123456789_123456789_123456789_123456789_123456789_

Module: ActionController::StrongParameters

Relationships & Source Files
Extension / Inclusion / Inheritance Descendants
Included In:
Base, ::ActionView::TestCase::TestController, Rails::ApplicationController, Rails::InfoController, Rails::MailersController, Rails::WelcomeController
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
Instance Chain:
Defined in: actionpack/lib/action_controller/metal/strong_parameters.rb

Overview

Strong Parameters

It provides an interface for protecting attributes from end-user assignment. This makes Action Controller parameters forbidden to be used in Active Model mass assignment until they have been whitelisted.

In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.

class PeopleController < ActionController::Base
  # Using "Person.create(params[:person])" would raise an
  # ActiveModel::ForbiddenAttributes exception because it'd
  # be using mass assignment without an explicit permit step.
  # This is the recommended form:
  def create
    Person.create(person_params)
  end

  # This will pass with flying colors as long as there's a person key in the
  # parameters, otherwise it'll raise an ActionController::MissingParameter
  # exception, which will get caught by ActionController::Base and turned
  # into a 400 Bad Request reply.
  def update
    redirect_to .people.find(params[:id]).tap { |person|
      person.update!(person_params)
    }
  end

  private
    # Using a private method to encapsulate the permissible parameters is
    # just a good pattern since you'll be able to reuse the same permit
    # list between create and update. Also, you can specialize this method
    # with per-user checking of permissible attributes.
    def person_params
      params.require(:person).permit(:name, :age)
    end
end

In order to use accepts_nested_attributes_for with Strong Parameters, you will need to specify which nested attributes should be whitelisted.

class Person
  has_many :pets
  accepts_nested_attributes_for :pets
end

class PeopleController < ActionController::Base
  def create
    Person.create(person_params)
  end

  #...

  private

    def person_params
      # It's mandatory to specify the nested attributes that should be whitelisted.
      # If you use `permit` with just the key that points to the nested attributes hash,
      # it will return an empty hash.
      params.require(:person).permit(:name, :age, pets_attributes: [ :name, :category ])
    end
end

See ActionController::Parameters.require and ActionController::Parameters.permit for more information.

::ActiveSupport::Rescuable - Attributes & Methods

Class Method Summary

Instance Attribute Summary

Instance Method Summary

::ActiveSupport::Rescuable - Included

#handler_for_rescue,
#rescue_with_handler

Tries to rescue the exception by looking up and calling a registered handler.

Class Attribute Details

.rescue_handlers (rw)

[ GitHub ]

  
# File 'activesupport/lib/active_support/rescuable.rb', line 12

class_attribute :rescue_handlers

.rescue_handlers?Boolean (rw)

[ GitHub ]

  
# File 'activesupport/lib/active_support/rescuable.rb', line 12

class_attribute :rescue_handlers

Instance Attribute Details

#params (rw)

Returns a new Parameters object that has been instantiated with the request.parameters.

[ GitHub ]

  
# File 'actionpack/lib/action_controller/metal/strong_parameters.rb', line 658

def params
  @_params ||= Parameters.new(request.parameters)
end

#params=(value) (rw)

Assigns the given value to the #params hash. If value is a ::Hash, this will create an Parameters object that has been instantiated with the given value hash.

[ GitHub ]

  
# File 'actionpack/lib/action_controller/metal/strong_parameters.rb', line 665

def params=(value)
  @_params = value.is_a?(Hash) ? Parameters.new(value) : value
end

#rescue_handlers (rw)

[ GitHub ]

  
# File 'activesupport/lib/active_support/rescuable.rb', line 12

class_attribute :rescue_handlers

#rescue_handlers?Boolean (rw)

[ GitHub ]

  
# File 'activesupport/lib/active_support/rescuable.rb', line 12

class_attribute :rescue_handlers