Rails 4 Strong Parameters

parameters

The Rails core team recently introduced a project called strong parameters.

Strong parameters is the latest tool in the fight against mass assignment vulnerabilities. Let’s take the problem of your typical web form that creates a user. Your code might look something like this:

<form method="post" action="/users">
  <input type="text" name="name" />
  <input type="submit" />
</form>

This looks all well and good but what happens if a use messes with your form and adds another parameter in that they’re not supposed to? As an example, perhaps they add in an admin attribute and set it to true. If you aren’t protecting this in your models, you can run in to issues. Typically, you would do something like this:

class User < ActiveRecord::Base
  attr_accessible :name
end

Then in the controller:

def create
  @user = User.new(params[:user])
  @user.admin = params[:user][:admin] # If you want this set!
  ....
end

In Rails 4, there’s a new option to mark parameters as safe or required. This comes in the form of a plugin called strong parameters. The way it works is like this:

class UsersController < ActionController::Base

  def create
    @user = User.new(user_params)
    ....
  end

  private
  def user_params
    params.require(:user).permit(:name)
  end
end

If you don’t use the correct params, an ActiveModel::ForbiddenAttributes exception is raised due to mass assignment being allowed.

If you want to check this out now, you can use it in your Rails 3.2.X applications by adding the strong_parameters gem to your Gemfile. It will be on by default in Rails 4.

Jason Seifer

Jason Seifer is a web developer, podcaster, beer geek, world traveler, astronaut, and trainer of Chuck Norris. He enjoys long walks on the beach, poetry, and a good scotch. He also teaches at Treehouse.

Comments

One comment on “Rails 4 Strong Parameters