
Joachim McClain

Rails 4 Strong Parameters don't seem to be protecting my app...

The oddity is that it is not throwing an exception when a user submits a form with user_id. Shouldn't it fail? Why isn't it?

I'm running Rails 4.0.2 and Ruby 2.1.0.

Cheers

Joa

Here's the application_controller...

```ruby
class ApplicationController < ActionController::Base
  before_filter :configure_permitted_parameters, if: :devise_controller?
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :first_name << :last_name << :profile_name
    devise_parameter_sanitizer.for(:account_update) << :first_name << :last_name << :profile_name
  end
end
```

Here's the statuses_controller...

```ruby
class StatusesController < ApplicationController
  before_action :set_status, only: [:show, :edit, :update, :destroy]

  # GET /statuses
  # GET /statuses.json
  def index
    @statuses = Status.all
  end

  # GET /statuses/1
  # GET /statuses/1.json
  def show
  end

  # GET /statuses/new
  def new
    @status = Status.new
  end

  # GET /statuses/1/edit
  def edit
  end

  # POST /statuses
  # POST /statuses.json
  def create
    @status = Status.new(status_params)

    respond_to do |format|
      if @status.save
        format.html { redirect_to @status, notice: 'Status was successfully created.' }
        format.json { render action: 'show', status: :created, location: @status }
      else
        format.html { render action: 'new' }
        format.json { render json: @status.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /statuses/1
  # PATCH/PUT /statuses/1.json
  def update
    respond_to do |format|
      if @status.update(status_params)
        format.html { redirect_to @status, notice: 'Status was successfully updated.' }
        format.json { head :no_content }
      else
        format.html { render action: 'edit' }
        format.json { render json: @status.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /statuses/1
  # DELETE /statuses/1.json
  def destroy
    @status.destroy
    respond_to do |format|
      format.html { redirect_to statuses_url }
      format.json { head :no_content }
    end
  end

  private

  # Use callbacks to share common setup or constraints between actions.
  def set_status
    @status = Status.find(params[:id])
  end

  # Never trust parameters from the scary internet, only allow the white list through.
  def status_params
    params.require(:status).permit(:content)
  end
end
```

and here's the _form.html.erb

```erb
<%= simple_form_for @status do |f| %>
  <% if @status.errors.any? %>
    <div id="error_explanation">
      <h2><%= pluralize(@status.errors.count, "error") %> prohibited this status from being saved:</h2>

      <ul>
      <% @status.errors.full_messages.each do |msg| %>
        <li><%= msg %></li>
      <% end %>
      </ul>
    </div>
  <% end %>

  <%= f.input :user_id %>
  <%= f.input :content %>

  <div class="form-actions">
    <%= f.button :submit, class: "btn btn-info" %>
  </div>
<% end %>
```
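The behaviour the question is asking about can be seen without a Rails app. Strong parameters do not reject a request that carries an extra field; `permit` keeps only the listed keys and the rest are dropped, with what happens to the dropped keys governed by `config.action_controller.action_on_unpermitted_parameters` (Rails 4 sets it to `:log` in development and test, which writes "Unpermitted parameters: user_id" to the log, and to `false` in production, which drops them silently; only `:raise` produces an `ActionController::UnpermittedParameters` exception). The following is an added illustration, not code from the original post and not Rails' own implementation: `StrongParams`, `UnpermittedParameters` and `ParameterMissing` are hypothetical stand-ins that mirror the documented `require`/`permit` semantics, and the submitted payload is constructed to match the form above.

```ruby
# Added example (not from the original post): a minimal stand-in that mirrors the
# documented semantics of Rails 4 strong parameters. Class names here are
# hypothetical; the real API is ActionController::Parameters and the real
# exception is ActionController::UnpermittedParameters.

class ParameterMissing < StandardError; end
class UnpermittedParameters < StandardError; end

class StrongParams
  # Mirrors config.action_controller.action_on_unpermitted_parameters:
  # :log (development/test default), false (production default: drop silently),
  # or :raise.
  attr_reader :action_on_unpermitted, :log

  def initialize(hash, action_on_unpermitted: :log, log: [])
    @hash = hash
    @action_on_unpermitted = action_on_unpermitted
    @log = log
  end

  # params.require(:status): raises when the key is absent or blank.
  def require(key)
    value = @hash[key.to_s]
    if value.nil? || value.empty?
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    StrongParams.new(value, action_on_unpermitted: @action_on_unpermitted, log: @log)
  end

  # params.permit(:content): keeps only the listed keys. Unlisted keys are never
  # passed through; whether they are logged, ignored or raise depends on the
  # configured action.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    unpermitted = @hash.keys.map(&:to_s) - allowed
    unless unpermitted.empty?
      case @action_on_unpermitted
      when :raise
        raise UnpermittedParameters, "found unpermitted parameters: #{unpermitted.join(', ')}"
      when :log
        @log << "Unpermitted parameters: #{unpermitted.join(', ')}"
      end
    end
    @hash.select { |k, _| allowed.include?(k.to_s) }
  end
end

# Constructed request payload: the form in the question posts both user_id and
# content nested under the :status key.
SUBMITTED = { "status" => { "user_id" => "42", "content" => "hello" } }

# Equivalent of the controller's status_params method.
def status_params(raw, action_on_unpermitted: :log, log: [])
  StrongParams.new(raw, action_on_unpermitted: action_on_unpermitted, log: log)
              .require(:status)
              .permit(:content)
end

def demo
  log = []
  filtered = status_params(SUBMITTED, action_on_unpermitted: :log, log: log)
  puts "development default (:log): #{filtered.inspect}; logged: #{log.inspect}"

  filtered = status_params(SUBMITTED, action_on_unpermitted: false)
  puts "production default (false): #{filtered.inspect}; nothing logged"

  begin
    status_params(SUBMITTED, action_on_unpermitted: :raise)
  rescue UnpermittedParameters => e
    puts ":raise -> #{e.class}: #{e.message}"
  end
end

demo if $PROGRAM_NAME == __FILE__
```

In all three modes `user_id` never reaches `Status.new`, so mass assignment is already blocked; the exception the question expects only appears with `config.action_controller.action_on_unpermitted_parameters = :raise` in `config/environments/development.rb` (and test), which is a useful way to surface stray form fields early. Independently of that setting, a field the client should not control is better not rendered in the form at all and set server-side in `create`, for example `current_user.statuses.build(status_params)` (assuming a `has_many :statuses` association on the Devise user model, which the post does not show).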

1 Answer

Joachim McClain

Oh wow, my markdown has not worked at all... Sorry. Hope it all still makes sense. Cheers, Joa