Module: ActionController::StrongParameters
Relationships & Source Files | |
Extension / Inclusion / Inheritance Descendants | |
Included In:
| |
Defined in: | actionpack/lib/action_controller/metal/strong_parameters.rb |
Overview
Strong Parameters
It provides an interface for protecting attributes from end-user assignment. This makes Action Controller parameters forbidden to be used in Active Model mass assignment until they have been explicitly enumerated.
In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request
with no effort.
class PeopleController < ActionController::Base
# Using "Person.create(params[:person])" would raise an
# ActiveModel::ForbiddenAttributesError exception because it'd
# be using mass assignment without an explicit permit step.
# This is the recommended form:
def create
Person.create(person_params)
end
# This will pass with flying colors as long as there's a person key in the
# parameters, otherwise it'll raise an ActionController::ParameterMissing
# exception, which will get caught by ActionController::Base and turned
# into a 400 Bad Request reply.
def update
redirect_to current_account.people.find(params[:id]).tap { |person|
person.update!(person_params)
}
end
private
# Using a private method to encapsulate the permissible parameters is
# a good pattern since you'll be able to reuse the same permit
# list between create and update. Also, you can specialize this method
# with per-user checking of permissible attributes.
def person_params
params.expect(person: [:name, :age])
end
end
In order to use accepts_nested_attributes_for
with Strong Parameters, you will need to specify which nested attributes should be permitted. You might want to allow :id
and :_destroy
, see ::ActiveRecord::NestedAttributes
for more information.
class Person
has_many :pets
accepts_nested_attributes_for :pets
end
class PeopleController < ActionController::Base
def create
Person.create(person_params)
end
#...
private
def person_params
# It's mandatory to specify the nested attributes that should be permitted.
# If you use {permit} with just the key that points to the nested attributes hash,
# it will return an empty hash.
params.expect(person: [ :name, :age, pets_attributes: [ :id, :name, :category ] ])
end
end
See ActionController::Parameters.expect
, See ActionController::Parameters.require
, and ActionController::Parameters.permit
for more information.
Instance Attribute Summary
-
#params
rw
Returns a new
Parameters
object that has been instantiated with therequest.parameters
. -
#params=(value)
rw
Assigns the given
value
to the #params hash.
Instance Attribute Details
#params (rw)
Returns a new Parameters
object that has been instantiated with the request.parameters
.
# File 'actionpack/lib/action_controller/metal/strong_parameters.rb', line 1514
def params @_params ||= begin context = { controller: self.class.name, action: action_name, request: request, params: request.filtered_parameters } Parameters.new(request.parameters, context) end end
#params=(value) (rw)
Assigns the given value
to the #params hash. If value
is a ::Hash
, this will create an Parameters
object that has been instantiated with the given value
hash.
# File 'actionpack/lib/action_controller/metal/strong_parameters.rb', line 1529
def params=(value) @_params = value.is_a?(Hash) ? Parameters.new(value) : value end