
My User model is as follows (user.rb)

class User < ActiveRecord::Base
  validates :password, presence: true, length: { minimum: 6 }
  validates :password_confirmation, presence: true
  has_secure_password
  validates :name, presence: true, length: { maximum: 50 }
  VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
  validates :email, presence: true, format: { with: VALID_EMAIL_REGEX }, uniqueness: true
end

My UsersController is as follows (users_controller.rb)

class UsersController < ApplicationController
  def new
  end

  private

  def user_params
    params.require(:user).permit(:name)
  end
end

So I should only be able to mass-update (mass-assign) the name attribute.

But when I log on to the Rails console and type the following commands

user = User.find(1)
user.update_attributes(name: "ck", email: "ck@gmail.com", password: "ckck9090", password_confirmation: "ckck9090")
user.save # update_attributes already saves; this extra save is a no-op

I am still able to update email.

I didn't mention the :email attribute in the strong parameters .permit() call. So how can I still mass-update the email attribute?

Am I missing something?

pintua

2 Answers

The key to your answer is here:

def user_params
  params.require(:user).permit(:name)
end

You are testing through the Rails console and not using the params hash. Rails has no clue where your arguments come from and will use them unless otherwise specified.

If you truly want to see your strong params in action, I suggest you do this:

  1. Make a create method in your controller and verify you have the correct routes to trigger it.
  2. Create a user, like this:

@user = User.new user_params
@user.save

  3. Finally you have to add a breakpoint so you can see the magic. I suggest adding byebug to your Gemfile; that way you can stop the execution by adding byebug or debugger anywhere in your code. So all together, this would look something like this:

class UsersController < ApplicationController
  def new
  end

  def create
    @user = User.new user_params
    byebug
    @user.save
  end

  private

  def user_params
    params.require(:user).permit(:name)
  end
end

This is not very idiomatic but should work to illustrate. From there, you can type in @user in the REPL to see what was put in there. You should be able to see the filtering taking place.

Max Alcala
  • Hey @Max Alcala, thanks for the reply. As per your reply, I updated the controller, routes file. But when I try to access the url `http://localhost:3000/users/create?name=moniddd&email=mofffmoddmo@gmail.com&password=bhak99bddhak&password_confirmation=bhak99bddhak`, it throws an error `param is missing or the value is empty: user` – pintua Sep 14 '15 at 15:26
  • Are you able to stop execution via `byebug`? If so, then check and see what `params` evaluates to whenever you hit the breakpoint in the code above. You should see, at minimum, the `params` object. I also just noticed you have `param` instead of `params` - there might be a typo? – Max Alcala Sep 14 '15 at 17:11
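To make the mechanism behind both the question and the comment thread concrete, here is an added illustration (not Rails' own code, and not from either answer): a hypothetical, stripped-down stand-in for `ActionController::Parameters` and the `User` model. It shows a plain Hash from the console being assigned unfiltered, `require(:user).permit(:name)` dropping `email`, and a flat `?name=...&email=...` query raising the same "param is missing" error seen in the comments because there is no `user` key.

```ruby
# Added illustration, not Rails' own code: a hypothetical, simplified stand-in
# for ActionController::Parameters and the User model, showing why the console
# call in the question bypasses strong parameters and why the flat query string
# in the comments raised "param is missing or the value is empty: user".
class ParameterMissing < StandardError; end

class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_sym)
  end

  # Like params.require(:user): the key must hold a non-empty hash.
  def require(key)
    value = @hash[key]
    unless value.is_a?(Hash) && !value.empty?
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    Params.new(value)
  end

  # Like .permit(:name): keep only the whitelisted keys, drop the rest.
  def permit(*keys)
    @hash.select { |k, _| keys.include?(k) }
  end
end

# Stand-in for the User model: update_attributes takes any plain Hash,
# so what the console passes is assigned with no filtering at all.
class User
  attr_reader :attributes
  def initialize(attrs)
    @attributes = attrs.dup
  end
  def update_attributes(attrs)
    @attributes.merge!(attrs)
  end
end

# The question's console session: a plain Hash, nothing filters it.
def update_from_console
  user = User.new(name: "old", email: "old@example.com")
  user.update_attributes(name: "ck", email: "ck@gmail.com")
  user.attributes
end

# The controller path: only :name survives require(:user).permit(:name);
# a flat ?name=...&email=... query has no :user key and raises instead.
def update_from_request(request_params)
  user = User.new(name: "old", email: "old@example.com")
  user.update_attributes(Params.new(request_params).require(:user).permit(:name))
  user.attributes
end
```

In real Rails the protection is stricter than this stand-in: handing an unpermitted ActionController::Parameters object to update_attributes raises ActiveModel::ForbiddenAttributesError, while a plain Hash built in the console is never checked at all.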

As far as I know strong_parameters does not prohibit using mass-assignment altogether, but simply prohibits the use of params as an argument in mass-assignment. Therefore you can still do that manually.

Vitaly Stanchits