From 78d3c0f9d8d13f634b6b69838db13babbad1da69 Mon Sep 17 00:00:00 2001 From: Paul Nikitochkin Date: Thu, 8 Aug 2013 13:53:30 +0300 Subject: #11803: Move Forbidden attributes description before show post section [ci skip] --- guides/source/getting_started.md | 70 +++++++++++++++++++++------------------- 1 file changed, 36 insertions(+), 34 deletions(-) (limited to 'guides/source/getting_started.md') diff --git a/guides/source/getting_started.md b/guides/source/getting_started.md index 5b1758a771..81e57aee34 100644 --- a/guides/source/getting_started.md +++ b/guides/source/getting_started.md @@ -573,6 +573,41 @@ Finally, we redirect the user to the `show` action, which we'll define later. TIP: As we'll see later, `@post.save` returns a boolean indicating whether the model was saved or not. +If you now go to + you'll *almost* be able to create a post. Try +it! You should get an error that looks like this: + +![Forbidden attributes for new post](images/getting_started/forbidden_attributes_for_new_post.png) + +Rails has several security features that help you write secure applications, +and you're running into one of them now. This one is called +`strong_parameters`, which requires us to tell Rails exactly which parameters +we want to accept in our controllers. In this case, we want to allow the +`title` and `text` parameters, so change your `create` controller action to +look like this: + +```ruby +def create + @post = Post.new(post_params) + + @post.save + redirect_to @post +end + +private + def post_params + params.require(:post).permit(:title, :text) + end +``` + +See the `permit`? It allows us to accept both `title` and `text` in this +action. + +TIP: Note that `def post_params` is private. This new approach prevents an attacker from +setting the model's attributes by manipulating the hash passed to the model. +For more information, refer to +[this blog post about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/). + ### Showing Posts If you submit the form again now, Rails will complain about not finding @@ -618,44 +653,11 @@ content:

``` -If you now go to - you'll *almost* be able to create a post. Try -it! You should get an error that looks like this: - -![Forbidden attributes for new post](images/getting_started/forbidden_attributes_for_new_post.png) - -Rails has several security features that help you write secure applications, -and you're running into one of them now. This one is called -`strong_parameters`, which requires us to tell Rails exactly which parameters -we want to accept in our controllers. In this case, we want to allow the -`title` and `text` parameters, so change your `create` controller action to -look like this: - -``` -def create - @post = Post.new(post_params) - - @post.save - redirect_to @post -end - -private - def post_params - params.require(:post).permit(:title, :text) - end -``` - -See the `permit`? It allows us to accept both `title` and `text` in this -action. With this change, you should finally be able to create new posts. +With this change, you should finally be able to create new posts. Visit and give it a try! ![Show action for posts](images/getting_started/show_action_for_posts.png) -TIP: Note that `def post_params` is private. This new approach prevents an attacker from -setting the model's attributes by manipulating the hash passed to the model. -For more information, refer to -[this blog post about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/). - ### Listing all posts We still need a way to list all our posts, so let's do that. -- cgit v1.2.3