
Merge pull request #99 from bemurphy/outside_controller_doc

Add doc section about use outside of controllers.
2 parents 1fddb10 + de58602 commit f3e2a279b54e3eedcf4dbe2536110ec5a18c3875 @fxn fxn committed Feb 17, 2013
Showing with 14 additions and 0 deletions.
  1. +14 −0 README.rdoc
@@ -59,6 +59,20 @@ By default parameter keys that are not explicitly permitted will be logged in th
Additionally, this behaviour can be changed by changing the +config.action_controller.action_on_unpermitted_parameters+ property in your environment files. If set to +:log+ the unpermitted attributes will be logged, if set to +:raise+ an exception will be raised.
+== Use Outside of Controllers
+
+While Strong Parameters will enforce permitted and required values in your application controllers, keep in mind
+that you will need to sanitize untrusted data used for mass assignment when in use outside of controllers.
+
+For example, if you retrieve JSON data from a third party API call and pass the unchecked parsed result on to
++Model.create+, undesired mass assignments could take place. You can alleviate this risk by slicing the hash data,
+or wrapping the data in a new instance of +ActionController::Parameters+ and declaring permissions the same as
+you would in a controller. For example:
+
+ raw_parameters = { :email => "john@example.com", :name => "John", :admin => true }
+ parameters = ActionController::Parameters.new(raw_parameters)
+ user = User.create(parameters.permit(:name, :email))
+
== Installation
In Gemfile:

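Review bot: the example closing the new section uses symbol keys (:email, :name, :admin), but the scenario it introduces is JSON parsed from a third-party API, which yields string-keyed hashes; the "slicing the hash data" alternative the text offers would therefore silently return an empty hash if a reader calls `Hash#slice(:name, :email)` on such data. The `ActionController::Parameters.new(raw_parameters).permit(:name, :email)` route is unaffected because Parameters treats string and symbol keys alike, so the doc should either use string keys in the example (`"email" => "john@example.com"`) to match the JSON case, or add a sentence that a plain slice must use the key type the parsed data actually has. Minor: the prose refers to +Model.create+ while the example calls `User.create`; using +User.create+ in both places reads more consistently.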