Strong Parameters in Rails 3.2.8
This video states that it is possible to protect the input coming in via the controller yet still be able to do mass assignment via models and specs. However, I have not seen this documented as a feature when using strong_parameters in 3.2.8.
I understand that I need to mix in ActiveModel::ForbiddenAttributesProtection into my models and set config.active_record.whitelist_attributes = false in config/application.rb. I have also pulled all of my attr_accessible calls from the model.
With or without the mixin I am getting mass assignment errors.
ActiveModel::MassAssignmentSecurity::Error:
Can't mass-assign protected attributes: home_phone, cell_phone
Am I missing something?
Answer
The suggested RailsCast is probably a good start, but here is a summary of what you have to do in Rails 3.x to get strong parameters working instead of attr_accessible:
Add
gem 'strong_parameters'to your Gemfile and run bundle.Comment out (or set to false)
config.active_record.whitelist_attributes = truein config/application.rbMix in the
ActiveModel::ForbiddenAttributesProtectionin your model. Do this per model, or apply globally to all models with:ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)(The railscast proposes to do this in a new initializer: config/initializers/strong_parameters.rb )
From now on you will have to use syntax such as this:
model_params = params[:model].permit( :attribute, :another_attribute ) @model.update_attributes( model_params )when you update your models. In this case any attribute in
params[:model]except:attributeand:another_attributewill cause an ActiveModel::ForbiddenAttributes error.
You can also use the rest of the new magic from ActionController::Parameters, such as .require(:attribute) to force the presence of an attribute.