I am using the addresspicker jquery to get a user address.  The user 
address fields and hidden fields for latitude and longitude are in 
fields_for ":Locations".  In order for the jquery callback to fill in my 
latitude and longitude boxes I have to use the ":name=>" tag on the fields. 
 When I do this, my form is posted with the latitude and longitude fields 
outside the :Locations structure.  As a result, I can't use ".permit()" on 
them and I'm worried that I'm leaving my program vulnerable.

The data structure sent to Rails via the POST:

{"utf8"=>"✓",
 "authenticity_token"=>"VIp6TnK7UoVEfELzwUhkbdySp/k4NhMtjdlRIWcgVaY=",
 "user"=>{"first_name"=>"firstname",
  "last_name"=>"lastname",
  "email_address"=>"[email protected]",
  "password"=>"[FILTERED]",
  "password_confirmation"=>"[FILTERED]"},
 "Locations"=>{"location"=>"Bugs bunnies Rabbit hole, Albequerque, NM, United States"},
 "lat"=>"39.988052",
 "lng"=>"-28.817452",
 "commit"=>"Creating a user"}

The form and corresponding JavaScript:

    <div class="span5">
      <%= form_for @user do |f| %>
        <legend>Create Your Account</legend>
        <%= f.label :first_name %>
        <%= f.text_field :first_name, :placeholder => "First Name" %>

        <%= f.label :last_name %>
        <%= f.text_field :last_name, :placeholder => "Last Name" %>

        <%= f.label :email_address %>
        <%= f.text_field :email_address, :placeholder => "[email protected]" %>

        <%= f.label :password %>
        <%= f.password_field :password, :placeholder => "Minimum six characters" %>

        <%= f.label :password_confirmation, "Confirm Password" %>
        <%= f.password_field :password_confirmation %>

        <label>
          Where you would like to find volunteer opportunities
        </label>
        <%= fields_for :Locations do |l| %>
          <%= l.text_field :location, :placeholder => "e.g. 27370 or Archdale, NC", :id => "geocomplete", :class => "ui-autocomplete-input", :autocomplete => "off" %>

          <%# :name replaces the generated "Locations[latitude]" / "Locations[longitude]" names so geocomplete can find the fields; this is why lat/lng are posted at the top level %>
          <%= l.text_field :latitude,  :name => "lat" %>
          <%= l.text_field :longitude, :name => "lng" %>
        <% end %>
        <br>
        <%= f.submit "Let's do it!", :class => "btn btn-large btn-success" %>
      <% end %>

    </div>
    </div>
  </div>

  <script src="http://maps.googleapis.com/maps/api/js?sensor=false&amp;libraries=places"></script>
  <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
  <script src="/assets/jquery.geocomplete.js?body=1"></script>
    <script>
      $(function(){
        // details: "form" makes geocomplete fill in form fields whose names match
        // the attributes of the selected place (e.g. "lat", "lng")
        $("#geocomplete").geocomplete({
          details: "form",
          types: ["geocode", "establishment"]
        });
      });
    </script>


My controller as it stands now:

class UsersController < ApplicationController

  def create
    @user = User.new(params[:user].permit(:first_name, :last_name, :password,
                                          :password_confirmation, :email_address))
    @user.confirmation = _random_string()
    @location = @user.Locations.build(params[:Locations].permit(:location))
    # lat/lng arrive at the top level of params, outside the permitted Locations hash
    @location.coordinates = [params[:lng], params[:lat]]
    @location.distance = 50

    unless @user.save
      flash[:notice] = "user not saved"
      render "/static_pages/homepage"
      return
    end
    # remainder of the action not included in the original message
  end
end

The javascript is awfully long so I won't post it here, but it can be 
viewed at https://github.com/ubilabs/geocomplete/ .  I think all you would 
need to know about it is that it defines attributes for a found google 
address and then fills in fields on a page whose names match the attribute 
names in the jquery.  Of those, I am only interested in "lat" and "lng" for 
now.

My question is around the right way to do this.  Should I do something to 
force the "lat" and "lng" variables into the Locations hash so I can 
.permit() those keys and keep my program safe?  Should I not worry about it 
and soldier on?  Is there something inherently wrong with my use of the 
name symbols with the fields_for functionality?  A consult is very welcome.

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/rubyonrails-talk/c548aa3e-c7b1-4c32-b718-f342f7cb56a3%40googlegroups.com.
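One way to handle the top-level "lat"/"lng" values that geocomplete posts outside the Locations hash, as an added example that is not part of the original message: whitelist only those two keys and validate them as finite numbers in range before building the coordinate pair. It is plain Ruby standing in for the controller so it runs without Rails; in a real controller the equivalent whitelist is `params.permit(:lat, :lng)` alongside `params.require(:Locations).permit(:location)`, and the sample params below are constructed from the POST shown above.

```ruby
# Added example, not the poster's code: whitelist and validate the top-level
# "lat"/"lng" parameters before they are used for @location.coordinates.

class InvalidCoordinates < StandardError; end

# Keep only the top-level keys we intend to read; everything else posted at
# the top level ("commit", "authenticity_token", ...) is ignored.
def permitted_coordinate_params(params)
  params.select { |key, _| %w[lat lng].include?(key) }
end

# Coerce a posted string to a Float within [min, max]. Rejects blanks,
# non-numeric text, and out-of-range or non-finite values (e.g. "1e400").
def coordinate_value(raw, min, max)
  raise InvalidCoordinates, "missing" if raw.nil? || raw.to_s.strip.empty?
  value = Float(raw.to_s.strip, exception: false)
  raise InvalidCoordinates, "not numeric: #{raw.inspect}" if value.nil?
  unless value.finite? && value.between?(min, max)
    raise InvalidCoordinates, "out of range: #{value}"
  end
  value
end

# Build the [lng, lat] pair in the order the controller assigns it.
def build_coordinates(params)
  allowed = permitted_coordinate_params(params)
  lat = coordinate_value(allowed["lat"], -90.0, 90.0)
  lng = coordinate_value(allowed["lng"], -180.0, 180.0)
  [lng, lat]
end

# Constructed sample mirroring the POST from the question.
SAMPLE_PARAMS = {
  "user" => { "first_name" => "firstname", "last_name" => "lastname" },
  "Locations" => { "location" => "Bugs bunnies Rabbit hole, Albequerque, NM, United States" },
  "lat" => "39.988052",
  "lng" => "-28.817452",
  "commit" => "Creating a user"
}

if __FILE__ == $0
  p build_coordinates(SAMPLE_PARAMS)   # => [-28.817452, 39.988052]
end
```

Note that `params[:lat]` assigned explicitly to one attribute is not mass assignment, so strong parameters will not raise on it; the value check above is what guards against junk reaching the coordinates column.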