1 00:00:00,470 --> 00:00:03,580 So when we fill out our new body field in the post form and 2 00:00:03,580 --> 00:00:06,270 submit it, the body doesn't get saved. 3 00:00:06,270 --> 00:00:08,950 If we look at our log, we'll see a clue as to the problem. 4 00:00:09,950 --> 00:00:13,759 Here's the request where we submitted the form, and 5 00:00:13,759 --> 00:00:17,322 in the middle we see "unpermitted parameter: body". 6 00:00:17,322 --> 00:00:20,976 When you click the button to submit the HTML form, 7 00:00:20,976 --> 00:00:24,980 your browser sends an HTTP POST request to the server. 8 00:00:24,980 --> 00:00:30,097 Remember how we covered the HTTP GET request earlier, which is used 9 00:00:30,097 --> 00:00:35,593 to get web pages? An HTTP POST request is used to post data to the server. 10 00:00:35,593 --> 00:00:39,212 Think of it as leaving the data there for others to find later. 11 00:00:39,212 --> 00:00:44,800 By the way, be careful not to confuse the term POST request with our Post model. 12 00:00:44,800 --> 00:00:48,790 The fields in your form are treated as parameters in the POST request. 13 00:00:48,790 --> 00:00:50,520 You can see a list of them in the Rails log. 14 00:00:50,520 --> 00:00:56,700 You'll see one for the title field, and another for the body field. 15 00:00:56,700 --> 00:01:02,030 But there's that message right below the parameters: "unpermitted parameter: body". 16 00:01:02,030 --> 00:01:04,810 It looks like Rails rejected the body field, but why? 17 00:01:06,105 --> 00:01:09,850 Suppose we have a User model representing a user of our site. 18 00:01:09,850 --> 00:01:13,240 We want most of our users to be treated as regular users. 19 00:01:13,240 --> 00:01:16,470 All they can do is create and edit their own posts, but 20 00:01:16,470 --> 00:01:19,270 some users should be treated as administrators. 21 00:01:19,270 --> 00:01:21,090 They help run the entire site.
22 00:01:21,090 --> 00:01:26,200 An administrator can edit other people's posts, and maybe even delete other users. 23 00:01:26,200 --> 00:01:29,610 The User model has an attribute called is_admin. 24 00:01:29,610 --> 00:01:34,510 Any user for which is_admin is set to true is treated like an admin. 25 00:01:34,510 --> 00:01:38,470 Now you don't want just anybody to be able to set themselves up as an admin. 26 00:01:38,470 --> 00:01:42,070 So you remove the "user is an administrator" checkbox from the form for 27 00:01:42,070 --> 00:01:45,600 creating a user, so that users can't make themselves admins. 28 00:01:45,600 --> 00:01:48,810 You'll set admins up via the Rails console instead. 29 00:01:48,810 --> 00:01:51,130 But in the bad old days of web development, 30 00:01:51,130 --> 00:01:55,400 malicious users could just add their own parameters to requests. 31 00:01:55,400 --> 00:01:58,780 They could add an is_admin field and set it to true. 32 00:01:58,780 --> 00:02:02,890 The server would simply accept the parameter and update the database record. 33 00:02:02,890 --> 00:02:07,409 Suddenly their user would be treated as an admin and could cause all sorts of havoc. 34 00:02:07,409 --> 00:02:11,140 That's why Rails has a feature called strong parameters. 35 00:02:11,140 --> 00:02:15,870 In every controller, you specify a list of parameters that controller will accept. 36 00:02:15,870 --> 00:02:19,540 In our hypothetical scenario, name would be a permitted parameter for 37 00:02:19,540 --> 00:02:22,610 the users controller, but is_admin would not. 38 00:02:22,610 --> 00:02:26,030 If someone tried to add an is_admin parameter to a POST request, 39 00:02:26,030 --> 00:02:30,107 it would get rejected, and everyone could breathe a sigh of relief. 40 00:02:30,107 --> 00:02:32,629 So the problem here is that for our posts controller, 41 00:02:32,629 --> 00:02:35,170 body isn't a permitted parameter.
42 00:02:35,170 --> 00:02:38,620 Rails was mistakenly trying to protect us from the body parameter 43 00:02:38,620 --> 00:02:40,360 as if it were malicious. 44 00:02:40,360 --> 00:02:43,230 We need to add body to the list of permitted parameters, so 45 00:02:43,230 --> 00:02:44,150 that it can get through. 46 00:02:45,200 --> 00:02:48,740 We can see here in the log that the POST request is being processed 47 00:02:48,740 --> 00:02:51,140 by the create method of the posts controller. 48 00:02:52,340 --> 00:02:58,530 Let's open that file at app/controllers/posts_controller.rb. 49 00:02:58,530 --> 00:03:01,650 If we scroll down and look at the create method, 50 00:03:01,650 --> 00:03:05,360 we can see that it's calling another method named post_params, and 51 00:03:05,360 --> 00:03:08,430 using the return value to create a new Post object. 52 00:03:09,490 --> 00:03:13,040 The post_params method is defined down here at the bottom of the controller. 53 00:03:14,800 --> 00:03:18,250 Here at the end of the method you can see the list of permitted parameters. 54 00:03:18,250 --> 00:03:21,460 There's only one right now, the title parameter. 55 00:03:21,460 --> 00:03:25,360 So, we'll add another one for the body parameter. 56 00:03:25,360 --> 00:03:26,160 Let's save our work. 57 00:03:27,670 --> 00:03:33,008 And now if we fill out the form to create a new post, 58 00:03:33,008 --> 00:03:37,215 you'll see that the body is accepted. 59 00:03:37,215 --> 00:03:40,567 The same is true for updating an existing post. 60 00:03:40,567 --> 00:03:47,810 If we provide a body and submit the form, you'll see that it gets updated. 61 00:03:47,810 --> 00:03:48,990 We've got everything working.
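Added example, following the whole transcript above and not part of the video or of Rails itself: a small pure-Ruby model of what `params.require(:post).permit(:title, :body)` does in a Rails controller, so the "unpermitted parameter" behaviour the video describes can be run offline without a Rails app. The `require_param`, `permit_params`, `unpermitted_log_line` helpers, the `PermitResult` struct and both sample request hashes are constructed for this illustration; the error class and the exact log wording are approximations of what Rails does, not its real implementation. It covers both the posts controller bug and fix (`post_params_before` versus `post_params_after`) and the hypothetical users controller where a forged `is_admin` is dropped.

```ruby
# Added example, not code from the video or from Rails: a pure-Ruby stand-in
# for ActionController::Parameters#require and #permit, so the "unpermitted
# parameter" behaviour can be run and inspected offline.
# The Rails controller code this mirrors is:
#   params.require(:post).permit(:title, :body)
# Only flat (scalar) permits are modelled; nested and array permits are not.

# Result of a permit: the kept key/value pairs and the names that were dropped.
PermitResult = Struct.new(:permitted, :unpermitted)

# Mirrors params.require(key): returns the scoped sub-hash or raises when it is
# missing or empty. Rails raises ActionController::ParameterMissing; a plain
# ArgumentError stands in for it here.
def require_param(params, key)
  scoped = params[key.to_s]
  if scoped.nil? || (scoped.respond_to?(:empty?) && scoped.empty?)
    raise ArgumentError, "param is missing or the value is empty: #{key}"
  end
  scoped
end

# Mirrors params.permit(*keys): keep only the whitelisted keys, report the rest.
# Anything the client added on its own (for example a forged is_admin) lands in
# `unpermitted` and never reaches the model.
def permit_params(scoped, *allowed)
  names = allowed.map(&:to_s)
  kept = scoped.select { |k, _| names.include?(k) }
  PermitResult.new(kept, scoped.keys - names)
end

# Approximation of the development-log line Rails prints for dropped keys
# (the exact wording varies between Rails versions; treat this as illustrative).
def unpermitted_log_line(result)
  return nil if result.unpermitted.empty?
  "Unpermitted parameter#{'s' if result.unpermitted.size > 1}: " +
    result.unpermitted.map { |k| ":#{k}" }.join(", ")
end

# --- The video's bug and fix, as two versions of post_params -----------------

# Before the fix: only :title is permitted, so a submitted body is dropped.
def post_params_before(params)
  permit_params(require_param(params, :post), :title)
end

# After the fix: :body is added to the permitted list.
def post_params_after(params)
  permit_params(require_param(params, :post), :title, :body)
end

# --- The hypothetical users controller from the video ------------------------

# name is permitted; is_admin deliberately is not.
def user_params(params)
  permit_params(require_param(params, :user), :name)
end

# Constructed sample requests, shaped like the params hash a controller sees
# after the form body is parsed (string keys, string values).
POST_FORM_REQUEST = {
  "authenticity_token" => "constructed-token",
  "post" => { "title" => "Hello", "body" => "First body text" },
  "commit" => "Create Post",
}.freeze

# A sign-up request that a malicious user has tampered with to add is_admin=true.
FORGED_USER_REQUEST = {
  "user" => { "name" => "mallory", "is_admin" => "true" },
  "commit" => "Sign up",
}.freeze

if __FILE__ == $PROGRAM_NAME
  before = post_params_before(POST_FORM_REQUEST)
  puts "before fix: #{before.permitted}  #{unpermitted_log_line(before)}"
  after = post_params_after(POST_FORM_REQUEST)
  puts "after fix:  #{after.permitted}"
  forged = user_params(FORGED_USER_REQUEST)
  puts "sign-up:    #{forged.permitted}  #{unpermitted_log_line(forged)}"
end
```

Running the file shows the three cases side by side: before the fix the body is silently dropped and only the log line reveals it; after the fix both fields reach the model; and the forged `is_admin` is discarded regardless, which is the whole point of keeping the permitted list as short as the form actually needs. Note that Rails only logs unpermitted keys by default; if you want them to fail loudly instead, set `config.action_controller.action_on_unpermitted_parameters = :raise` in the development and test environments.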