
Add Support for Strong Parameters (1.6)

Open madmax opened this issue 13 years ago • 9 comments

Hi,

This pull request adds support for strong parameters. Example:

class PostController
  load_and_authorize_resource

  private

  def post_params
    params.fetch(:post, {}).permit(:title, :content)
  end

end

This is for the 1.6 version.

madmax avatar Mar 16 '13 10:03 madmax

@hellojere when you look at the Rails guides, there is a nice example of how to use strong parameters in the new/edit action

http://edgeguides.rubyonrails.org/action_controller_overview.html#more-examples

example:

def blog_params
  params.fetch(:blog, {}).permit(:title, :author)
end

madmax avatar Apr 02 '13 22:04 madmax

Three issues:

  1. I can confirm @hellojere's problem.

    example:

    class AccountDomainsController < …ApplicationController
      load_and_authorize_resource class: 'Domain'
    …
      private
        def domain_params
          params[:domain].permit(:full_name)
        end
    end
    

    Error: "undefined method `permit' for nil:NilClass" when accessing the new action

    • a fix would probably be to skip the method if there are no params?
    • workaround:
      params[:class] && params[:class].permit(:whatever)
  2. the params method should IMHO be named like the current controller/model instance, in my case account_domain_params

  3. Using 4.0.0b1 rails it looks like skipping the strong params check (e.g. removing the method or invalid naming) will not produce ANY error! include ActiveModel::ForbiddenAttributesProtection within the model does not help! Risky…

rmoriz avatar Apr 12 '13 21:04 rmoriz

@rmoriz

  1. I wrote above how you should define the params method; it is a convention that you will find in the Rails guide
  2. You can have multiple params methods in one controller.
  3. Did you try the recent version from the master branch?

madmax avatar Apr 12 '13 22:04 madmax

@madmax

  1. what happens when you access the new action of your posts_controller example?
  2. but why not stick to the naming convention?

    gem 'rails', github: 'rails/rails'
    gem 'cancan', :github => 'moriz/cancan'   # which is ryanb/cancan master + your patch. https://github.com/moriz/cancan

      remote: git://github.com/rails/rails.git
      revision: 436d91869b7febc0030d79adea136add2f526e49
    …
      remote: git://github.com/moriz/cancan.git
      revision: c1e86b9404be768a99f16128e68d944a5d365ce8

this definitely needs tests…

rmoriz avatar Apr 12 '13 23:04 rmoriz

related:

https://github.com/ryanb/cancan/pull/763#issuecomment-15081734
https://github.com/ryanb/cancan/issues/571#issuecomment-6318535

rmoriz avatar Apr 12 '13 23:04 rmoriz

Actually your solution differs a lot compared to https://github.com/rails/strong_parameters and http://edgeguides.rubyonrails.org/action_controller_overview.html#strong-parameters (hint: require)

rmoriz avatar Apr 12 '13 23:04 rmoriz

@rmoriz read 4.5.3 More Examples from http://edgeguides.rubyonrails.org/action_controller_overview.html#strong-parameters

  1. params.fetch(:blog, {}).permit(:title, :author) will always return a hash even if :blog is empty.
  2. Convention was always model names. When you have a register form, the controller will get params[:user], not params[:register]. Why do you then want to name it register_params if it is user_params?

But it is up to you how you name this parameter; just pass the class param like you did.

madmax avatar Apr 13 '13 06:04 madmax
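
The three ways of reaching the nested parameters that come up in this thread (`params[:x]`, `params.fetch(:x, {})` and `require`), as an added example that is not part of the original thread, CanCan or Rails. `Params`, `ParameterMissing`, the `*_style` methods and the sample requests are constructed stand-ins (assumptions) so the snippet runs without Rails.

```ruby
# Stand-in for ActionController::Parameters (assumption: NOT Rails code; it models
# only the [] / fetch / require / permit behaviour discussed in the thread).
class ParameterMissing < KeyError; end

class Params
  def initialize(hash = {}, permitted = false)
    @hash = hash
    @permitted = permitted
  end

  def permitted?; @permitted; end
  def to_h; @hash; end

  # A missing key yields nil, which is why params[:domain].permit fails on `new`.
  def [](key)
    wrap(@hash[key])
  end

  # With a default, fetch never returns nil, so .permit is always callable.
  def fetch(key, default)
    wrap(@hash.fetch(key, default))
  end

  # require raises when the key is absent or empty instead of returning nil.
  def require(key)
    value = @hash[key]
    raise ParameterMissing, "param is missing: #{key}" if value.nil? || value == {}
    wrap(value)
  end

  # Keep only the listed keys and mark the result safe for mass assignment.
  def permit(*keys)
    Params.new(@hash.select { |k, _| keys.include?(k) }, true)
  end

  private
  def wrap(value)
    value.is_a?(Hash) ? Params.new(value) : value
  end
end

# Constructed requests: GET new has no :post key; the POST smuggles in :admin.
NEW_REQUEST  = Params.new({})
POST_REQUEST = Params.new({ post: { title: "Hi", content: "Body", admin: true } })

# The three accessor styles from the thread (method names are hypothetical).
def index_style(params); params[:post].permit(:title, :content); end
def fetch_style(params); params.fetch(:post, {}).permit(:title, :content); end
def require_style(params); params.require(:post).permit(:title, :content); end
```

On `NEW_REQUEST`, `index_style` raises `NoMethodError`, `require_style` raises `ParameterMissing`, and `fetch_style` returns an empty permitted set; on `POST_REQUEST` all three drop `:admin`.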

+1

shoutsid avatar May 25 '13 01:05 shoutsid

Thanks for your submission! The ryanb/cancan repository has been inactive since Sep 06, 2013. Since only Ryan himself has commit permissions, the CanCan project is at a standstill.

CanCan has many open issues, including missing support for Rails 4. To keep CanCan alive, an active fork exists at cancancommunity/cancancan. The new gem is cancancan. More info is available at #994.

If your pull request or issue is still applicable, it would be really appreciated if you resubmit it to CanCanCan.

We hope to see you on the other side!

xhoy avatar Jul 01 '14 07:07 xhoy