Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Strong Parameters in Rails 3.2.8

Tags:

ruby-on-rails

strong-parameters

This video states that it is possible to protect the input coming in via the controller yet still be able to do mass assignment via models and specs. However, I have not seen this documented as a feature when using strong_parameters in 3.2.8.

I understand that I need to mix in ActiveModel::ForbiddenAttributesProtection into my models and set config.active_record.whitelist_attributes = false in config/application.rb. I have also pulled all of my attr_accessible calls from the model.

With or without the mixin I am getting mass assignment errors.

ActiveModel::MassAssignmentSecurity::Error: Can't mass-assign protected attributes: home_phone, cell_phone

Am I missing something?

like image 328
Brandon Hansen Avatar asked Dec 13 '12 03:12

Brandon Hansen

People also ask

What are strong parameters in Rails?

Strong Parameters, aka Strong Params, are used in many Rails applications to increase the security of data sent through forms. Strong Params allow developers to specify in the controller which parameters are accepted and used.

What are params in Rails?

Specifically, params refers to the parameters being passed to the controller via a GET or POST request. In a GET request, params get passed to the controller from the URL in the user's browser. For example, if our app's controller looked like. def show. @person = Person.find(params[:name])

What is mass assignment in Rails?

Mass Assignment is the name Rails gives to the act of constructing your object with a parameters hash. It is "mass assignment" in that you are assigning multiple values to attributes via a single assignment operator.

What is permit in Ruby on Rails?

It returns an instance of ActionController::Parameters for the key passed into require . The permit method returns a copy of the parameters object, returning only the permitted keys and values. When creating a new ActiveRecord model, only the permitted attributes are passed into the model.

1 Answers

The suggested RailsCast is probably a good start, but here is a summary of what you have to do in Rails 3.x to get strong parameters working instead of attr_accessible:

  1. Add gem 'strong_parameters' to your Gemfile and run bundle.

  2. Comment out (or set to false) config.active_record.whitelist_attributes = true in config/application.rb

  3. Mix in the ActiveModel::ForbiddenAttributesProtection in your model. Do this per model, or apply globally to all models with:

    ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)

    (The railscast proposes to do this in a new initializer: config/initializers/strong_parameters.rb )

  4. From now on you will have to use syntax such as this:

    model_params = params[:model].permit( :attribute, :another_attribute )
@model.update_attributes( model_params )

    when you update your models. In this case any attribute in params[:model] except :attribute and :another_attribute will cause an ActiveModel::ForbiddenAttributes error.

You can also use the rest of the new magic from ActionController::Parameters, such as .require(:attribute) to force the presence of an attribute.

like image 81
Jonas Schubert Erlandsson Avatar answered Oct 19 '22 11:10

Jonas Schubert Erlandsson
Sign in to Comment

Related questions

setting up ssl on devise
Pros and cons to RubyMine and TextMate [closed]
combine results from two queries and order by created_at? [rails 3]
What does render_views do in rspec?
How do I determine which exception handler rescue_from will choose in Rails?
Store file in directory tmp on heroku Rails
Ruby on Rails Web Application to iOS or Android app? [closed]
rake db:schema:load not populating schema_migrations table
Rspec advice for testing service objects
Custom order based on Enum values
Passing Form Values into a controller in Rails
RSpec in Rails: How to skip a before_filter?
Specify a plugin as gem from github in Gemfile
How do I test whether my controller rendered the right layout on Rails 3?
Example Puppet setup for a rails stack? (nginx, varnish, thin, postgres, memcached, redis)
Environment-specific routing in Rails 3
Precompiling a .scss manifest file using Rails 3.1's asset pipeline
Working Capistrano recipe for uploading precompiled Rails 3.1 assets to Amazon S3
Sharing mixins between scss files in rails 3.1
Reference checklist for starting a new Rails application?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!