Strong Parameters in Rails 4

Transcript

1. Matthew Seeley
   @maxsilver
   Strong Parameters in Rails 4
   Monday, June 3, 13
   

   View Slide

2. What are
   Strong Parameters?
   Monday, June 3, 13
   

   View Slide

3. Monday, June 3, 13
   

   View Slide

4. “Strong Parameters”
   are
   Mass-assignment protection
   Monday, June 3, 13
   

   View Slide

5. This is Mass-assignment
   Monday, June 3, 13
   

   View Slide

6. Example
   Monday, June 3, 13
   

   View Slide

7. Backwards in history...
   Monday, June 3, 13
   

   View Slide

8. February 2012
   Monday, June 3, 13
   

   View Slide

9. Monday, June 3, 13
   

   View Slide

10. Monday, June 3, 13
    

    View Slide

11. Business Rules :
    Is this code safe?
    Any authenticated user can edit their own account
    Monday, June 3, 13
    

    View Slide

12. What if I make this change?
    Monday, June 3, 13
    

    View Slide

13. Mass assignment was vulnerable by default,
    if a developer wasn’t careful about how
    they updated an object’s parameters.
    Monday, June 3, 13
    

    View Slide

14. Monday, June 3, 13
    

    View Slide

15. Monday, June 3, 13
    

    View Slide

16. Protection!
    attr_accessible, attr_protected
    Resolved this issue,
    *if* you remembered to use them.
    Monday, June 3, 13
    

    View Slide

17. Monday, June 3, 13
    

    View Slide

18. March 2012
    Monday, June 3, 13
    

    View Slide

19. Monday, June 3, 13
    

    View Slide

20. Monday, June 3, 13
    

    View Slide

21. Monday, June 3, 13
    

    View Slide

22. Monday, June 3, 13
    

    View Slide

23. Today
    Monday, June 3, 13
    

    View Slide

24. Today in Rails 3 - Parameter Control
    Attributes require attr_accessible to be mass assigned
    and this distinction lives in the model
    Monday, June 3, 13
    

    View Slide

25. New in Rails 4
    Monday, June 3, 13
    

    View Slide

26. Monday, June 3, 13
    

    View Slide

27. How to use?
    Monday, June 3, 13
    

    View Slide

28. Rails 4 - Parameter Control
    Attributes require permitted key to be mass assigned
    and this distinction lives in the controller
    params.require(:hash_key).permit(:a, :bunch, :of, :keys)
    params.permit(:foo, {:bar => []})
    Monday, June 3, 13
    

    View Slide

29. Monday, June 3, 13
    

    View Slide

30. Monday, June 3, 13
    

    View Slide

31. Matthew Seeley
    @maxsilver
    www.matthewseeley.net
    Further Reading :
    Strong Parameters [Rails 4 Countdown to 2013] - Remarkable Labs (Rida Al Barazi)
    http://blog.remarkablelabs.com/2012/12/strong-parameters-rails-4-countdown-to-2013
    Strong Parameters in Rails 4 - Captured Sparks (Robin Fisher)
    http://capturedsparks.com/2013/03/05/strong-parameters-in-rails-4/
    Monday, June 3, 13
    

    View Slide