Strong Parameters in Rails 4 for user_friendships

So you have to use strong_parameters to allow the form data to pass through to the controller. That's why it doesn't show in the log. You should be adding friend_id to allow that to pass through.

Does anyone have an example of how they got strong_parameters to work for them? So far I have changed my attr_accessible list from the UserFriendship model to look like this: UserFriendship.create(params.permit(:user, :friend, :user_id, :friend_id)) But I don't know where I'm supposed to put that (assuming it's even correct)? Do I add it to the create method of the UserFriendshipController? Or in the ApplicationController? Or somewhere else? Do I assign it to something? Everything I have attempted is not working. Please, help!

Ahh yes, that was it. I did not end up using the strong_parameters gem, but I did have the hidden_field commented out in the form, because it was causing a crash earlier. Just had to switch to using .find instead of .where. Appears to be working well now. Thanks Brandon!

I recommend using strong_parameters that shipped with rails 4.0. From what I've read, the reason for the switch was for security issues using attr_accessible in earlier versions of rails.

Oh I see. It is built into Rails. I have only used Rails 4, so I thought it was always there at first.

Yes, for strong parameters, you have to declare what you what to pass in the controller now. So, yes, add it to the create method. Here is what I did:

def create
    if params[:user_friendship] && params[:user_friendship].has_key?(:friend_id)  
      # @friend = User.where(profile_name: params[:user_friendship][:friend_id]) 
      @friend = User.find(params[:user_friendship][:friend_id]) 
      @user_friendship = UserFriendship.request(current_user, @friend)

      respond_to do |format|
        if @user_friendship.new_record?
          format.html do 
            flash[:error] = "There was problem creating that friend request."
            redirect_to profile_path(@friend)
          end
          format.json { render json: @user_friendship.to_json, status: :precondition_failed }
        else
          format.html do
            flash[:success] = "Friend request sent."
            redirect_to profile_path(@friend)
          end
          format.json { render json: @user_friendship.to_json }
        end
      end        
    else
      flash[:error] = "Friend not found"
      redirect_to root_url
    end
  end

Notice I have the .where query commented out. This is because I just couldn't get it to find a @friend. I asked a friend of mine who is a rails expert and he said that using .find in this case is ok, because we only care about returning one object. However, if you wanted to make a list where people can check off boxes to add multiple people, you would have to use .where..

Let me know if that works!

Hi Kelly,

Thanks for the response, but I think you may be a littler further along that I am with the Treebook project. I did try using @friend = User.find(params[:user_friendship][:friend_id]) , but it's still not working. I also don't see how you are passing in your strong parameters. ???

Yeah, its a bit tough for me to understand as well. And yeah, I guess I am a few steps ahead. I will try and step back a bit. I'll see if I can explain it better. In the view (user_friendships/new.html.erb), here is what I have:

<%= form_for @user_friendship, method: :post do |form| %>
    <div class = "form form-action">
      <%= form.hidden_field(:friend_id, :value => @friend.id) %>
      <%= submit_tag "Yes, Add Friend", class: "btn btn-primary" %>
      <%= link_to "Cancel", profile_path(@friend), class: 'btn btn-default' %>
   </div>
<% end %>

This passes the friend_id as the object id of the new @friend object. I am not sure this is the best way to do this, but it worked for me.

Then in the user_friendships controller:

def create
    if params[:user_friendship] && params[:user_friendship].has_key?(:friend_id)
      @friend = User.find(params[:user_friendship][:friend_id])
      @user_friendship = current_user.user_friendships.new(friend: @friend)
      @user_friendship.save
      flash[:success] = "You are now friends with #{@friend.first_name}"
      redirect_to profile_path(@friend)
    else
      flash[:error] = "Friend not found"
      redirect_to root_url
    end
  end

This line:

@friend = User.find(params[:user_friendship][:friend_id])

is making the @friend instance variable, from the friend_id passed in from the form. The @user_friendship needs a user_id and a friend_id. So, the user_id is that of the current_user, and the friend_id is the one that gets passed from the form, in the hidden_field.

Hi Kelly,

Thanks so much for the detailed follow up! I appreciate the thoroughness. It clarified some things.

Overall, I am following what you're saying, I understand that the @user_friendship needs a user_id and a friend_id, the later passed in from the hidden field. The problem I'm running into is that switching from using attr_accessible to strong_parameters is a little murky i.e. not just a matter of moving everything from the model to the controller and deciding to .permit all. Or so I'm discovering. . .

