mention strong parameters in complex forms section of the guides.

Closes #9921.
Mar 27, 2013
25 additions and 1 deletion.
  1. +25 −1 guides/source/
@@ -906,7 +906,21 @@ If the associated object is already saved, `fields_for` autogenerates a hidden i
### The Controller
-You do not need to write any specific controller code to use nested attributes. Create and update records as you would with a simple form.
+As usual you need to
+[whitelist the parameters](action_controller_overview.html#strong-parameters) in
+the controller before you pass them to the model:
+def create
+ @person =
+ # ...
+def person_params
+ params.require(:person).permit(:name, addresses_attributes: [:id, :kind, :street])
### Removing Objects
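Review bot: the new paragraph above `def person_params` tells the reader to whitelist but does not explain why `:id` appears in the `addresses_attributes` list or what happens when the nested key is left out. Suggest adding one sentence saying that `:id` is what lets an already saved address be updated instead of being treated as a new record, and that keys not listed in `permit` are dropped before they reach the model, so a missing `addresses_attributes` entry shows up as addresses that silently fail to save rather than as an error.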
@@ -937,6 +951,16 @@ If the hash of attributes for an object contains the key `_destroy` with a value
<% end %>
+Don't forget to update the whitelisted params in your controller to also include
+the `_destroy` field:
+def person_params
+ params.require(:person).
+ permit(:name, addresses_attributes: [:id, :kind, :street, :_destroy])
### Preventing Empty Records
It is often useful to ignore sets of fields that the user has not filled in. You can control this by passing a `:reject_if` proc to `accepts_nested_attributes_for`. This proc will be called with each hash of attributes submitted by the form. If the proc returns `false` then Active Record will not build an associated object for that hash. The example below only tries to build an address if the `kind` attribute is set.
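Review bot: the sentence "Don't forget to update the whitelisted params" should say that permitting `:_destroy` is a deliberate choice, not a default, because once it is in the list any client that can submit this form can mark a nested address for removal. Suggest stating that the field belongs in `permit` only for forms that offer removal, and that this `person_params` replaces the one in the Controller section rather than sitting beside it. As a style point, this definition breaks the chain after `params.require(:person).` while the earlier one keeps the call on a single line; pick one layout for both.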

