Strong Parameters in Rails 4

Matthew Seeley @maxsilver Strong Parameters in Rails 4 Monday, June
3, 13

What are Strong Parameters? Monday, June 3, 13

Monday, June 3, 13

“Strong Parameters” are Mass-assignment protection Monday, June 3, 13

This is Mass-assignment Monday, June 3, 13

Example Monday, June 3, 13

Backwards in history... Monday, June 3, 13

February 2012 Monday, June 3, 13

Monday, June 3, 13

Business Rules : Is this code safe? Any authenticated user
can edit their own account Monday, June 3, 13

What if I make this change? Monday, June 3, 13

Mass assignment was vulnerable by default, if a developer wasn’t
careful about how they updated an object’s parameters. Monday, June 3, 13

Monday, June 3, 13

Protection! attr_accessible, attr_protected Resolved this issue, *if* you remembered to
use them. Monday, June 3, 13

Monday, June 3, 13

March 2012 Monday, June 3, 13

Monday, June 3, 13

Today Monday, June 3, 13

Today in Rails 3 - Parameter Control Attributes require attr_accessible
to be mass assigned and this distinction lives in the model Monday, June 3, 13

New in Rails 4 Monday, June 3, 13

Monday, June 3, 13

How to use? Monday, June 3, 13

Rails 4 - Parameter Control Attributes require permitted key to
be mass assigned and this distinction lives in the controller params.require(:hash_key).permit(:a, :bunch, :of, :keys) params.permit(:foo, {:bar => []}) Monday, June 3, 13

Monday, June 3, 13

Matthew Seeley @maxsilver www.matthewseeley.net Further Reading : Strong Parameters [Rails
4 Countdown to 2013] - Remarkable Labs (Rida Al Barazi) http://blog.remarkablelabs.com/2012/12/strong-parameters-rails-4-countdown-to-2013 Strong Parameters in Rails 4 - Captured Sparks (Robin Fisher) http://capturedsparks.com/2013/03/05/strong-parameters-in-rails-4/ Monday, June 3, 13

Strong Parameters in Rails 4

Strong Parameters in Rails 4

Max Seeley

More Decks by Max Seeley

Other Decks in Technology

Featured

Transcript

Matthew Seeley @maxsilver Strong Parameters in Rails 4 Monday, June

What are Strong Parameters? Monday, June 3, 13

Monday, June 3, 13

“Strong Parameters” are Mass-assignment protection Monday, June 3, 13

This is Mass-assignment Monday, June 3, 13

Example Monday, June 3, 13

Backwards in history... Monday, June 3, 13

February 2012 Monday, June 3, 13

Monday, June 3, 13

Monday, June 3, 13

Business Rules : Is this code safe? Any authenticated user

What if I make this change? Monday, June 3, 13

Mass assignment was vulnerable by default, if a developer wasn’t

Monday, June 3, 13

Monday, June 3, 13

Protection! attr_accessible, attr_protected Resolved this issue, if you remembered to

Monday, June 3, 13

March 2012 Monday, June 3, 13

Monday, June 3, 13

Monday, June 3, 13

Monday, June 3, 13

Monday, June 3, 13

Today Monday, June 3, 13

Today in Rails 3 - Parameter Control Attributes require attr_accessible

New in Rails 4 Monday, June 3, 13

Monday, June 3, 13

How to use? Monday, June 3, 13

Rails 4 - Parameter Control Attributes require permitted key to

Monday, June 3, 13

Monday, June 3, 13

Matthew Seeley @maxsilver www.matthewseeley.net Further Reading : Strong Parameters [Rails