I ran into a similar problem with Devise early on, and had to implement a work around by adding a user parameter sanitizer to the lib, and calling it from the application_controller whenever the User class was instantiated. Granted, Devise has its own way of handling parameters that I won't pretend to understand.

But the point is, I am still learning ALL of this, so I'm never sure when these workarounds are gonna blow up and/or are interfering with cleaner solutions that I am using incorrectly b/c I'm still learning all of this and trashed up my project with the workarounds. I may just revert to the version of Rails used in the tutorial to get through this project without anymore headaches (as teachable as they may be).

But before I go, for fun, here is the current state of what happens when I try to create a user friendship (seems to still be passing a string-of-nonsense for value and returns "Friend not found"):

View source:

<form accept-charset="UTF-8" action="/user_friendships" 
class="new_user_friendship" id="new_user_friendship" method="post">
<div style="margin:0;padding:0;display:inline">
<input name="utf8" type="hidden" value="&#x2713;" />
<input name="authenticity_token" type="hidden" value="wkLF5Zs7ALO2gaNrXC1bCBWIurbLkjd6gFWhvPnvPhI=" />
</div>

Terminal:

Started POST "/user_friendships" for 127.0.0.1 at 2014-04-03 13:30:15 -0700 Processing by UserFriendshipsController#create as HTML Parameters: {"utf8"=>"?", "authenticity_token"=>"wkLF5Zs7ALO2gaNrXC1bCBWIurbLkjd6gFWhvPnvPhI=", "commit"=>"Yes, Add Friend"} (0.1ms) begin transaction SQL (0.5ms) INSERT INTO "user_friendships" ("created_at", "state", "updated_at") VALUES (?, ?, ?) [["created_at", Thu, 03 Apr 2014 20:30:15 UTC +00:00], ["state", "pending"], ["updated_at", Thu, 03 Apr 2014 20:30:15 UTC +00:00]] (1.1ms) commit transaction Redirected to http://localhost:3000/ Completed 302 Found in 5ms (ActiveRecord: 1.6ms)

You may want to look at the Rails 4 videos for ODOT (the ToDo app). Jason just released some videos about user authentication (without devise). Might be some helpful info there.

Thanks, Brandon! I'll take a look at that soon.

I found this answer in another thread, and it worked for me. In the application_controller.rb :

   def profiles_params
      params.require(user).permit(:user_id, :friend_id, :users, :friend, :state, :first_name, :last_name, :user_friendship,       :full_name, :album, :albums_thumbnail, :title)
  end

Though, I doubt you still need this help :)

I feel you! This is the first track where I've wondered if I might get completely stuck. So far, so good. Can I ask where you are learning Python? I saw yesterday that treehouse has hired a Python teacher.

Hi Joy,

I actually just jumped into using the Beautiful Soup library: http://www.crummy.com/software/BeautifulSoup/bs4/doc/

Referencing Learn Python the Hard Way when I get stuck: http://learnpythonthehardway.org/book/

(I'm so addicted to web scraping now! :) )

Another site that's been really helpful for putting all this new knowledge to the test is Coderbyte.com. They have challenges, which you can complete in any language (JS, Python, Ruby). Highly recommend: http://www.coderbyte.com/

I just discovered Pluralsight.com recently. They have tons video tutorials, covering beginner, intermediate, and advanced topics in just about everything. I haven't tried any of their Python courses yet, but started one on Backbone.js, which is very thorough. If you like the video tutorial format of Treehouse or Lynda.com, and want to move on to more specific or advanced topics, this is a nice option: http://pluralsight.com/training/Courses/TableOfContents/python-fundamentals

There's also Codecadmy: http://www.codecademy.com/tracks/python

Can I ask what you're aspiring to do with all this new knowledge? I noticed you've been blazing through these courses, of which we seem to have chosen similar tracks. I'm curious as to what your mission is.

Wow! Thanks for all these references. This is amazing.

I come from an embedded programming background. I've been working in the networking industry for 15years. In a dream world, I'd love to make the switch to web development. I've fallen in love with coding again, and I desperately needed the creative aspect. I've been pushing IP packets around for too long :)

For now, I'm just trying to absorb as much as possible, and then decide what I love working with the most. It's a bit like being hit with a firehose at the moment. I am trying to take the time to play around and get better at each thing.

Python is next on my list. My son keeps telling me it's where I need to be, and I do see a lot of job listings with python. I feel like I have a ways to go before I would consider myself marketable. It's not easy to consider a switch at this point in my career.

How about you? Do you have a plan in mind?