The Rails core team recently introduced a project called strong parameters.
Strong parameters is the latest tool in the fight against mass assignment vulnerabilities. Let’s take the problem of your typical web form that creates a user. Your code might look something like this:
<form method="post" action="/users">
<!-- nested as user[name] so it arrives as params[:user][:name], which the controller below reads -->
<input type="text" name="user[name]" />
<input type="submit" />
</form>
This looks all well and good, but what happens if a user tampers with the form and adds a parameter they are not supposed to send? For example, they might add an admin
field and set it to true. If your models don't guard against this, every column on the model becomes settable from the request. Typically, in Rails 3, you would whitelist attributes in the model like this:
class User < ActiveRecord::Base
attr_accessible :name
end
Then in the controller:
def create
@user = User.new(params[:user]) # attr_accessible drops everything except name
@user.admin = params[:user][:admin] # If you want this set, assign it explicitly
....
end
In Rails 4, there's a new way to mark parameters as permitted or required. It comes in the form of a plugin called strong parameters, which moves the whitelist out of the model and into the controller, where the request is actually handled. The way it works is like this:
class UsersController < ActionController::Base
def create
@user = User.new(user_params)
....
end
private
def user_params
params.require(:user).permit(:name)
end
end
If you pass parameters that have not been permitted to mass assignment (for example, the raw params[:user] instead of user_params), an ActiveModel::ForbiddenAttributes
exception is raised (in Rails 4 itself the class is named ActiveModel::ForbiddenAttributesError). Keys that are not in the permit list, such as admin, are simply dropped, and require(:user) raises ActionController::ParameterMissing if the request has no :user key at all.
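To make the difference between the two controller patterns concrete without a Rails app, here is an added example (not code from the original post, and not Rails' own ActionController::Parameters) that simulates the require/permit whitelist and a model whose mass assignment refuses unpermitted parameters. The Params and User classes, the exception names and the CRAFTED request body are all constructed for the example.

```ruby
# Added example: a dependency-free simulation of mass assignment and of the
# require/permit whitelist, so the behaviour can be run without Rails.

class ParameterMissing < StandardError; end
class ForbiddenAttributes < StandardError; end

# Stand-in for ActionController::Parameters: a hash that remembers whether
# it has been whitelisted (assumed shape, not the real class).
class Params
  attr_reader :permitted

  def initialize(hash, permitted: false)
    @hash = hash
    @permitted = permitted
  end

  def [](key)
    @hash[key]
  end

  # require: the nested key must be present, otherwise raise (as
  # params.require(:user) does when the form sends no user[...] fields).
  def require(key)
    value = @hash[key]
    raise ParameterMissing, "param is missing: #{key}" if value.nil? || value.empty?
    Params.new(value)
  end

  # permit: keep only the listed keys and mark the result as safe to assign.
  def permit(*keys)
    Params.new(@hash.select { |k, _| keys.include?(k) }, permitted: true)
  end

  def to_h
    @hash.dup
  end
end

# Stand-in for the model: mass assignment refuses a Params that was never
# permitted, mirroring the ForbiddenAttributes check.
class User
  attr_accessor :name, :admin

  def initialize(attrs = {})
    if attrs.is_a?(Params) && !attrs.permitted
      raise ForbiddenAttributes, "unpermitted parameters passed to mass assignment"
    end
    attrs.to_h.each { |k, v| public_send("#{k}=", v) }
  end
end

# Vulnerable pattern: assigning the raw request hash lets a crafted request set admin.
def create_user_unsafe(raw)
  User.new(raw[:user])
end

# Hardened pattern: the whitelist in user_params drops admin before assignment.
def user_params(params)
  params.require(:user).permit(:name)
end

def create_user_safe(params)
  User.new(user_params(params))
end

# Constructed request body, as a tampered form submission would produce it.
CRAFTED = { user: { name: "mallory", admin: true } }.freeze

if __FILE__ == $0
  puts "unsafe: admin=#{create_user_unsafe(CRAFTED).admin.inspect}"          # true
  puts "safe:   admin=#{create_user_safe(Params.new(CRAFTED)).admin.inspect}" # nil
end
```

Running it shows the unsafe path creating an admin from a plain form post, while the hardened path keeps only name; passing `Params.new(CRAFTED).require(:user)` straight to `User.new` raises ForbiddenAttributes, and a body with no :user key fails at require with ParameterMissing.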
If you want to check this out now, you can use it in your Rails 3.2.x applications by adding the strong_parameters gem to your Gemfile. It will be on by default in Rails 4.