
I haven't switched to Rails 4 yet & have been looking into strong_params. I'm liking what I'm seeing & would like to use it on 1 model only. Seems simple, but I'm supposed to comment out 'config.active_record.whitelist_attributes = true' in my config > application.rb file.

How do I safely (security wise) use strong_params in certain models only?

goo
  • sure, why shouldn't it be possible? – phoet Jul 22 '13 at 22:59
  • Could you explain how? I figured I had to do some other things since I'm commenting out the whitelist_attribute.. I'm still new to ROR @phoet – goo Jul 23 '13 at 01:19

1 Answer


I suggest this approach: you leave strong params enabled by default, and you disable it specifically for the controllers that don't need it. (Yes, strong params are in controllers now with Rails 4, not in models anymore.)

To disable it for a specific controller you can use `params.require(:model_name).permit!`

That will allow any params for that specific controller.

Example

class UnsafeController < ApplicationController

  ...

  def update
    ...
    # permit! hands back every submitted attribute, so this is plain
    # mass assignment with no whitelist for this controller
    @unsafe.update unsafe_params
    ...
  end

  private

    # Marks every key under params[:unsafe] as permitted (no filtering)
    def unsafe_params
      params.require(:unsafe).permit!
    end

end
Benjamin Bouchet
  • And what about **config.active_record.whitelist_attributes = true** @Benjamin – goo Jul 23 '13 at 07:58
  • As I mentioned "leave strong params enabled by default". Meaning you remove the `whitelist_attributes` option from your `config/application.rb` file and any `mass_assignment_sanitizer` options – Benjamin Bouchet Jul 23 '13 at 08:37
  • ok, sorry if I'm misunderstanding or missing something that's possibly clearly obvious, but to get this straight, "config.active_record.whitelist_attributes = true" only comes into play anyway if I don't have attr_accessible in my model. So this is the point you're trying to make, correct? @Benjamin – goo Jul 23 '13 at 13:35
  • whitelist_attributes is set by rails to 'false' by default, and that's what you want. So you need to remove it from your application.rb file, and that will enable strong parameters automatically – Benjamin Bouchet Jul 23 '13 at 13:45
  • Whitelist_attributes is application wide = you can't set it true at one place and false at another (except if you expect only one user at a time). The technique I gave you allows you to use strong params everywhere, and disable it (understand: allow any param) in the controller(s) of your choice. If you need a flexible solution, that is the only way. Also take note: strong params is related to the controller (or to the action if you fine grain it), not to the model. – Benjamin Bouchet Jul 23 '13 at 14:36
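To make concrete what the answer's `permit!` does compared with an explicit `permit(...)` whitelist, here is an added example that is not part of the original thread and is not Rails' own code. It is a small plain-Ruby stand-in for `ActionController::Parameters` (the `Params` class, the `Account` model and the `TAMPERED_REQUEST` body are all constructed for this example) that reproduces the three behaviours a practitioner relies on: `require` raises when the key is missing, `permit` silently drops keys you did not list, and passing an unpermitted parameters object to mass assignment raises instead of assigning. The request body simulates a user who edited the form to add `admin=true`.

```ruby
# Minimal stand-in for ActionController::Parameters, written for this example
# (not Rails' implementation) to show what require / permit / permit! do.
class Params
  class ParameterMissing < StandardError; end
  class ForbiddenAttributes < StandardError; end

  attr_reader :permitted
  alias permitted? permitted

  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  # Like params.require(:unsafe): the key must be present and non-empty,
  # otherwise Rails answers 400 Bad Request via ActionController::ParameterMissing.
  def require(key)
    value = @hash[key.to_s]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    Params.new(value)
  end

  # Like permit(:name, :email): keep only the listed scalar keys; anything
  # else the client sent (e.g. "admin") is dropped before it reaches the model.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@hash.select { |k, _| allowed.include?(k) }, permitted: true)
  end

  # Like permit!: mark *everything* as permitted, including keys you never
  # listed. This is the "disable strong params for this controller" route.
  def permit!
    Params.new(@hash, permitted: true)
  end

  # Mass assignment only accepts permitted parameters; Rails raises
  # ActiveModel::ForbiddenAttributesError in the same situation.
  def to_h
    raise ForbiddenAttributes, "attributes not permitted" unless permitted
    @hash.dup
  end
end

# Toy model standing in for an ActiveRecord class with a sensitive column.
class Account
  attr_accessor :name, :admin

  def initialize
    @name = "alice"
    @admin = false
  end

  # Mass assignment: every permitted key becomes a setter call.
  def update(attrs)
    attrs.to_h.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Constructed request body: the form only has a "name" field, but the client
# added "admin" => true by hand.
TAMPERED_REQUEST = { "unsafe" => { "name" => "mallory", "admin" => true } }.freeze

# permit! (the answer's approach): admin is assigned because nothing filters it.
def permit_all_result
  Account.new.update(Params.new(TAMPERED_REQUEST).require(:unsafe).permit!)
end

# explicit whitelist: admin is dropped, only name is assigned.
def whitelist_result
  Account.new.update(Params.new(TAMPERED_REQUEST).require(:unsafe).permit(:name))
end

# forgetting permit entirely: mass assignment is refused rather than silently applied.
def unpermitted_raises?
  Account.new.update(Params.new(TAMPERED_REQUEST).require(:unsafe))
  false
rescue Params::ForbiddenAttributes
  true
end

# require on a body without the expected root key.
def missing_root_raises?
  Params.new({ "other" => { "name" => "x" } }).require(:unsafe)
  false
rescue Params::ParameterMissing
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "permit!   -> admin=#{permit_all_result.admin}"   # true
  puts "permit    -> admin=#{whitelist_result.admin}"    # false
end
```

The point of the `admin` key is the caveat the thread glosses over: `permit!` is not a neutral "opt out", it re-opens exactly the mass-assignment hole that `attr_accessible` / `whitelist_attributes` closed in Rails 3, for every attribute of that model. Using it on a controller that updates a model with privilege or ownership columns is only safe if those columns can never be reached through that controller; otherwise list the attributes with `permit`.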