diff options
author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2012-09-20 10:47:30 -0700 |
---|---|---|
committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2012-09-20 10:47:30 -0700 |
commit | 6e3532d5e496d611da21f7a5bf67a7d7410400df (patch) | |
tree | 6c03189620497606d63cb95853b8daf1d5cc271c | |
parent | 303448950013444b9f7d71defb4bb503a29eccf2 (diff) | |
parent | 356eed9c6034064c097cf607588185b1c526d93b (diff) | |
download | rails-6e3532d5e496d611da21f7a5bf67a7d7410400df.tar.gz rails-6e3532d5e496d611da21f7a5bf67a7d7410400df.tar.bz2 rails-6e3532d5e496d611da21f7a5bf67a7d7410400df.zip |
Merge pull request #7719 from frodsan/strong_params_docs_part_two
Strong Parameters documentation
3 files changed, 30 insertions, 15 deletions
diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb index 24768b23a8..55cc62a15e 100644 --- a/actionpack/lib/action_controller/metal/strong_parameters.rb +++ b/actionpack/lib/action_controller/metal/strong_parameters.rb @@ -271,9 +271,9 @@ module ActionController # == Strong Parameters # - # It provides an interface for proctecting attributes from end-user - # assignment. This makes Action Controller parameters are forbidden - # to be used in Active Model mass assignmets until they have been + # It provides an interface for protecting attributes from end-user + # assignment. This makes Action Controller parameters forbidden + # to be used in Active Model mass assignment until they have been # whitelisted. # # In addition, parameters can be marked as required and flow through a @@ -281,10 +281,12 @@ module ActionController # effort. # # class PeopleController < ActionController::Base - # # This will raise an ActiveModel::ForbiddenAttributes exception because - # # it's using mass assignment without an explicit permit step. + # # Using "Person.create(params[:person])" would raise an + # # ActiveModel::ForbiddenAttributes exception because it'd + # # be using mass assignment without an explicit permit step. + # # This is the recommended form: # def create - # Person.create(params[:person]) + # Person.create(person_params) # end # # # This will pass with flying colors as long as there's a person key in the diff --git a/activemodel/lib/active_model/deprecated_mass_assignment_security.rb b/activemodel/lib/active_model/deprecated_mass_assignment_security.rb index 16b8466e55..2ea69991fc 100644 --- a/activemodel/lib/active_model/deprecated_mass_assignment_security.rb +++ b/activemodel/lib/active_model/deprecated_mass_assignment_security.rb @@ -1,8 +1,8 @@ module ActiveModel - module DeprecatedMassAssignmentSecurity + module DeprecatedMassAssignmentSecurity # :nodoc: extend ActiveSupport::Concern - module ClassMethods + module ClassMethods # :nodoc: def attr_protected(*args) raise "`attr_protected` is extracted out of Rails into a gem. " \ "Please use new recommended protection model for params " \ diff --git a/activemodel/lib/active_model/forbidden_attributes_protection.rb b/activemodel/lib/active_model/forbidden_attributes_protection.rb index a5e4c4f650..4c05b19cba 100644 --- a/activemodel/lib/active_model/forbidden_attributes_protection.rb +++ b/activemodel/lib/active_model/forbidden_attributes_protection.rb @@ -1,14 +1,27 @@ module ActiveModel + # Raised when forbidden attributes are used for mass assignment. + # + # class Person < ActiveRecord::Base + # end + # + # params = ActionController::Parameters.new(name: 'Bob') + # Person.new(params) + # # => ActiveModel::ForbiddenAttributesError + # + # params.permit! + # Person.new(params) + # # => #<Person id: nil, name: "Bob"> class ForbiddenAttributesError < StandardError end - module ForbiddenAttributesProtection - def sanitize_for_mass_assignment(attributes, options = {}) - if attributes.respond_to?(:permitted?) && !attributes.permitted? - raise ActiveModel::ForbiddenAttributesError - else - attributes + module ForbiddenAttributesProtection # :nodoc: + protected + def sanitize_for_mass_assignment(attributes, options = {}) + if attributes.respond_to?(:permitted?) && !attributes.permitted? + raise ActiveModel::ForbiddenAttributesError + else + attributes + end end - end end end |