
So this is probably going to be a very dumb question, but I've set up OAuth with Twitter as the provider in a similar way to Ryan Bates's 'Simple OmniAuth' Railscast. My question is: now that that is set up and working, should I be setting strong parameters in my sessions controller, or is this not necessary?

SessionsController.rb

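```ruby
class SessionsController < ApplicationController
  def create
    @user = User.find_by_uid(auth_hash[:uid]) || User.create_user(auth_hash)

    # create_user returns a User object even when the save fails, so check
    # that the record was persisted before writing to the session.
    if @user.persisted?
      session[:uid] = @user.id
      redirect_to root_path
    else
      redirect_to root_path, flash: { signinerror: "Oops, something went wrong with your sign in. Please try again." }
    end
  end

  def destroy
    session[:uid] = nil
    redirect_to root_path
  end

  private

  # Private so that it is a helper only and cannot be routed to as an action.
  def auth_hash
    request.env['omniauth.auth']
  end
end
```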

User.rb

```ruby
class User < ActiveRecord::Base
  has_many :opinions

  # Builds the user from the OmniAuth hash one attribute at a time;
  # no hash is passed to create, so nothing is mass-assigned.
  def self.create_user(auth_hash)
    create do |user|
      user.provider = auth_hash[:provider]
      user.name     = auth_hash[:info][:name]
      user.uid      = auth_hash[:uid]
      user.username = auth_hash[:info][:nickname]
      user.email    = auth_hash[:info][:email]
      user.image    = auth_hash[:info][:image]
    end
  end
end
```

Thanks

Puce
Robbo

1 Answer


Since you don't use mass assignment on object creation, strong parameters will not give you any additional security.

With this plugin Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted.

https://github.com/rails/strong_parameters

Ulrich Thomas Gabor
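The distinction the answer draws, as an added example that is not part of the original question or answer: a plain-Ruby stand-in (no Rails required) comparing unfiltered mass assignment, whitelisted mass assignment, and the attribute-by-attribute mapping used in `User.create_user`. `DemoUser`, its `admin` column, the helper names and the sample hashes are all hypothetical and constructed for illustration.

```ruby
# Plain-Ruby stand-in for an ActiveRecord model; `admin` is a hypothetical
# privileged column that the application never intends users to set.
class DemoUser
  ATTRS = %i[provider uid name username email image admin].freeze
  attr_accessor(*ATTRS)

  # Mass assignment: every key in the hash becomes an attribute write.
  def self.mass_assign(attrs)
    new.tap { |u| attrs.each { |key, value| u.public_send("#{key}=", value) } }
  end

  # The idea behind strong parameters: only whitelisted keys may reach
  # mass assignment.
  def self.permitted_assign(attrs, *allowed)
    mass_assign(attrs.select { |key, _| allowed.include?(key) })
  end

  # The approach in the question's User.create_user: each column is set from a
  # named key, so keys that are never read here can never be written.
  def self.from_auth_hash(auth)
    new.tap do |u|
      u.provider = auth[:provider]
      u.uid      = auth[:uid]
      u.name     = auth.dig(:info, :name)
      u.username = auth.dig(:info, :nickname)
      u.email    = auth.dig(:info, :email)
      u.image    = auth.dig(:info, :image)
    end
  end
end

# Constructed sample input: form parameters carrying an unexpected admin flag.
FORM_PARAMS = { name: "Mallory", email: "m@example.test", admin: true }.freeze

# Constructed sample auth hash with extra keys the mapping does not read.
AUTH_HASH = {
  provider: "twitter", uid: "12345", admin: true,
  info: { name: "Alice", nickname: "alice", email: nil, image: nil, admin: true }
}.freeze

unfiltered = DemoUser.mass_assign(FORM_PARAMS)                     # admin is set
permitted  = DemoUser.permitted_assign(FORM_PARAMS, :name, :email) # admin dropped
mapped     = DemoUser.from_auth_hash(AUTH_HASH)                    # admin never read
puts [unfiltered.admin.inspect, permitted.admin.inspect, mapped.admin.inspect].join(" ")
```
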