Probably doing something stupid here, but here's my basic cookie cutter class:
    class League < ActiveRecord::Base
      private
      def league_params
        params.require(:full_name).permit!
      end
    end
And when creating a new instance of League:
    2.0.0-p0 :001 > l = League.new(full_name: 'foo', short_name: 'bar')
    WARNING: Can't mass-assign protected attributes for League: full_name, short_name
What exactly am I doing wrong here? This is a Rails 4.0.0.beta1 build + Ruby 2.0
** UPDATE **
I realize now that strong parameters are enforced in the Controller now and not in the model. The original question still stands. If they are permitted on the controller level, how can I properly whitelist attributes if I'm creating instances in the Rails console? Wouldn't I need to also use attr_accessible in this case also thereby completely duplicating what strong parameters is trying to "fix"?
Two things. The league_params definition goes in the controller, not the model. And params.require() should contain the name of the model that is required to be present in the parameters, not the attributes. The attribute presence check should still be in the model validations. And be sure you really want to allow access to all attributes in the League model before you use permit!. So, it should look like this:
    class LeaguesController < ApplicationController
      private
      def league_params
        params.require(:league).permit!
      end
    end
Update:
Yes, if you want the attributes to be restricted when accessing the model directly, you would need to switch back to using the attr_accessible in the model. That functionality has been moved into this gem: https://github.com/rails/protected_attributes.
I think it is assumed that if you are working with the model directly in the console, you don't need the attributes to be protected as you know exactly what is being entered. As the console has full access to your app, it would be just as easy to hose the entire database as it would be to maliciously assign an attribute.
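An added example, not part of the original question or answer: it shows what the warning about permit! means in practice by comparing it with an explicit permit list when a request carries an attribute the form never offered. SketchParams is a simplified stand-in for ActionController::Parameters written for this example so it runs without Rails, and owner_id is a hypothetical column.

```ruby
# Simplified stand-in for ActionController::Parameters (flat attributes only),
# written for this example so it runs without Rails. Not Rails' own code.
class SketchParams
  class ParameterMissing < StandardError; end
  def initialize(hash, permitted = false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  # require(:league) returns the nested hash stored under that key, or raises.
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing: #{key}" if value.nil? || value.empty?
    value.is_a?(Hash) ? SketchParams.new(value) : value
  end

  # permit(*keys) keeps only the listed attributes and drops everything else.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    SketchParams.new(@hash.select { |k, _| allowed.include?(k) }, true)
  end

  # permit! accepts every attribute the client sent.
  def permit!
    SketchParams.new(@hash, true)
  end

  # Only a permitted set may be handed to the model for mass assignment.
  def to_h
    raise "unpermitted parameters" unless @permitted
    @hash.dup
  end
end

# Constructed request: the form has two fields; the client added owner_id
# (a hypothetical column used only for this illustration).
REQUEST = {
  "league" => { "full_name" => "foo", "short_name" => "bar", "owner_id" => "1" }
}.freeze

def league_params_permit_all
  SketchParams.new(REQUEST).require(:league).permit!.to_h
end

def league_params_explicit
  SketchParams.new(REQUEST).require(:league).permit(:full_name, :short_name).to_h
end

p league_params_permit_all, league_params_explicit
```

With permit! the extra owner_id reaches the model; with the explicit list it is dropped before mass assignment.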