Saturday, December 14, 2013

[Rails] Re: rails form_for + address picker jquery creates odd parameter format for post

I don't think you should be worried about lat and long being outside of the locations. What is the worst thing that can happen? You have to make a judgement based on the application requirements.

On Friday, December 13, 2013 7:36:27 PM UTC-8, Derek Chadwell wrote:
I am using the addresspicker jquery to get a user address.  The user address fields and hidden fields for latitude and longitude are in fields_for ":Locations".  In order for the jquery callback to fill in my latitude and longitude boxes I have to use the ":name=>" tag on the fields.  When I do this, my form is posted with the latitude and longitude fields outside the :Locations structure.  As a result, I can't use ".permit()" on them and I'm worried that I'm leaving my program vulnerable.

the data structure sent to rails via the POST:

"utf8"=>"✓",
"authenticity_token"=>"VIp6TnK7UoVEfELzwUhkbdySp/k4NhMtjdlRIWcgVaY=",
"user"=>{"first_name"=>"firstname",
         "last_name"=>"lastname",
         "email_address"=>"fi...@last.com",
         "password"=>"[FILTERED]",
         "password_confirmation"=>"[FILTERED]"},
"Locations"=>{"location"=>"Bugs bunnies Rabbit hole, Albequerque, NM, United States"},
"lat"=>"39.988052",
"lng"=>"-28.817452",
"commit"=>"Creating a user"}



The forms and corresponding javascript:

  <div class="span5">
    <%= form_for @user do |f| %>
      <legend>Create Your Account</legend>
      <%= f.label :first_name %>
      <%= f.text_field :first_name, :placeholder => "First Name" %>

      <%= f.label :last_name %>
      <%= f.text_field :last_name, :placeholder => "Last Name" %>

      <%= f.label :email_address %>
      <%= f.text_field :email_address, :placeholder => "you@location.domain" %>

      <%= f.label :password %>
      <%= f.password_field :password, :placeholder => "Minimum six characters" %>

      <%= f.label :password_confirmation, "Confirm Password" %>
      <%= f.password_field :password_confirmation %>

      <label>
        Where you would like to find volunteer opportunities
      </label>
      <%= fields_for :Locations do |l| %>
        <%= l.text_field :location, :placeholder => "e.g. 27370 or Archdale, NC", :id => "geocomplete", :class => "ui-autocomplete-input", :autocomplete => "off" %>

        <%= l.text_field :latitude,  :name => "lat" %>
        <%= l.text_field :longitude, :name => "lng" %>
      <% end %>
      <br>
      <%= f.submit "Let's do it!", :class => "btn btn-large btn-success" %>
    <% end %>

  </div>
  </div>
</div>

<script src="/assets/jquery.geocomplete.js?body=1"></script>
  <script>
    $(function(){
      $("#geocomplete").geocomplete({
        details: "form",
        types: ["geocode", "establishment"]
      });

    });
  </script>


my controller as it stands now:

class UsersController < ApplicationController

  def create
    # Only the listed user attributes are allowed through to User.new.
    @user = User.new(params[:user].permit(:first_name, :last_name, :password,
                                          :password_confirmation, :email_address))
    @user.confirmation = _random_string()
    @location = @user.Locations.build(params[:Locations].permit(:location))
    # lat and lng arrive as top-level params, outside :Locations, and are
    # assigned exactly as posted.
    @location.coordinates = [params[:lng], params[:lat]]
    @location.distance = 50

    unless @user.save
      flash[:notice] = "user not saved"
      render "/static_pages/homepage"
      return
    end
    # (the rest of the action is not shown in the post)
  end
end

The javascript is awfully long so I won't post it here, but it can be viewed at https://github.com/ubilabs/geocomplete/ .  I think all you would need to know about it is that it defines attributes for a found google address and then fills in fields on a page whose names match the attribute names in the jquery.  Of those, I am only interested in "lat" and "lng" for now.

My question is around the right way to do this.  Should I do something to force the "lat" and "lng" variables into the Locations hash so I can .permit() those keys and keep my program safe?  Should I not worry about it and soldier on?  Is there something inherently wrong with my use of the name symbols with the fields_for functionality?  A consult is very welcome.




To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/f5ffd78b-3b3e-4cc9-8964-df7790e7097a%40googlegroups.com.
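
An added example, not part of the original thread and not code from Rails or geocomplete: the controller above assigns the top-level "lat" and "lng" values one at a time, so the check that matters for them is that each is a single in-range number before it is stored. The helper names and the sample request hashes are assumptions made for this example.

```ruby
# Added example in plain Ruby (no Rails required). Helper names are
# hypothetical; the sample hashes are constructed from the post's param dump.

LAT_RANGE = (-90.0..90.0)
LNG_RANGE = (-180.0..180.0)
# Plain decimal degrees only: no exponent, hex, whitespace or trailing text.
DEGREES = /\A-?\d{1,3}(?:\.\d{1,15})?\z/

# Turn one raw request value into a Float inside `range`, or nil.
# A query such as "lat[]=1" or "lat[a]=1" is parsed into an Array or Hash,
# so anything that is not a String is rejected before conversion.
def coerce_degrees(raw, range)
  return nil unless raw.is_a?(String) && raw.match?(DEGREES)
  value = raw.to_f
  range.cover?(value) ? value : nil
end

# Returns [lng, lat], the order the controller in the post stores, or nil.
def parse_coordinates(params)
  lat = coerce_degrees(params["lat"], LAT_RANGE)
  lng = coerce_degrees(params["lng"], LNG_RANGE)
  lat && lng ? [lng, lat] : nil
end

# Attributes for the location record: the one permitted string from the
# "Locations" hash plus validated coordinates. nil means "reject the request".
def location_attributes(params)
  coords = parse_coordinates(params)
  nested = params["Locations"]
  name = nested.is_a?(Hash) ? nested["location"] : nil
  return nil unless coords && name.is_a?(String)
  { "location" => name, "coordinates" => coords, "distance" => 50 }
end

# Constructed sample requests, shaped like the parameter dump in the post.
GOOD = { "Locations" => { "location" => "Archdale, NC" },
         "lat" => "39.988052", "lng" => "-28.817452" }
ARRAY_LAT = GOOD.merge("lat" => ["39.988052"])    # as sent by "lat[]=39.988052"
OUT_OF_RANGE = GOOD.merge("lat" => "239.988052")  # not a valid latitude
TRAILING_TEXT = GOOD.merge("lng" => "-28.817452abc")

if __FILE__ == $PROGRAM_NAME
  [GOOD, ARRAY_LAT, OUT_OF_RANGE, TRAILING_TEXT].each do |request|
    p location_attributes(request)
  end
end
```

In a Rails controller the same check would run on `params[:lat]` and `params[:lng]` before `@location.coordinates` is set, with a nil result treated as a failed validation.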