Andrew Grimm

Reputation: 81520

Rationale for the controller having the strong params whitelist

In most Rails applications I've seen, the controller lists what attributes are or aren't permitted when submitting attributes.

class PersonsController < ApplicationController
  # rest of code
  def person_params
    params.require(:person).permit(:name)
  end
end

We don't see something like

# Hypothetical code only
class Person < ActiveRecord::Base
  def my_param_whitelist
    [:name]
  end
end

Even though it'd seem more DRY to have the whitelist within the model class.

What is the rationale for the controller having the whitelist, rather than the models that are being modified?

Upvotes: 1

Views: 36

Answers (1)

Noman Ur Rehman

Reputation: 6957

I have not thought about it too technically but here is a gut answer.

If you declare the permitted params in the model, yes, that keeps the code DRY and you do not have to repeat yourself in every controller, but it means every piece of code that has to communicate with the model has to go through the same whitelist.

If you keep the allowed params in the controller, however, you can allow different controllers to have their own whitelists.

For example, a user (UserController) may not be able to change his/her registered username/email, but an admin (AdminController) may be able to do that. In such a case the UserController and AdminController have their own whitelists of permitted params.

Upvotes: 2
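The two-controller case from the answer, as an added example that is not code from the question, the answer, or Rails itself. `Params` is a constructed stand-in for `ActionController::Parameters#require`/`#permit`, and `Person#assign` stands in for mass assignment, so the example runs without Rails:

```ruby
# Minimal stand-in for ActionController::Parameters#require/#permit
# (constructed for this example; not Rails' own implementation).
class Params
  def initialize(hash)
    @hash = hash
  end

  # Raise if the top-level key is absent, like Rails' require.
  def require(key)
    raise ArgumentError, "param is missing: #{key}" unless @hash.key?(key)
    Params.new(@hash[key])
  end

  # Keep only the whitelisted keys; anything else is silently dropped.
  def permit(*keys)
    @hash.select { |k, _| keys.include?(k) }
  end
end

# Attributes a Person record can hold; `assign` mimics mass assignment.
class Person
  attr_accessor :name, :email, :username

  def assign(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Each controller carries its own whitelist, as the answer describes.
class UsersController
  def person_params(params)
    params.require(:person).permit(:name) # users may only rename themselves
  end
end

class AdminController
  def person_params(params)
    params.require(:person).permit(:name, :email, :username)
  end
end

# Constructed request: a rename that also carries an email and username change.
REQUEST = { person: { name: "Alice", email: "alice@example.com", username: "root" } }

# Run the same request through a controller's whitelist and assign the result.
def update_as(controller)
  Person.new.assign(controller.person_params(Params.new(REQUEST)))
end
```

With one model-level whitelist, the user-facing endpoint would have to accept the union of both controllers' attributes, so the email and username fields would become assignable from the same request that only a rename should be allowed to make.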
