From 78d3c0f9d8d13f634b6b69838db13babbad1da69 Mon Sep 17 00:00:00 2001
From: Paul Nikitochkin
Date: Thu, 8 Aug 2013 13:53:30 +0300
Subject: #11803: Move Forbidden attributes description before show post
section
[ci skip]
---
guides/source/getting_started.md | 70 +++++++++++++++++++++-------------------
1 file changed, 36 insertions(+), 34 deletions(-)
diff --git a/guides/source/getting_started.md b/guides/source/getting_started.md
index 5b1758a771..81e57aee34 100644
--- a/guides/source/getting_started.md
+++ b/guides/source/getting_started.md
@@ -573,6 +573,41 @@ Finally, we redirect the user to the `show` action, which we'll define later.
TIP: As we'll see later, `@post.save` returns a boolean indicating
whether the model was saved or not.
+If you now go to
+ you'll *almost* be able to create a post. Try
+it! You should get an error that looks like this:
+
+![Forbidden attributes for new post](images/getting_started/forbidden_attributes_for_new_post.png)
+
+Rails has several security features that help you write secure applications,
+and you're running into one of them now. This one is called
+`strong_parameters`, which requires us to tell Rails exactly which parameters
+we want to accept in our controllers. In this case, we want to allow the
+`title` and `text` parameters, so change your `create` controller action to
+look like this:
+
+```ruby
+def create
+ @post = Post.new(post_params)
+
+ @post.save
+ redirect_to @post
+end
+
+private
+ def post_params
+ params.require(:post).permit(:title, :text)
+ end
+```
+
+See the `permit`? It allows us to accept both `title` and `text` in this
+action.
+
+TIP: Note that `def post_params` is private. This new approach prevents an attacker from
+setting the model's attributes by manipulating the hash passed to the model.
+For more information, refer to
+[this blog post about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/).
+
### Showing Posts
If you submit the form again now, Rails will complain about not finding
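Review bot: The `create` action in the moved block calls `@post.save` and then `redirect_to @post` unconditionally, while the TIP directly above it (`@post.save` returns a boolean indicating whether the model was saved or not) primes the reader to check that value; a short remark that the return value is deliberately ignored here and handled once validations are introduced would keep the two passages consistent. The strong parameters part is right as written: `params.require(:post).permit(:title, :text)` whitelists exactly the two fields the form submits, `post_params` is kept under `private` so it is not routable as an action, and tagging the fence as ```` ```ruby ```` (the block being removed further down had a bare fence) is a welcome fix.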
@@ -618,44 +653,11 @@ content:
```
-If you now go to
- you'll *almost* be able to create a post. Try
-it! You should get an error that looks like this:
-
-![Forbidden attributes for new post](images/getting_started/forbidden_attributes_for_new_post.png)
-
-Rails has several security features that help you write secure applications,
-and you're running into one of them now. This one is called
-`strong_parameters`, which requires us to tell Rails exactly which parameters
-we want to accept in our controllers. In this case, we want to allow the
-`title` and `text` parameters, so change your `create` controller action to
-look like this:
-
-```
-def create
- @post = Post.new(post_params)
-
- @post.save
- redirect_to @post
-end
-
-private
- def post_params
- params.require(:post).permit(:title, :text)
- end
-```
-
-See the `permit`? It allows us to accept both `title` and `text` in this
-action. With this change, you should finally be able to create new posts.
+With this change, you should finally be able to create new posts.
Visit and give it a try!
![Show action for posts](images/getting_started/show_action_for_posts.png)
-TIP: Note that `def post_params` is private. This new approach prevents an attacker from
-setting the model's attributes by manipulating the hash passed to the model.
-For more information, refer to
-[this blog post about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/).
-
### Listing all posts
We still need a way to list all our posts, so let's do that.
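Review bot: With the strong parameters explanation moved out of this section, the surviving line `+With this change, you should finally be able to create new posts.` now directly follows the `show` view, so "this change" reads as referring to the view rather than to the `permit` fix that actually unblocked post creation; consider rewording to something like `Now that the show action and its view exist, you should finally be able to create new posts.` so the sentence stays coherent after the move.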