Daniel Joo

Strong Params with Custom Arguments

Strong Params are used in Rails to make sure that users can only pass in values for permitted parameters when sending POST requests to the server. For example, when updating a blog post, a user will only be able to update the attribute parameters for the post that have been permitted by the developers for users to edit/update.

Custom arguments for strong parameters are a helpful way to ensure that the user cannot update the values for certain parameters after the object has already been created (through a form_for).

    private

    # Permit only the task attributes named by the calling action.
    def task_params(*args)
      params.require(:task).permit(*args)
    end

In the example shown here, I have a private strong params method. It's called task_params and takes custom arguments that name the params a user is permitted to enter values for when creating and updating a task. The method requires that there be a task, and what is permitted is left to the developer's discretion later on in the Tasks#create and Tasks#update methods.

    def create
      # assignee_id may be set only when the task is created.
      @task = Task.new(task_params(:assignee_id, :title, :category, :priority, :content))
      if @task.valid?
        @task.save
        redirect_to task_path(@task)
      else
        render :new
      end
    end

    def update
      @task = Task.find(params[:id])
      # assignee_id is left out here, so it cannot be changed after creation.
      @task.update(task_params(:title, :category, :status, :priority, :content))
      if @task.valid?
        redirect_to task_path(@task)
      else
        render :edit
      end
    end

In the Tasks#create controller action, there are 5 parameters that are being permitted: assignee_id, title, category, priority, and content. These are the only attributes of a task object that the user can pass in values for when that user creates a task on a form.

However, because the task_params method takes custom arguments, I can now permit different parameters when users want to update a preexisting task. Let's say that once a task has been assigned to someone (the assignee), the assignee for a task cannot be changed. In the Tasks#update action, you can see that the assignee_id parameter has now been taken out. As long as you take out the form field for assignee_id in the corresponding form on the edit view page, users will now only be permitted to update values for the remaining 4 parameters. The permit list is checked on the server, so an assignee_id sent to Tasks#update in a hand-built request is filtered out before it reaches the model.

Passing custom arguments for strong parameters is definitely a neat and simple way to control what users can and cannot update!
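The per-action permit lists above, written as fixed allowlists so the set of permitted keys cannot vary by caller. This is an added example, not the article's code: it is a plain-Ruby stand-in for `params.require(:task).permit(...)` that runs without Rails, and `PERMITTED`, `filter_task_params`, `CRAFTED_UPDATE` and `demo` are hypothetical names.

```ruby
# Added example (not the article's code). Plain-Ruby stand-in for
# params.require(:task).permit(...) so it runs without Rails.
# PERMITTED and filter_task_params are hypothetical names.

# One allowlist per action, taken from the article's create/update calls.
PERMITTED = {
  create: %i[assignee_id title category priority content],
  update: %i[title category status priority content]
}.freeze

# Returns [permitted, rejected]. Fails closed: an action with no allowlist
# raises KeyError, and a request without a :task hash raises ArgumentError.
def filter_task_params(action, raw)
  allowed = PERMITTED.fetch(action)
  task = raw[:task]
  raise ArgumentError, "missing :task" unless task.is_a?(Hash) && !task.empty?

  task = task.transform_keys(&:to_sym)
  permitted = task.slice(*allowed)   # keep only allowlisted attributes
  rejected = task.keys - allowed     # everything else is dropped and reported
  [permitted, rejected]
end

# Constructed request body: an update that re-adds assignee_id even
# though the edit form no longer has that field.
CRAFTED_UPDATE = {
  task: { "title" => "Ship v2", "status" => "done", "assignee_id" => "42" }
}.freeze

def demo
  permitted, rejected = filter_task_params(:update, CRAFTED_UPDATE)
  warn "unpermitted on update: #{rejected.inspect}" unless rejected.empty?
  permitted
end

p demo if __FILE__ == $PROGRAM_NAME
```

In a Rails controller the same allowlist can feed the real API with `params.require(:task).permit(*PERMITTED.fetch(action_name.to_sym))`.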

Top comments (1)

Kyle Boe

Doesn't this undermine the purpose of Strong Parameters? Seems like it goes upstream against the security patterns that Rails has established.

Not trying to antagonize, maybe I just don't understand a use case based on the provided examples.
