diff --git a/guides/source/getting_started.md b/guides/source/getting_started.md index e0536582e1e2..a033137ee62a 100644 --- a/guides/source/getting_started.md +++ b/guides/source/getting_started.md @@ -531,29 +531,20 @@ and change the `create` action to look like this: ```ruby def create - @post = Post.new(post_params) + @post = Post.new(params[:post]) @post.save redirect_to @post end - -private - def post_params - params.require(:post).permit(:title, :text) - end ``` Here's what's going on: every Rails model can be initialized with its respective attributes, which are automatically mapped to the respective database columns. In the first line we do just that (remember that -`post_params` contains the attributes we're interested in). Then, +`params[:post]` contains the attributes we're interested in). Then, `@post.save` is responsible for saving the model in the database. Finally, we redirect the user to the `show` action, which we'll define later. -TIP: Note that `def post_params` is private. This new approach prevents an -attacker from setting the model's attributes by manipulating the hash passed -to the model. For more information, refer to [this blog post about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/). - TIP: As we'll see later, `@post.save` returns a boolean indicating whether the model was saved or not. @@ -627,6 +618,10 @@ Visit and give it a try! ![Show action for posts](images/getting_started/show_action_for_posts.png) +TIP: Note that `def post_params` is private. This new approach prevents an +attacker from setting the model's attributes by manipulating the hash passed +to the model. For more information, refer to [this blog post about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/). + ### Listing all posts We still need a way to list all our posts, so let's do that.
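Review bot: in the first hunk, replacing `@post = Post.new(post_params)` with `@post = Post.new(params[:post])` and deleting the `private` `post_params` method (`params.require(:post).permit(:title, :text)`) turns the `create` action into unfiltered mass assignment: the controller now hands the model whatever hash the client posts, so a request can set any column on `Post`, and on a Rails version with strong parameters enabled the unpermitted `params[:post]` raises `ActiveModel::ForbiddenAttributesError` at `Post.new`, so the example as written does not save. If the intent is to let the reader hit that error and introduce `post_params` afterwards, the surrounding prose should say so, and the sentence "remember that `params[:post]` contains the attributes we're interested in" should not claim the raw hash is already the attributes we want; that was only true of the whitelisted hash this hunk removes. Otherwise keep `post_params` here and leave the TIP next to its definition.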
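Review bot: the TIP added in the second hunk, "Note that `def post_params` is private. This new approach prevents an attacker from setting the model's attributes by manipulating the hash passed to the model.", now sits after the show-action screenshot where nothing in this patch has defined `post_params` (the first hunk removed the only definition) and "this new approach" has no antecedent, so the reader is told that an undefined method is private. Either anchor the TIP directly after the code that reintroduces `private` and `def post_params`, or reword it to stand on its own, e.g. "TIP: `post_params` is declared under `private` so it cannot be routed to as an action, and `params.require(:post).permit(:title, :text)` is what stops an attacker from setting arbitrary attributes through the posted hash." While touching the line, the strong-parameters link could use https.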