The order process consists of a multistep form, rendered through partials and a create function in my Order controller.

In the first step of the multistep form you have to input the shipping details. When trying to get to the next step, I get the following error message in the server log: Unpermitted parameters: :authenticity_token, :order, :commit. Context: ... etc., and a note that all validations have failed is rendered on my website.

Started POST "/orders" for ::1 at 2022-02-22 17:24:01 +0100
Processing by OrdersController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "order"=>{"email"=>"name@example.com", "phone_number"=>"1234567", "ship_to_first_name"=>"John", "ship_to_last_name"=>"Doe", "ship_to_address"=>"Pennsylvania Avenue 12", "ship_to_city"=>"Houston", "ship_to_postal_code"=>"12345", "land_id"=>"112", "shipping_service_id"=>"50"}, "commit"=>"Continue"}
  Cart Load (0.3ms)  SELECT `carts`.* FROM `carts` WHERE `carts`.`id` = 4 LIMIT 1
  ↳ app/controllers/application_controller.rb:66:in `initialize_cart'
Unpermitted parameters: :authenticity_token, :order, :commit. Context: {controller: OrdersController, action: create, request: #<ActionDispatch::Request:0x00007fee489e8e30>, params: {"authenticity_token"=>"[FILTERED]", "order"=>{"email"=>"name@example.com", "phone_number"=>"1234567", "ship_to_first_name"=>"John", "ship_to_last_name"=>"Doe", "ship_to_address"=>"Pennsylvania Avenue 12", "ship_to_city"=>"Houston", "ship_to_postal_code"=>"12345", "land_id"=>"112", "shipping_service_id"=>"50"}, "commit"=>"Continue", "controller"=>"orders", "action"=>"create"} }
  CartItem Load (0.4ms)  SELECT `cart_items`.* FROM `cart_items` WHERE `cart_items`.`cart_id` = 4
  ↳ app/models/cart.rb:86:in `inject'
  ....

This is the same process in the old app.

Started POST "/orders" for 127.0.0.1 at Tue Feb 22 10:02:12 +0100 2022
Processing by OrdersController#create as HTML
  Parameters: {"authenticity_token"=>"sometoken", "order"=>{"email"=>"name@example.com", "ship_to_first_name"=>"John", "ship_to_address"=>"Pennsylvania Avenue 12", "ship_to_city"=>"Houston", "land_id"=>"112", "ship_to_last_name"=>"Doe", "ship_to_postal_code"=>"12345", "phone_number"=>"1234567", "shipping_service_id"=>"1"}, "commit"=>"Continue", "utf8"=>"✓"}
  Cart Load (0.3ms)  SELECT `carts`.* FROM `carts` WHERE `carts`.`id` = ? LIMIT 1  [["id", 6255]]
  CartItem Load (0.8ms)  SELECT `cart_items`.* FROM `cart_items` WHERE `cart_items`.`cart_id` = 6255
  ActiveShippingHub Load (0.3ms)  SELECT `active_shipping_hubs`.* FROM `active_shipping_hubs` LIMIT 1
   (0.5ms)  SELECT MAX(`cart_items`.`length`) AS max_id FROM `cart_items` WHERE `cart_items`.`cart_id` = 6255
   (0.5ms)  SELECT MAX(`cart_items`.`width`) AS max_id FROM `cart_items` WHERE `cart_items`.`cart_id` = 6255
  Rendered shared/_error_messages.html.erb (0.1ms)
  Land Load (0.6ms)  SELECT `lands`.* FROM `lands` WHERE `lands`.`id` = 112 LIMIT 1
  ShippingService Load (0.5ms)  SELECT `shipping_services`.* FROM `shipping_services` WHERE `shipping_services`.`id` = 1 LIMIT 1
  ProductVariant Load (0.3ms)  SELECT `product_variants`.* FROM `product_variants` WHERE `product_variants`.`id` = 14 LIMIT 1
  Image Load (0.3ms)  SELECT `images`.* FROM `images` WHERE `images`.`id` = 174 LIMIT 1
  Rendered orders/_paymentoptions_step.html.erb (10.6ms)
  Rendered orders/new.html.erb within layouts/application (14.0ms)
  Rendered layouts/_header.html.erb (0.1ms)
  Rendered layouts/_footer.html.erb (0.5ms)
Completed 200 OK in 68ms (Views: 20.9ms | ActiveRecord: 26.9ms)

My Order create action starts with:

  def create
    # merge this step's permitted fields into the order data kept in the session
    session[:order_params].deep_merge!(order_params) if params[:order]
    # build the (still unsaved) order from everything collected so far
    @order = Order.new(session[:order_params])
    @shipping_services = @cart.available_shipping_services.joins(:lands).where(lands: {id: @order.land_id})
    @order.customer_ip = request.remote_ip
    populate_order
    @order.current_step = session[:order_step]
    ...

I have set the order_params in the same controller as strong params:

...
  private

  def order_params
    params.permit(:bill_to_address, :bill_to_city, :bill_to_first_name, :bill_to_last_name, :bill_to_land, :bill_to_land_id, :bill_to_postal_code, :date_payment_reminder, :email, :EULA, :express_token, :land_id, :payment, :date_payment_reminder, :phone_number, :signupnewsletter, :ship_to_address, :ship_to_city, :ship_to_first_name, :ship_to_last_name, :ship_to_postal_code, :shipping_service, :shipping_service_id, :shipping_date, :tracking_number, :order_status, :order_status_id, :stripe_card_token, :TOS)
  end
end

I am not sure why I get this error. Is it the use of strong_parameters in newer versions of Rails, or the way associations are now verified?

When I turn off all validations in my Order model, I still get the same message in my logs, but get the message that there were problems with the shipping_land, shipping_service and bill_to_land fields: three associations of my Order model.

The associations are set in my Order model as follows:

  # Associations
  belongs_to :bill_to_land, class_name: "Land", foreign_key: :bill_to_land_id
  belongs_to :land, foreign_key: :land_id
  belongs_to :order_status
  belongs_to :shipping_service

The multistep form is set in orders/new.html.erb:

<%= form_for @order do |f| %>
  <%= render "#{@order.current_step}_step", :f => f %>
  <%= f.submit "Continue" unless @order.payment_options_step? || @order.billing_step? || @order.creditcard_options_step? || @order.last_step? %>
<% end %>

In the multistep form I only gather data and kick this data between steps in the session. The order entry is created only after the final submit.

Why do I get this error message? How can I debug the order session? What data has been written to it...

I hope someone can put me into the right direction.


Solution

  private

  # require(:order) scopes the whitelist to the nested "order" hash; without it
  # permit runs against the top-level keys and nothing from the form gets through
  def order_params
    params.require(:order).permit(:bill_to_address, :bill_to_city, :bill_to_first_name, :bill_to_last_name, :bill_to_land,
                                  :bill_to_land_id, :bill_to_postal_code, :date_payment_reminder, :email, :EULA, :express_token,
                                  :land_id, :payment, :date_payment_reminder, :phone_number, :signupnewsletter, :ship_to_address,
                                  :ship_to_city, :ship_to_first_name, :ship_to_last_name, :ship_to_postal_code, :shipping_service,
                                  :shipping_service_id, :shipping_date, :tracking_number, :order_status, :order_status_id,
                                  :stripe_card_token, :TOS)
  end
end
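An added illustration (not the asker's code and not Rails' implementation) of why the question's top-level `permit` returns nothing while the solution's `require(:order).permit` keeps the shipping fields. `StrongParams` is a constructed stand-in for `ActionController::Parameters` with only the behaviour at issue, and `REQUEST` is a constructed copy of the POST shown in the question's log.

```ruby
# Constructed stand-in for ActionController::Parameters (not Rails' code) that keeps
# only the behaviour the question turns on: `permit` whitelists scalar keys at the
# level it is called on, and `require` descends into a nested hash first.
class StrongParams
  SCALARS = [String, Symbol, Integer, Float, TrueClass, FalseClass, NilClass].freeze
  attr_reader :log
  def initialize(hash, log = [])
    @hash = hash.transform_keys(&:to_s)
    @log  = log
  end
  # Rails raises ActionController::ParameterMissing here (rendered as HTTP 400).
  def require(key)
    value = @hash[key.to_s]
    raise KeyError, "param is missing or the value is empty: #{key}" unless value.is_a?(Hash) && !value.empty?
    StrongParams.new(value, @log)
  end
  # Listed keys with scalar values pass; the rest are reported the way the Rails
  # log does ("Unpermitted parameters: :a, :b.").
  def permit(*keys)
    allowed = keys.map(&:to_s)
    kept = @hash.select { |k, v| allowed.include?(k) && SCALARS.any? { |t| v.is_a?(t) } }
    rejected = @hash.keys - kept.keys
    @log << "Unpermitted parameters: #{rejected.map { |k| ":#{k}" }.join(', ')}." unless rejected.empty?
    kept
  end
end

PERMITTED = %i[email phone_number ship_to_first_name ship_to_last_name ship_to_address
               ship_to_city ship_to_postal_code land_id shipping_service_id].freeze

# Constructed copy of the POST /orders request from the question's log.
REQUEST = {
  "authenticity_token" => "[FILTERED]",
  "order" => { "email" => "name@example.com", "phone_number" => "1234567", "ship_to_first_name" => "John",
               "ship_to_last_name" => "Doe", "ship_to_address" => "Pennsylvania Avenue 12", "ship_to_city" => "Houston",
               "ship_to_postal_code" => "12345", "land_id" => "112", "shipping_service_id" => "50" },
  "commit" => "Continue"
}.freeze

# The question's version: permit at the top level, where only the CSRF token, the nested
# "order" hash and the submit button live, so nothing is kept and Order.new gets no land_id.
def order_params_before(request)
  params = StrongParams.new(request)
  [params.permit(*PERMITTED), params.log]
end
# The solution's version: scope to the "order" hash before permitting.
def order_params_after(request)
  params = StrongParams.new(request)
  [params.require(:order).permit(*PERMITTED), params.log]
end
```

With an empty result the session merge is a no-op and Order.new sees neither land_id nor shipping_service_id, which is why the belongs_to associations (required by default since Rails 5) are the fields reported as failing even with the model's own validations switched off.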