Updating Strong Parameters (3:50) with Jay McGavren
Rails is mistakenly trying to "protect" you from malicious parameters. We need to fix that.
So when we fill out our new body field in the post form and submit it, the body doesn't get saved. If we look at our log we'll see a clue as to the problem. Here's the request where we submitted the form, and in the middle we see "unpermitted parameter body".

When you click the button to submit the HTML form, your browser sends an HTTP POST request to the server. Remember how we covered the HTTP GET request earlier, which is used to get web pages? An HTTP POST request is used to post data on the server. Think of it as leaving the data there for others to find later. By the way, be careful not to confuse the term POST request with our Post model. The fields in your form are treated as parameters in the POST request. You can see a list of them in the Rails log. You'll see one for the title field, and another for the body field. But there's that message right below the parameters: "unpermitted parameter body". It looks like Rails rejected the body field, but why?

Suppose we have a User model representing a user of our site. We want most of our users to be treated as regular users. All they can do is create and edit their own posts, but some users should be treated as administrators. They help run the entire site. An administrator can edit other people's posts, and maybe even delete other users. The User model has an attribute called is_admin. Any user for which is_admin is set to true is treated like an admin. Now you don't want just anybody to be able to set themselves up as an admin. So you remove the "user is an administrator" checkbox from the form for creating a user, so that users can't make themselves admins. You'll set admins up via the Rails console instead. But in the bad old days of web development, malicious users could just add their own parameters to requests. They could add an is_admin field and set it to true. The server would simply accept the parameter and update the database record. Suddenly their user would be treated as an admin and could cause all sorts of havoc.

That's why Rails has a feature called strong parameters. In every controller, you specify a list of parameters that controller will accept. In our hypothetical scenario, name would be a permitted parameter for the users controller, but is_admin would not. If someone tried to add an is_admin parameter to a POST request, it would get rejected, and everyone could breathe a sigh of relief.

So the problem here is that for the posts controller, body isn't a permitted parameter. Rails was mistakenly trying to protect us from the body parameter as if it was malicious. We need to add body to the list of permitted parameters so that it can get through. We can see here in the log that the POST request is being processed by the create method of the posts controller. Let's open that file at app/controllers/posts_controller.rb. If we scroll down and look at the create method, we can see that it's calling another method named post_params, and using the return value to create a new Post object. The post_params method is defined down here at the bottom of the controller. Here at the end of the method you can see the list of permitted parameters. There's only one right now, the title parameter. So we'll add another one for the body parameter. Let's save our work. And now if we fill out the form to create a new post, you'll see that the body is accepted. The same is true for updating an existing post. If we provide a body and submit the form, you'll see that it gets updated. We've got everything working.
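A runnable sketch of the behaviour the video describes, added here as an example (it is not Treehouse course code). It assumes a tiny stand-in for Rails' ActionController::Parameters instead of loading Rails, and constructs the forged is_admin request and the post form request as sample input.

```ruby
# Minimal stand-in for ActionController::Parameters (assumption: it mimics only
# require/permit on flat, scalar params; the real class lives in actionpack).
class Params
  def initialize(hash, log)
    @hash = hash.to_h.transform_keys(&:to_s)
    @log  = log   # collects the "Unpermitted parameter" lines Rails would log
  end

  # Like Rails' require: the wrapping key must be present and non-empty.
  def require(key)
    value = @hash[key.to_s]
    raise KeyError, "param is missing or the value is empty: #{key}" if value.nil? || value == {}
    Params.new(value, @log)
  end

  # Like Rails' permit: keep only the allowed keys, log every other key.
  def permit(*keys)
    allowed  = keys.map(&:to_s)
    rejected = @hash.keys - allowed
    @log << "Unpermitted parameter: #{rejected.join(', ')}" unless rejected.empty?
    @hash.slice(*allowed)
  end
end

# Constructed sample: a regular user appends is_admin to the sign-up form's POST body.
FORGED_SIGNUP = { "user" => { "name" => "mallory", "is_admin" => true } }

# Pre-strong-parameters behaviour: every submitted field is mass-assigned as-is.
def user_attrs_unfiltered(request)
  request["user"]
end

# Users controller with strong parameters: name is permitted, is_admin is not.
def user_params(request, log = [])
  Params.new(request, log).require(:user).permit(:name)
end

# The posts controller's post_params before the fix (title only) and after it.
def post_params_before(request, log = [])
  Params.new(request, log).require(:post).permit(:title)
end

def post_params_after(request, log = [])
  Params.new(request, log).require(:post).permit(:title, :body)
end

if __FILE__ == $PROGRAM_NAME
  log = []
  p user_attrs_unfiltered(FORGED_SIGNUP)  # {"name"=>"mallory", "is_admin"=>true}
  p user_params(FORGED_SIGNUP, log)       # {"name"=>"mallory"}
  p post_params_before({ "post" => { "title" => "Hi", "body" => "text" } }, log)
  puts log                                # Unpermitted parameter: is_admin, then: body
end
```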