Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Nested attributes unpermitted parameters

Tags:

ruby-on-rails

ruby-on-rails-4

Seems there is a change in handling of attribute protection and now you must whitelist params in the controller (instead of attr_accessible in the model) because the former optional gem strong_parameters became part of the Rails Core.

This should look something like this:

class PeopleController < ActionController::Base
  def create
    Person.create(person_params)
  end

private
  def person_params
    params.require(:person).permit(:name, :age)
  end
end

So params.require(:model).permit(:fields) would be used

and for nested attributes something like 

params.require(:person).permit(:name, :age, pets_attributes: [:id, :name, :category])

Some more details can be found in the Ruby edge API docs and strong_parameters on github or here


From the docs

To whitelist an entire hash of parameters, the permit! method can be used

params.require(:log_entry).permit!

Nested attributes are in the form of a hash. In my app, I have a Question.rb model accept nested attributes for an Answer.rb model (where the user creates answer choices for a question he creates). In the questions_controller, I do this

  def question_params

      params.require(:question).permit!

  end

Everything in the question hash is permitted, including the nested answer attributes. This also works if the nested attributes are in the form of an array.

Having said that, I wonder if there's a security concern with this approach because it basically permits anything that's inside the hash without specifying exactly what it is, which seems contrary to the purpose of strong parameters.


or you can simply use 

def question_params

  params.require(:question).permit(team_ids: [])

end

Actually there is a way to just white-list all nested parameters.

params.require(:widget).permit(:name, :description).tap do |whitelisted|
  whitelisted[:position] = params[:widget][:position]
  whitelisted[:properties] = params[:widget][:properties]
end

This method has advantage over other solutions. It allows to permit deep-nested parameters.

While other solutions like: 

params.require(:person).permit(:name, :age, pets_attributes: [:id, :name, :category])

Don't.

Source:

https://github.com/rails/rails/issues/9454#issuecomment-14167664

Related questions

Change from SQLite to PostgreSQL in a fresh Rails project
How to create has_and_belongs_to_many associations in Factory girl
What is the best way to clear a session variable in rails?
RSpec: how to test if a method was called?
Block comments in html.erb templates in rails
How can I see the SQL that will be generated by a given ActiveRecord query in Ruby on Rails
Why escape_javascript before rendering a partial?
Can not connect to local PostgreSQL
Rails: Why does find(id) raise an exception in rails? [duplicate]
Rspec, Rails: how to test private methods of controllers?
How to run Rails console in the test environment and load test_helper.rb?
ActiveRecord: List columns in table from console
Convert duration to hours:minutes:seconds (or similar) in Rails 3 or Ruby
rails - Devise - Handling - devise_error_messages
How to load db:seed data into test database automatically?
Can you do greater than comparison on a date in a Rails 3 search?
Build vs new in Rails 3
You have already activated rake 0.9.0, but your Gemfile requires rake 0.8.7
What does rake db:test:prepare actually do?
In Rails, how do you render JSON using a view?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!