Should we use strong params when we update only one attribute?

I'm working on a Rails app and I have several actions (#delete_later, #ban_later and so on) where I only set one attribute from the request parameter (specifically, a reason field for doing that action).

I was wondering if it is ok to do it like this:

def ban_later
  @object.reason = params[:object][:reason]
  @object.save
end

Or is it a best practice to use strong params even in this situation?

def ban_later
  @object.reason = object_params[:reason]
  @object.save
end

private
  def object_params
    params.require(:object).permit(:permitted_1, :permitted_2, :reason)
  end

Which of these solutions is the best one? If none of them is, then what's the best solution to my problem?

Later Edit:

The #ban_later, #delete_later actions can indeed set a flag column status but that can be done without receiving its value from the params hash. Since you will only set one status per method you can simply set the status "pending_delete" when you are in #delete_later and "pending_ban" when you are in #ban_later.

Later Later Edit

Why use #save and not update_attributes directly? Let's say you need to have an if @object.save statement. On the false branch (object not saved) you might still want to render a view where the contents of that @object are used.

Dmitri asked Oct 13 '15 06:10



2 Answers

First one saves computation.

Second one checks for existence of :object sub-hash, which I think is good for fault-tolerance.

I initially would pick the 1st, but after some thought I liked the second one more.

lulalala answered Oct 03 '22 07:10


The simplest answer is that if you only use one parameter in params, and do not pass it to a multi attribute setter like model#create then you don't have to use strong_parameters to get a secure solution.

However, I expect that it is unlikely that this is the case for the whole controller. Where the ban_later method only needs one parameter, other controller methods will need more. In this case the question becomes: "do you want to handle params differently for ban_later to how you use it for the other controller methods?".

Also, can you be sure that the functionality will not change, and that when you change the functionality, you'll remember to change the way params is handled?

Therefore, I would use strong_parameters because it means:

  • parameters are handled consistently across all methods in the controller.
  • changes to methods are less likely to expose vulnerabilities as functionality changes.
11 revs, 10 users 40% answered Oct 03 '22 06:10
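The distinction the second answer draws (one attribute read out of params is safe; a whole hash handed to a multi-attribute setter is not) is easier to see with the three styles side by side. The following is an added example, not code from the question or either answer, and it deliberately has no Rails dependency: Params is a small stand-in for ActionController::Parameters#require/#permit, Account stands in for an ActiveRecord model with a privileged admin column, and ObjectsController and the REQUEST hash are constructed for the demonstration. ban_later follows the question's later edit, taking the status from the action and only the reason from the request.

```ruby
# Added example, not code from the question or answers. A plain-Ruby stand-in
# for Rails strong parameters (no Rails dependency), showing why reading a
# single attribute out of params is safe while mass-assigning an unfiltered
# hash is not. Params, Account and ObjectsController are constructed names.

class ParameterMissing < StandardError; end
class ForbiddenAttributes < StandardError; end

# Minimal model of ActionController::Parameters#require/#permit.
class Params
  attr_reader :permitted

  def initialize(hash, permitted: false)
    @hash = hash
    @permitted = permitted
  end

  # Single-key lookup returns the raw nested value, as params[:object] does.
  def [](key)
    @hash[key]
  end

  # Raises when the sub-hash is absent, the fault-tolerance the first answer mentions.
  def require(key)
    value = @hash[key]
    raise ParameterMissing, "param is missing: #{key}" if value.nil?
    Params.new(value)
  end

  # Keeps only the listed keys; the result is marked safe for mass assignment.
  def permit(*keys)
    Params.new(@hash.slice(*keys), permitted: true)
  end

  def to_h
    @hash
  end
end

# Stand-in for an ActiveRecord model that has a privileged column.
class Account
  attr_accessor :reason, :status, :admin

  def initialize
    @admin = false
  end

  # Like ActiveRecord: an unpermitted Params object is refused outright,
  # but a plain Hash is trusted, which is what makes raw hashes dangerous.
  def assign_attributes(attrs)
    if attrs.is_a?(Params)
      raise ForbiddenAttributes unless attrs.permitted
      attrs = attrs.to_h
    end
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end
end

class ObjectsController
  def initialize(params)
    @params = Params.new(params)
    @object = Account.new
  end

  # Pattern from the question's later edit: the status comes from the action
  # itself and only the free-text reason is taken from the request.
  def ban_later
    @object.status = "pending_ban"
    @object.reason = object_params[:reason]
    @object
  end

  # Mass assignment of the raw sub-hash: every key the client sent is applied.
  def update_unfiltered
    @object.assign_attributes(@params[:object])
  end

  # Mass assignment of a permitted subset: unlisted keys are silently dropped.
  def update_permitted
    @object.assign_attributes(object_params)
  end

  private

  def object_params
    @params.require(:object).permit(:reason)
  end
end

# Constructed request: a reason plus an attribute the client must not control.
REQUEST = { object: { reason: "spam", admin: true } }.freeze

def demo
  {
    single:     ObjectsController.new(REQUEST).ban_later,
    unfiltered: ObjectsController.new(REQUEST).update_unfiltered,
    permitted:  ObjectsController.new(REQUEST).update_permitted
  }
end
```

Running demo shows the point of the answer: the single-attribute action and the permitted mass assignment both leave admin false, while the unfiltered mass assignment flips it to true from the same request. It also shows the consistency argument: once object_params exists, ban_later costs nothing extra to route through it, and a later change that turns the action into a multi-attribute update is already covered.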