I don't think you should be worried about lat and long being outside of the
locations. What is the worst thing that can happen? You have to make a
judgement based on the application requirements.
On Friday, December 13, 2013 7:36:27 PM UTC-8, Derek Chadwell wrote:
>
> I am using the addresspicker jquery to get a user address. The user
> address fields and hidden fields for latitude and longitude are in
> fields_for ":Locations". In order for the jquery callback to fill in my
> latitude and longitude boxes I have to use the ":name=>" tag on the fields.
> When I do this, my form is posted with the latitude and longitude fields
> outside the :Locations structure. As a result, I can't use ".permit()" on
> them and I'm worried that I'm leaving my program vulnerable.
>
> the data structure sent to rails via the POST:
>
> "utf8"=>"✓",
> "authenticity_token"=>"VIp6TnK7UoVEfELzwUhkbdySp/k4NhMtjdlRIWcgVaY=",
> "user"=>{"first_name"=>"firstname",
> "last_name"=>"lastname",
> "email_address"=>"[email protected]",
> "password"=>"[FILTERED]",
> "password_confirmation"=>"[FILTERED]"},
> "Locations"=>{"location"=>"Bugs bunnies Rabbit hole, Albequerque, NM, United States"},
> "lat"=>"39.988052",
> "lng"=>"-28.817452",
> "commit"=>"Creating a user"}
>
> The forms and corresponding javascript:
>
> <div class="span5">
>   <%= form_for @user do |f| %>
>     <legend>Create Your Account</legend>
>     <%= f.label :first_name %>
>     <%= f.text_field :first_name, :placeholder => "First Name" %>
>
>     <%= f.label :last_name %>
>     <%= f.text_field :last_name, :placeholder => "Last Name" %>
>
>     <%= f.label :email_address %>
>     <%= f.text_field :email_address, :placeholder => "[email protected]" %>
>
>     <%= f.label :password %>
>     <%= f.password_field :password, :placeholder => "Minimum six characters" %>
>
>     <%= f.label :password_confirmation, "Confirm Password" %>
>     <%= f.password_field :password_confirmation %>
>
>     <label>
>       Where you would like to find volunteer opportunities
>     </label>
>     <%= fields_for :Locations do |l| %>
>       <%= l.text_field :location, :placeholder => "e.g. 27370 or Archdale, NC", :id => "geocomplete", :class => "ui-autocomplete-input", :autocomplete => "off" %>
>
>       <%= l.text_field :latitude, :name => "lat" %>
>       <%= l.text_field :longitude, :name => "lng" %>
>     <% end %>
>     <br>
>     <%= f.submit "Let's do it!", :class => "btn btn-large btn-success" %>
>   <% end %>
>
> </div>
> </div>
> </div>
>
> <script src="http://maps.googleapis.com/maps/api/js?sensor=false&libraries=places"></script>
> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
> <script src="/assets/jquery.geocomplete.js?body=1"></script>
> <script>
>   $(function(){
>     $("#geocomplete").geocomplete({
>       details: "form",
>       types: ["geocode", "establishment"]
>     });
>   });
> </script>
>
> my controller as it stands now:
>
> class UsersController < ApplicationController
>
>   def create
>     @user = User.new(params[:user].permit(:first_name, :last_name, :password,
>                                           :password_confirmation, :email_address))
>     @user.confirmation = _random_string()
>     @location = @user.Locations.build(params[:Locations].permit(:location))
>     @location.coordinates = [params[:lng], params[:lat]]
>     @location.distance = 50
>
>     if not @user.save
>       flash[:notice] = "user not saved"
>       render "/static_pages/homepage"
>       return
>     end
>
> The javascript is awfully long so I won't post it here, but it can be
> viewed at https://github.com/ubilabs/geocomplete/ . I think all you
> would need to know about it is that it defines attributes for a found
> google address and then fills in fields on a page whose names match the
> attribute names in the jquery. Of those, I am only interested in "lat" and
> "lng" for now.
>
> My question is around the right way to do this. Should I do something to
> force the "lat" and "lng" variables into the Locations hash so I can
> .permit() those keys and keep my program safe? Should I not worry about it
> and soldier on? Is there something inherently wrong with my use of the
> name symbols with the fields_for functionality? A consult is very welcome.
>
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/rubyonrails-talk/f5ffd78b-3b3e-4cc9-8964-df7790e7097a%40googlegroups.com.
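As an added illustration of the point in the reply (example code written for this page, not code from the thread, from the geocomplete project or from Rails): strong parameters only guard mass assignment, i.e. `User.new(hash)`, so values copied by hand such as `params[:lat]` and `params[:lng]` never pass through `permit` and are protected by input validation instead. The block models the `create` action in plain Ruby so it runs without Rails; `permit_keys` is a hypothetical stand-in for `ActionController::Parameters#permit`, and the params hash is constructed to match the shape of the POST in the question.

```ruby
# Added example, not from the thread: why `permit` matters for mass assignment
# but not for explicitly assigned values, and how to validate lat/lng that
# arrive as top-level params.

# Constructed POST params, shaped like the hash in the question.
POSTED_PARAMS = {
  "user" => {
    "first_name" => "firstname",
    "last_name" => "lastname",
    "email_address" => "user@example.com",
    "password" => "secret123",
    "password_confirmation" => "secret123",
    "admin" => "true"            # constructed: a key a client could add but must not mass-assign
  },
  "Locations" => { "location" => "Bugs bunnies Rabbit hole, Albuquerque, NM" },
  "lat" => "39.988052",
  "lng" => "-28.817452",
  "commit" => "Creating a user"
}.freeze

# Hypothetical stand-in for ActionController::Parameters#permit: keep only
# the whitelisted keys of a nested hash before it reaches Model.new.
def permit_keys(hash, allowed)
  (hash || {}).select { |key, _| allowed.include?(key) }
end

# Coordinates are assigned explicitly, so `permit` never sees them; what
# matters is that each string is numeric and inside the valid range.
LAT_RANGE = (-90.0..90.0)
LNG_RANGE = (-180.0..180.0)
COORD_PATTERN = /\A-?\d+(\.\d+)?\z/   # plain decimal only; rejects "1e3", "NaN", "0x1"

def parse_coordinate(value, range)
  return nil unless value.is_a?(String) && value.match?(COORD_PATTERN)
  number = Float(value)
  range.cover?(number) ? number : nil
end

# Returns [lng, lat] as floats (the order used in the question), or nil when
# either value is missing, non-numeric or out of range.
def coordinates_from(params)
  lat = parse_coordinate(params["lat"], LAT_RANGE)
  lng = parse_coordinate(params["lng"], LNG_RANGE)
  return nil if lat.nil? || lng.nil?
  [lng, lat]
end

# Models the controller's create action without ActiveRecord: mass-assigned
# hashes go through the whitelist, coordinates go through validation.
def build_user(params)
  user = permit_keys(params["user"],
                     %w[first_name last_name email_address password password_confirmation])
  location = permit_keys(params["Locations"], %w[location])
  coords = coordinates_from(params)
  { user: user,
    location: location.merge("coordinates" => coords, "distance" => 50) }
end

if __FILE__ == $0
  p build_user(POSTED_PARAMS)
end
```

Running the file prints the filtered structures: the extra `admin` key is dropped by the whitelist, while a latitude of `91` or a value like `1e3` yields `nil` coordinates instead of being stored. If nesting is preferred, naming the inputs `Locations[lat]` and `Locations[lng]` makes Rack parse them under `params[:Locations]`, where they can be listed in `permit` next to `:location`; the range check is still needed either way.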