Recently, I ran into issues trying to pass a new variable into my params hash after integrating Devise into my app, so I decided to do a refresher of strong params. Strong params was implemented in Rails so that users could not maliciously manipulate form submissions via form fields.
Strong parameters was implemented in Rails 3 via
whitelisting, which is the act of permitting specific attributes that can be passed into the params hash via the model. In Rails 4, the responsibility of
whitelisting has now been passed to the controller.
Typically, we have a private method inside of the controller that delegates the
whitelisting that should take place.
1 2 3 4 5
require statement inside the
resource_params method performs the parameter validation for the user parameter. If the user parameter exists, then it will go on and validate each of the attributes. If the user parameter does not exist, then it will throw an
ActionController::ParameterMissing error and return a 400 status code response.
permit method will strip out any attributes that do not belong inside of the params. For example, if we tried to include a
:admin attribute inside of the
permit method, it will not be passed into the params.