mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Reword 5.6 strong parameters and private method stuff [ci skip]
parent bae7f1dae9
commit 024e5e3104
1 changed files with 28 additions and 11 deletions
@@ -749,10 +749,33 @@ article. Try it! You should get an error that looks like this:
 Rails has several security features that help you write secure applications,
 and you're running into one of them now. This one is called
-`strong_parameters`, which requires us to tell Rails exactly which parameters
-we want to accept in our controllers. In this case, we want to allow the
-`title` and `text` parameters, so add the new `article_params` method, and
-change your `create` controller action to use it, like this:
+`[strong_parameters](http://guides.rubyonrails.org/action_controller_overview.html#strong-parameters)`,
+which requires us to tell Rails exactly which parameters are allowed into
+our controller actions.
+
+Why do you have to bother? The ability to grab and automatically assign
+all controller parameters to your model in one shot makes the programmer's
+job easier, but this convenience also allows malicious use. What if a
+request to the server was crafted to look like a new article form submit
+but also included extra fields with values that violated your applications
+integrity? They would be 'mass assigned' into your model and then into the
+database along with the good stuff - potentially breaking your application
+or worse.
+
+We have to whitelist our controller parameters to prevent wrongful
+mass assignment. In this case, we want to both allow and require the
+`title` and `text` parameters for valid use of `create`. The syntax for
+this introduces `require` and `permit`. The change will involve one line:
+
+```ruby
+@article = Article.new(params.require(:article).permit(:title, :text))
+```
+
+This is often factored out into its own method so it can be reused by
+multiple actions in the same controller, for example `create` and `update`.
+Above and beyond mass assignment issues, the method is often made
+`private` to make sure it can't be called outside its intended context.
+Here is the result:
 
 ```ruby
 def create
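Review bot: the added lines `mass assignment. In this case, we want to both allow and require the` / `` `title` and `text` parameters for valid use of `create`. `` misstate what the one-line change does. In `params.require(:article).permit(:title, :text)`, `require(:article)` raises `ActionController::ParameterMissing` only when the `article` key itself is absent or blank, and `permit(:title, :text)` merely filters the nested hash to those two keys; a request carrying `article[title]` but no `article[text]` still passes, with `text` arriving as nil. Presence of the individual attributes is the job of the model's validations, not of strong parameters. Suggest wording it as "require the `article` hash and permit only its `title` and `text` keys". Also, `your applications integrity` needs the possessive, `application's`.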
@@ -768,13 +791,7 @@ private
 end
 ```
 
-See the `permit`? It allows us to accept both `title` and `text` in this
-action.
-
-TIP: Note that `def article_params` is private. This new approach prevents an
-attacker from setting the model's attributes by manipulating the hash passed to
-the model.
-For more information, refer to
+TIP: For more information, refer to the reference above and
 [this blog article about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/).
 
 ### Showing Articles
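Review bot: the replacement TIP drops the only explanation of why `article_params` is `private`, and the removed sentence (`This new approach prevents an attacker from setting the model's attributes by manipulating the hash passed to the model.`) credited that protection to the wrong mechanism anyway: the filtering comes from `permit`, not from the method's visibility. The concrete reason for `private` is that a controller's public instance methods are its actions (`action_methods`), so a public `article_params` could be invoked directly if a route ever pointed at it; that is worth stating here rather than the vaguer `it can't be called outside its intended context` kept in the earlier hunk. Separately, `refer to the reference above` should name what it means, i.e. the Action Controller Overview strong-parameters guide linked at the start of the section, instead of pointing upward.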