Strong Parameters in Rails 4

The history of Strong Parameters in Rails 3, changes around its use due to the mass-assignment vulnerability, and the new convention for using them in Rails 4.

Max Seeley

June 03, 2013


  1. Business Rules: Is this code safe? Any authenticated user can edit their own account. Monday, June 3, 13
  2. Mass assignment was vulnerable by default, if a developer wasn’t careful about how they updated an object’s parameters.
  3. Today in Rails 3 - Parameter Control: Attributes require attr_accessible to be mass assigned, and this distinction lives in the model.
  4. Rails 4 - Parameter Control: Attributes require a permitted key to be mass assigned, and this distinction lives in the controller.

    params.require(:hash_key).permit(:a, :bunch, :of, :keys)
    params.permit(:foo, {:bar => []})
  5. Matthew Seeley, @maxsilver, www.matthewseeley.net

    Further Reading:
    Strong Parameters [Rails 4 Countdown to 2013] - Remarkable Labs (Rida Al Barazi) http://blog.remarkablelabs.com/2012/12/strong-parameters-rails-4-countdown-to-2013
    Strong Parameters in Rails 4 - Captured Sparks (Robin Fisher) http://capturedsparks.com/2013/03/05/strong-parameters-in-rails-4/
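
The contrast between slides 2 and 4, as an added plain-Ruby example that is not from the deck or from Rails. `require_key` and `permit` are simplified stand-ins for `params.require` and `.permit` (scalar keys only, no `{:bar => []}` form); `User`, `ParameterMissing` and the request hash are constructed for illustration.

```ruby
# Plain-Ruby model of the mass-assignment problem and the controller-side fix.
# Constructed example: nothing here is Rails' own implementation.

User = Struct.new(:name, :email, :admin) do
  # Mass assignment: copy every key in the hash onto the object.
  def update_attributes(attrs)
    attrs.each { |key, value| self[key.to_sym] = value }
    self
  end
end

class ParameterMissing < StandardError; end

# Stand-in for params.require(key): the nested hash must be present.
def require_key(params, key)
  value = params[key.to_s]
  raise ParameterMissing, "param is missing: #{key}" if value.nil? || value.empty?
  value
end

# Stand-in for .permit(*keys): keep only scalar values under the listed keys.
def permit(hash, *keys)
  allowed = keys.map(&:to_s)
  hash.select { |k, v| allowed.include?(k) && !v.is_a?(Hash) && !v.is_a?(Array) }
end

# Constructed request body: the client added an "admin" key to the form data.
REQUEST = {
  "user" => { "name" => "Mallory", "email" => "m@example.test", "admin" => "true" }
}

# Before: the whole nested hash reaches the model, including "admin".
def unsafe_update(user, params)
  user.update_attributes(params["user"])
end

# After: the controller names the keys it accepts; everything else is dropped.
def safe_update(user, params)
  user.update_attributes(permit(require_key(params, :user), :name, :email))
end
```

With the same request, `unsafe_update` overwrites `admin` while `safe_update` changes only `name` and `email`, and a request without a `user` hash raises instead of updating anything.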