Reword 5.6 strong parameters and private method stuff [ci skip]

1 parent bae7f1d commit 024e5e3104ecfaa3856b500dbe1547be8cb7e9f1 @afshinator afshinator committed Mar 15, 2014
Showing with 28 additions and 11 deletions.
  1. +28 −11 guides/source/
@@ -749,10 +749,33 @@ article. Try it! You should get an error that looks like this:
Rails has several security features that help you write secure applications,
and you're running into one of them now. This one is called
-`strong_parameters`, which requires us to tell Rails exactly which parameters
-we want to accept in our controllers. In this case, we want to allow the
-`title` and `text` parameters, so add the new `article_params` method, and
-change your `create` controller action to use it, like this:
+which requires us to tell Rails exactly which parameters are allowed into
+our controller actions.
+Why do you have to bother? The ability to grab and automatically assign
+all controller parameters to your model in one shot makes the programmer's
+job easier, but this convenience also allows malicious use. What if a
+request to the server was crafted to look like a new article form submit
+but also included extra fields with values that violated your applications
+integrity? They would be 'mass assigned' into your model and then into the
+database along with the good stuff - potentially breaking your application
+or worse.
+We have to whitelist our controller parameters to prevent wrongful
+mass assignment. In this case, we want to both allow and require the
+`title` and `text` parameters for valid use of `create`. The syntax for
+this introduces `require` and `permit`. The change will involve one line:
+ @article =, :text))
+This is often factored out into its own method so it can be reused by
+multiple actions in the same controller, for example `create` and `update`.
+Above and beyond mass assignment issues, the method is often made
+`private` to make sure it can't be called outside its intended context.
+Here is the result:
def create
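Review bot: the new prose conflates `require` with `permit`. The sentence "we want to both allow and require the `title` and `text` parameters" reads as if `permit` makes those two attributes mandatory, but `require` applies to the top-level key that wraps the submitted form fields, while `permit(:title, :text)` only whitelists those two attributes for mass assignment; a request that omits `title` still passes strong parameters and is rejected only by model validations. Suggest rewording to "require the wrapping key and permit only `title` and `text`". Two more points in the same hunk: the line `@article =, :text))` is incomplete as written, so the full `params.require(...).permit(:title, :text)` call needs to be spelled out; and the reason given for making the method `private` ("can't be called outside its intended context") is worth stating precisely, since any public method on a Rails controller is reachable as an action, and `private` is what keeps `article_params` from being invoked that way. Minor: "your applications integrity" should be "your application's integrity", and with the `-`strong_parameters`` line dropped the text now reads "This one is called which requires", so the name of the feature needs to be restored in the replacement.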
@@ -768,13 +791,7 @@ private
-See the `permit`? It allows us to accept both `title` and `text` in this
-TIP: Note that `def article_params` is private. This new approach prevents an
-attacker from setting the model's attributes by manipulating the hash passed to
-the model.
-For more information, refer to
+TIP: For more information, refer to the reference above and
[this blog article about Strong Parameters](
### Showing Articles
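Review bot: "refer to the reference above" is an unclear pointer now that the explanatory TIP has been removed; name the reference explicitly (the guide section on strong parameters that the text means) so a reader does not have to hunt for it. The markdown link on the following line ends at `(` with no URL visible, so check that the link target is intact in the rendered guide. Dropping the TIP that explained why `def article_params` is private is acceptable only if the paragraph that replaces it still carries that rationale; otherwise the reader loses the one sentence that tied `private` to preventing an attacker from reaching the method.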
