Rails 4 strong parameters failing when creating instances in rails console

randombits · Apr 12, 2013 · Viewed 9.8k times

Probably doing something stupid here, but here's my basic cookie cutter class:

class League < ActiveRecord::Base

    private
      def league_params
        params.require(:full_name).permit!
      end

end

And when creating a new instance of League:

2.0.0-p0 :001 > l = League.new(full_name: 'foo', short_name: 'bar')
WARNING: Can't mass-assign protected attributes for League: full_name, short_name

What exactly am I doing wrong here? This is a Rails 4.0.0.beta1 build + Ruby 2.0

** UPDATE **

I realize now that strong parameters are enforced in the controller and not in the model. The original question still stands. If they are permitted at the controller level, how can I properly whitelist attributes if I'm creating instances in the Rails console? Wouldn't I also need to use attr_accessible in this case, thereby completely duplicating what strong parameters is trying to "fix"?

Answer

ericeason · Apr 12, 2013

Two things. The league_params definition goes in the controller, not the model. And params.require() should contain the name of the model that is required to be present in the parameters, not the attributes. The attribute presence check should still be in the model validations. And be sure you really want to allow access to all attributes in the League model before you use permit!. So, it should look like this:

class LeaguesController < ApplicationController

  private
    def league_params
      params.require(:league).permit!
    end

end

Update:

Yes, if you want the attributes to be restricted when accessing the model directly, you would need to switch back to using the attr_accessible in the model. That functionality has been moved into this gem: https://github.com/rails/protected_attributes.

I think it is assumed that if you are working with the model directly in the console, you don't need the attributes to be protected as you know exactly what is being entered. As the console has full access to your app, it would be just as easy to hose the entire database as it would be to maliciously assign an attribute.
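To make the answer's require/permit flow concrete, here is an added example (not code from the question, the answer, or Rails itself): a minimal stand-in for ActionController::Parameters so the controller-side filtering can be run without a Rails app. The StrongParams class, the ParameterMissing error and the REQUEST_PARAMS payload are all constructed assumptions that mirror the shape of the Rails API; it contrasts the answer's permit! with an explicit whitelist.

```ruby
# Minimal stand-in for ActionController::Parameters (assumption: names
# mirror the Rails API shape; a real app uses the Rails class instead).
class ParameterMissing < StandardError; end

class StrongParams
  attr_reader :data

  def initialize(data)
    @data = data.transform_keys(&:to_sym)
  end

  # require(:league) returns the nested hash under :league or raises.
  # This is why require(:full_name) in the question is wrong: it names an
  # attribute, not the model key that wraps the attributes.
  def require(key)
    value = @data[key]
    if value.nil? || value == {}
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    raise ParameterMissing, "expected a nested hash under #{key}" unless value.is_a?(Hash)
    StrongParams.new(value)
  end

  # Explicit whitelist: keys not listed (such as :admin) are dropped.
  def permit(*keys)
    @data.slice(*keys)
  end

  # permit! lets everything through, including keys the form never sent.
  def permit!
    @data.dup
  end
end

# Constructed request payload: a client tacked an extra :admin key onto
# the form fields the app actually expects.
REQUEST_PARAMS = {
  league: { full_name: 'foo', short_name: 'bar', admin: true }
}.freeze

# The answer's controller method, using permit! ...
def league_params_permit_all(raw = REQUEST_PARAMS)
  StrongParams.new(raw).require(:league).permit!
end

# ... versus an explicit whitelist, which keeps :admin out of the model.
def league_params_whitelisted(raw = REQUEST_PARAMS)
  StrongParams.new(raw).require(:league).permit(:full_name, :short_name)
end
```

Run either method and compare the returned hashes; the whitelisted version is what you would hand to League.new in a controller action.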