Red Hat 3scale API Management / THREESCALE-11240

"Can't mass-assign protected attributes for User" warnings in system-provider logs


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • 2.14.0 GA
    • System

      When modifying a user (creating a new user, changing the password, etc.), warnings similar to the following appear in the system-provider logs.

      Changing admin user password

      Logging into the Admin Portal, navigating to Account Settings -> Personal -> Personal Details and changing the password causes the following warning:

      [7a6784b2-950b-4464-be2c-5304e3216be1] [3scale-admin.apps-crc.testing] [10.217.0.2] Started PATCH "/p/admin/user/personal_details" for 10.217.0.2 at 2024-08-07 01:54:11 +0000
      [7a6784b2-950b-4464-be2c-5304e3216be1] [3scale-admin.apps-crc.testing] [10.217.0.2] Processing by Provider::Admin::User::PersonalDetailsController#update as HTML
      [7a6784b2-950b-4464-be2c-5304e3216be1] [3scale-admin.apps-crc.testing] [10.217.0.2]   Parameters: {"authenticity_token"=>"[FILTERED]", "origin"=>"", "user"=>{"username"=>"admin", "email"=>"admin@3scale.apps-crc.testing", "password"=>"[FILTERED]", "current_password"=>"[FILTERED]"}, "button"=>""}
      [7a6784b2-950b-4464-be2c-5304e3216be1] [3scale-admin.apps-crc.testing] [10.217.0.2] WARNING: Can't mass-assign protected attributes for User: current_password
          app/lib/fields/fields.rb:138:in `assign_attributes'
          lib/deadlock_retry.rb:52:in `transaction'
          app/controllers/provider/admin/user/personal_details_controller.rb:8:in `update'
          lib/three_scale/middleware/multitenant.rb:113:in `_call'
          lib/three_scale/middleware/multitenant.rb:108:in `call'
          lib/three_scale/middleware/cors.rb:21:in `call'
      

      Changing password through API

      Performing a PUT request against /admin/api/users/<user id>.xml with a new password causes the following warning:

      [bafed062-009d-404e-9ae6-eef085279d80] [3scale-admin.apps-crc.testing] [10.217.0.2] Started PUT "/admin/api/users/2.xml" for 10.217.0.2 at 2024-08-13 05:13:36 +0000
      [bafed062-009d-404e-9ae6-eef085279d80] [3scale-admin.apps-crc.testing] [10.217.0.2] Processing by Admin::Api::UsersController#update as XML
      [bafed062-009d-404e-9ae6-eef085279d80] [3scale-admin.apps-crc.testing] [10.217.0.2]   Parameters: {"access_token"=>"[FILTERED]", "password"=>"[FILTERED]", "id"=>"2", "user"=>{"password"=>"[FILTERED]"}}
      [bafed062-009d-404e-9ae6-eef085279d80] [3scale-admin.apps-crc.testing] [10.217.0.2] PermissionEnforcer: level = rw
      [bafed062-009d-404e-9ae6-eef085279d80] [3scale-admin.apps-crc.testing] [10.217.0.2] WARNING: Can't mass-assign protected attributes for User: id
              app/lib/fields/fields.rb:138:in `assign_attributes'
              app/lib/fields/extra_fields.rb:79:in `assign_unflattened_attributes'
              app/lib/fields/extra_fields.rb:74:in `update_with_flattened_attributes'
              app/controllers/admin/api/users_controller.rb:42:in `update'
              app/lib/api_authentication/by_access_token.rb:162:in `enforce'
              app/lib/api_authentication/by_access_token.rb:112:in `enforce_access_token_permission'
              app/controllers/admin/api/base_controller.rb:42:in `block in notification_center'
              lib/notification_center.rb:30:in `silent_about'
              app/controllers/application_controller.rb:147:in `silent_about'
              app/controllers/admin/api/base_controller.rb:41:in `notification_center'
              lib/three_scale/middleware/multitenant.rb:113:in `_call'
              lib/three_scale/middleware/multitenant.rb:108:in `call'
              lib/three_scale/middleware/cors.rb:21:in `call'
      

      Registering a new user

      Logging into the Admin Portal, navigating to Audience -> Create, and creating a new account causes the following warning:

      [96ac8826-c358-4b62-a6ff-d4a849fc5646] [3scale-admin.apps-crc.testing] [10.217.0.2] Started GET "/buyers/accounts/new" for 10.217.0.2 at 2024-08-07 01:54:46 +0000
      [96ac8826-c358-4b62-a6ff-d4a849fc5646] [3scale-admin.apps-crc.testing] [10.217.0.2] Processing by Buyers::AccountsController#new as HTML
      [96ac8826-c358-4b62-a6ff-d4a849fc5646] [3scale-admin.apps-crc.testing] [10.217.0.2] WARNING: Can't mass-assign protected attributes for User: role
          app/lib/fields/fields.rb:138:in `assign_attributes'
          config/initializers/state_machines_protected_attributes.rb:9:in `initialize'
          app/lib/fields/fields.rb:119:in `initialize'
          app/lib/fields/extensions.rb:9:in `build_with_fields'
          app/controllers/buyers/accounts_controller.rb:30:in `new'
          lib/three_scale/middleware/multitenant.rb:113:in `_call'
          lib/three_scale/middleware/multitenant.rb:108:in `call'
          lib/three_scale/middleware/cors.rb:21:in `call'
      

      The warnings seem similar to the one mentioned in THREESCALE-9437, but the attribute will change depending on the operation (current_password when changing password, role when registering a new user, id when changing the password via API).

      The warning does not seem to affect the operation of 3scale.

      From the comment below, we see that these warnings can be safely ignored. They occur because the UI is sending parameters to the controller that are not on the "permitted" list.

      It would be nice to not "warn" the user about this case.

              Assignee: Unassigned
              Reporter: Ian Walker (rhn-support-iwalker)
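Added example, not part of the issue or of 3scale's code: a log triage script that ties each "Can't mass-assign protected attributes" warning to its controller action through the request id, and separates the three attributes named in this report from any other dropped attribute. The `EXPECTED` allow-list, the comma-separated attribute handling, and the second sample request (its id and the `state` attribute) are assumptions constructed for illustration.

```ruby
# Added example (not 3scale code): group mass-assignment warnings by controller action.
LINE       = /\A\s*\[(?<rid>[0-9a-f-]{36})\]\s+\[[^\]]*\]\s+\[[^\]]*\]\s+(?<msg>.*)\z/
PROCESSING = /\AProcessing by (?<action>\S+) as /
WARNING    = /\AWARNING: Can't mass-assign protected attributes for (?<model>[\w:]+): (?<attrs>.+)\z/

# Assumption: the three attributes named in this report are known noise.
EXPECTED = { "User" => %w[current_password id role] }.freeze

# Constructed sample in the log format shown in the report; the second request
# id and the "state" attribute are made up for illustration.
SAMPLE = <<~'LOG'
  [7a6784b2-950b-4464-be2c-5304e3216be1] [3scale-admin.apps-crc.testing] [10.217.0.2] Processing by Provider::Admin::User::PersonalDetailsController#update as HTML
  [7a6784b2-950b-4464-be2c-5304e3216be1] [3scale-admin.apps-crc.testing] [10.217.0.2] WARNING: Can't mass-assign protected attributes for User: current_password
      app/lib/fields/fields.rb:138:in `assign_attributes'
  [00000000-0000-4000-8000-000000000001] [3scale-admin.apps-crc.testing] [10.217.0.2] Processing by Admin::Api::UsersController#update as XML
  [00000000-0000-4000-8000-000000000001] [3scale-admin.apps-crc.testing] [10.217.0.2] WARNING: Can't mass-assign protected attributes for User: id, state
LOG

# Returns { "Controller#action" => [{ model:, attribute:, expected: }, ...] }.
def summarize(log)
  actions  = {}                              # request id -> controller#action
  findings = Hash.new { |h, k| h[k] = [] }
  log.each_line do |raw|
    m = LINE.match(raw.chomp) or next        # stack-trace lines carry no request id
    if (pr = PROCESSING.match(m[:msg]))
      actions[m[:rid]] = pr[:action]
    elsif (w = WARNING.match(m[:msg]))
      w[:attrs].split(/,\s*/).each do |attr|
        findings[actions.fetch(m[:rid], "unknown")] <<
          { model: w[:model], attribute: attr,
            expected: EXPECTED.fetch(w[:model], []).include?(attr) }
      end
    end
  end
  findings
end

# Dropped attributes outside the allow-list, as [action, model, attribute] triples.
def unexpected(log)
  summarize(log).flat_map do |action, rows|
    rows.reject { |r| r[:expected] }.map { |r| [action, r[:model], r[:attribute]] }
  end
end

if __FILE__ == $PROGRAM_NAME
  summarize(SAMPLE).each { |a, rows| puts "#{a}: #{rows.map { |r| r[:attribute] }.join(', ')}" }
  unexpected(SAMPLE).each { |a, model, attr| puts "REVIEW #{model}.#{attr} via #{a}" }
end
```

Anything reported by `unexpected` is a parameter the model refused to assign that the report does not account for, which is the case worth checking before filtering these warnings out of the logs.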