mirrors
/
rails
mirror of https://github.com/rails/rails
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Getting Started Guide: strong_parameters 

Stuff didn't work because of strong_parameters. Now the right calls are
in place.
This commit is contained in:
Steve Klabnik 2013-01-21 23:42:06 -05:00
parent a1748f310e
commit aadd16f913
2 changed files with 33 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
guides/assets/images/getting_started/forbidden_attributes_for_new_post.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

41
guides/source/getting_started.md
View File

@ -583,9 +583,31 @@ content:
</p>
```
Finally, if you now go to
<http://localhost:3000/posts/new> you'll
be able to create a post. Try it!
If you now go to
<http://localhost:3000/posts/new> you'll *almost* be able to create a post. Try
it! You should get an error that looks like this:
![Forbidden attributes for new post](images/getting_started/forbidden_attributes_for_new_post.png)
Rails has several security features that help you write secure applications,
and you're running into one of them now. This one is called
'strong_parameters,' which requires us to tell Rails exactly which parameters
we want to accept in our controllers. In this case, we want to allow the
'title' and 'text' parameters, so change your `create` controller action to
look like this:
```
def create
@post = Post.new(params[:post].permit(:title, :text))
@post.save
redirect_to action: :show, id: @post.id
end
```
See the `permit`? It allows us to accept both `title` and `text` in this
action. With this change, you should finally be able to create new `Post`s.
Visit <http://localhost:3000/posts/new> and give it a try!
![Show action for posts](images/getting_started/show_action_for_posts.png)
@ -729,7 +751,7 @@ def new
end
def create
@post = Post.new(params[:post])
@post = Post.new(params[:post].permit(:title, :text))
if @post.save
redirect_to action: :show, id: @post.id
@ -864,8 +886,8 @@ method: :patch do |f| %>
This time we point the form to the `update` action, which is not defined yet
but will be very soon.
The `method: :patch` option tells Rails that we want this form to be
submitted via the `PUT` HTTP method which is the HTTP method you're expected to use to
The `method: :patch` option tells Rails that we want this form to be submitted
via the `PATCH` HTTP method which is the HTTP method you're expected to use to
**update** resources according to the REST protocol.
TIP: By default forms built with the _form_for_ helper are sent via `POST`.
@ -883,7 +905,7 @@ And then create the `update` action in `app/controllers/posts_controller.rb`:
def update
@post = Post.find(params[:id])
if @post.update(params[:post])
if @post.update(params[:post].permit(:title, :text))
redirect_to action: :show, id: @post.id
else
render 'edit'
@ -1388,7 +1410,7 @@ Let's wire up the `create` in `app/controllers/comments_controller.rb`:
class CommentsController < ApplicationController
def create
@post = Post.find(params[:post_id])
@comment = @post.comments.create(params[:comment])
@comment = @post.comments.create(params[:comment].permit(:commenter, :body))
redirect_to post_path(@post)
end
end
@ -1559,6 +1581,9 @@ Then you make the `app/views/posts/show.html.erb` look like the following:
<%= @post.text %>
</p>
<h2>Comments</h2>
<%= render @post.comments %>
<h2>Add a comment:</h2>
<%= render "comments/form" %>