
I understand strong parameters are used in cases where we are creating an object and putting it into our database. For example,

User.create(params[:user]) would have to be User.create(params.require(:user).permit(:name, :email, :password)).

This is standard and simple to understand, however, are strong parameters required when updating a column or a few attributes in a model?

current_user.update_attributes(params[:user]). Does that have to be current_user.update_attributes(params.require(:user).permit(:name, :email, :password))?

Lastly, I don't think it is needed for this case:

current_user.update_column(authentication_token: nil), but would it have needed to be updated if instead we had params = { authentication_token: nil }, and did current_user.update_column(params)?

David

3 Answers

I experimented in a Rails 4 environment with both the update and update_attributes method calls, and I received identical errors for both: ActiveModel::ForbiddenAttributesError in PeopleController#update. In the controller I used @person.update(params[:person]) and @person.update_attributes(params[:person]); that's why it says PeopleController in the error message.

Based on the API documentation, it looks like in Rails 4 update_attributes is an alias for update. So I guess update_attributes does the same thing as the update method in Rails 4:

update_attributes(attributes) public

Alias for ActiveRecord::Persistence#update

Therefore, both the update and update_attributes methods have to use strong parameters to update the database. I also tested the update_attributes method with strong parameters: @person.update_attributes(person_parameters), and it worked.

Updated:

About the update_attribute and update_column methods. I just tested those for the very first time through a controller, and with those methods you don't need to use strong parameters inside the controller (which was a bit of a surprise to me), even when you are using params (user-provided values). So with the update_attribute and update_column methods you can update the database without using strong parameters.

jyrkim

Any time you pass an instance of ActionController::Parameters to one of the mass-assignment APIs (new, create, update_attributes, update, etc.) you need to permit the appropriate fields.

In a controller the params method returns an instance of ActionController::Parameters, as are any hashes contained within it, so you need to use permit.

If you do

params = { foo: bar }
record.update_attributes(params)

or

record.update_attributes(foo: bar)

then you're passing a normal hash, and so you don't need to use permit.

Frederick Cheung

Are strong parameters required when updating a column or a few attributes in a model?

Yes, if the model is being updated with values from the end-user. Never trust the user input.

Suppose the current_user model has a 'role_id' column, which could be 1 for super user, 2 for normal user and 3 for guest. If you don't sanitize the parameters, the end-user could easily forge a request to gain privileges and compromise your application security.

Regarding your last question, you're right. You don't need strong parameters to update the record with values you already know.

Wilson Silva