diff options
| author | Steve Klabnik <steve@steveklabnik.com> | 2013-01-21 23:42:06 -0500 |
|---|---|---|
| committer | Steve Klabnik <steve@steveklabnik.com> | 2013-01-22 00:08:31 -0500 |
| commit | aadd16f913da8b93ac1d35bb2c74b18d73b47712 (patch) | |
| tree | 0e2ea4b00dc71df75d557f19923ec2144bd62d4e /guides/source | |
| parent | a1748f310ebf3ad17221c570343f7329137f0f02 (diff) | |
| download | rails-aadd16f913da8b93ac1d35bb2c74b18d73b47712.tar.gz rails-aadd16f913da8b93ac1d35bb2c74b18d73b47712.tar.bz2 rails-aadd16f913da8b93ac1d35bb2c74b18d73b47712.zip | |
Getting Started Guide: strong_parameters
Stuff didn't work because of strong_parameters. Now the right calls are
in place.
Diffstat (limited to 'guides/source')
| -rw-r--r-- | guides/source/getting_started.md | 41 |
1 files changed, 33 insertions, 8 deletions
diff --git a/guides/source/getting_started.md b/guides/source/getting_started.md index 7d86b3866a..dd2fd18e17 100644 --- a/guides/source/getting_started.md +++ b/guides/source/getting_started.md @@ -583,9 +583,31 @@ content: </p> ``` -Finally, if you now go to -<http://localhost:3000/posts/new> you'll -be able to create a post. Try it! +If you now go to +<http://localhost:3000/posts/new> you'll *almost* be able to create a post. Try +it! You should get an error that looks like this: + + + +Rails has several security features that help you write secure applications, +and you're running into one of them now. This one is called +'strong_parameters,' which requires us to tell Rails exactly which parameters +we want to accept in our controllers. In this case, we want to allow the +'title' and 'text' parameters, so change your `create` controller action to +look like this: + +``` + def create + @post = Post.new(params[:post].permit(:title, :text)) + + @post.save + redirect_to action: :show, id: @post.id + end +``` + +See the `permit`? It allows us to accept both `title` and `text` in this +action. With this change, you should finally be able to create new `Post`s. +Visit <http://localhost:3000/posts/new> and give it a try!  @@ -729,7 +751,7 @@ def new end def create - @post = Post.new(params[:post]) + @post = Post.new(params[:post].permit(:title, :text)) if @post.save redirect_to action: :show, id: @post.id @@ -864,8 +886,8 @@ method: :patch do |f| %> This time we point the form to the `update` action, which is not defined yet but will be very soon. -The `method: :patch` option tells Rails that we want this form to be -submitted via the `PUT` HTTP method which is the HTTP method you're expected to use to +The `method: :patch` option tells Rails that we want this form to be submitted +via the `PATCH` HTTP method which is the HTTP method you're expected to use to **update** resources according to the REST protocol. TIP: By default forms built with the _form_for_ helper are sent via `POST`. @@ -883,7 +905,7 @@ And then create the `update` action in `app/controllers/posts_controller.rb`: def update @post = Post.find(params[:id]) - if @post.update(params[:post]) + if @post.update(params[:post].permit(:title, :text)) redirect_to action: :show, id: @post.id else render 'edit' @@ -1388,7 +1410,7 @@ Let's wire up the `create` in `app/controllers/comments_controller.rb`: class CommentsController < ApplicationController def create @post = Post.find(params[:post_id]) - @comment = @post.comments.create(params[:comment]) + @comment = @post.comments.create(params[:comment].permit(:commenter, :body)) redirect_to post_path(@post) end end @@ -1559,6 +1581,9 @@ Then you make the `app/views/posts/show.html.erb` look like the following: <%= @post.text %> </p> +<h2>Comments</h2> +<%= render @post.comments %> + <h2>Add a comment:</h2> <%= render "comments/form" %> |