Strong Parameters in Rails 4

The history of Strong Parameters in Rails 3, changes around its use due to the mass-assignment vulnerability, and the new convention for using them in Rails 4.

Max Seeley

June 03, 2013

Transcript

  1. Matthew Seeley
    @maxsilver
    Strong Parameters in Rails 4
    Monday, June 3, 13

  2. What are
    Strong Parameters?

  4. “Strong Parameters”
    are
    Mass-assignment protection

  5. This is Mass-assignment

  6. Example

  7. Backwards in history...

  8. February 2012

  11. Is this code safe?
    Business Rules: Any authenticated user can edit their own account

  12. What if I make this change?

  13. Mass assignment was vulnerable by default,
    if a developer wasn’t careful about how
    they updated an object’s parameters.

  16. Protection!
    attr_accessible, attr_protected
    Resolved this issue,
    *if* you remembered to use them.

  18. March 2012

  23. Today

  24. Today in Rails 3 - Parameter Control
    Attributes require attr_accessible to be mass assigned
    and this distinction lives in the model

  25. New in Rails 4

  27. How to use?

  28. Rails 4 - Parameter Control
    Attributes require permitted key to be mass assigned
    and this distinction lives in the controller
    params.require(:hash_key).permit(:a, :bunch, :of, :keys)
    params.permit(:foo, {:bar => []})

  31. Matthew Seeley
    @maxsilver
    www.matthewseeley.net
    Further Reading :
    Strong Parameters [Rails 4 Countdown to 2013] - Remarkable Labs (Rida Al Barazi)
    http://blog.remarkablelabs.com/2012/12/strong-parameters-rails-4-countdown-to-2013
    Strong Parameters in Rails 4 - Captured Sparks (Robin Fisher)
    http://capturedsparks.com/2013/03/05/strong-parameters-in-rails-4/
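
The Rails 4 convention from slide 28, as an added example that is not part of the original deck: a simplified pure-Ruby stand-in for params.require(...).permit(...) (not Rails' own implementation) showing an unlisted admin key reaching the model without the whitelist and being dropped with it. MiniParams, User, REQUEST, unsafe_update and safe_update are hypothetical names, and the request body is constructed.

```ruby
# Simplified model of Rails 4 strong parameters (NOT ActionController::Parameters itself).
class MiniParams
  class ParameterMissing < StandardError; end
  SCALAR = ->(v) { [String, Symbol, Numeric, TrueClass, FalseClass, NilClass].any? { |t| v.is_a?(t) } }

  def initialize(hash)
    @hash = hash
  end

  # Like params.require(:key): raise unless the key is present and non-empty.
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "missing or empty: #{key}" if value.nil? || (value.respond_to?(:empty?) && value.empty?)
    MiniParams.new(value)
  end

  # Like params.permit(:a, {:b => []}): keep listed scalars, and arrays of scalars for keys declared with [].
  def permit(*filters)
    filters.each_with_object({}) do |filter, out|
      if filter.is_a?(Hash)
        filter.each_key do |k|
          v = @hash[k.to_s]
          out[k.to_s] = v if v.is_a?(Array) && v.all?(&SCALAR)
        end
      elsif @hash.key?(filter.to_s) && SCALAR.call(@hash[filter.to_s])
        out[filter.to_s] = @hash[filter.to_s]
      end
    end
  end
end

# Hypothetical model: #update writes every key it is handed (mass assignment).
class User
  attr_accessor :name, :email, :admin
  def update(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Constructed request body: the account form only offers name and email.
REQUEST = { "user" => { "name" => "Max", "email" => "max@example.com", "admin" => true } }.freeze

def unsafe_update(user, request)
  user.update(request["user"]) # whole hash goes to the model; admin is written too
end

def safe_update(user, request)
  user.update(MiniParams.new(request).require(:user).permit(:name, :email)) # whitelist lives in the controller
end
```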