module ActionController::StrongParameters
Strong Parameters
It provides an interface for protecting attributes from end-user assignment. This makes Action Controller parameters forbidden to be used in Active Model mass assignment until they have been whitelisted.
In addition, parameters can be marked as required and flow through a predefined raise/rescue flow to end up as a 400 Bad Request with no effort.
class PeopleController < ActionController::Base # Using "Person.create(params[:person])" would raise an # ActiveModel::ForbiddenAttributes exception because it'd # be using mass assignment without an explicit permit step. # This is the recommended form: def create Person.create(person_params) end # This will pass with flying colors as long as there's a person key in the # parameters, otherwise it'll raise an ActionController::MissingParameter # exception, which will get caught by ActionController::Base and turned # into a 400 Bad Request reply. def update redirect_to current_account.people.find(params[:id]).tap { |person| person.update!(person_params) } end private # Using a private method to encapsulate the permissible parameters is # just a good pattern since you'll be able to reuse the same permit # list between create and update. Also, you can specialize this method # with per-user checking of permissible attributes. def person_params params.require(:person).permit(:name, :age) end end
In order to use accepts_nested_attributes_for
with Strong Parameters, you will need to specify which nested attributes should be whitelisted. You might want to allow :id
and :_destroy
, see ActiveRecord::NestedAttributes for more information.
class Person has_many :pets accepts_nested_attributes_for :pets end class PeopleController < ActionController::Base def create Person.create(person_params) end ... private def person_params # It's mandatory to specify the nested attributes that should be whitelisted. # If you use `permit` with just the key that points to the nested attributes hash, # it will return an empty hash. params.require(:person).permit(:name, :age, pets_attributes: [ :id, :name, :category ]) end end
See ActionController::Parameters#require and ActionController::Parameters#permit for more information.
Public Instance Methods
# File actionpack/lib/action_controller/metal/strong_parameters.rb, line 1051 def params @_params ||= Parameters.new(request.parameters) end
Returns a new ActionController::Parameters object that has been instantiated with the request.parameters
.
# File actionpack/lib/action_controller/metal/strong_parameters.rb, line 1058 def params=(value) @_params = value.is_a?(Hash) ? Parameters.new(value) : value end
Assigns the given value
to the params
hash. If value
is a Hash, this will create an ActionController::Parameters object that has been instantiated with the given value
hash.
© 2004–2018 David Heinemeier Hansson
Licensed under the MIT License.