deamon

Reputation: 92427

How to restrict params Rails passes to an object?

How can I exclude (or explicitly include) params passed to an object like in the following example:

  def create
    @something = Something.new(params[:something])
    ...
    @something.save    
  end

Say, for example, something had a field trust_level that should not be settable by public users (who are allowed to create the object). It would be easy to send this field via HTTP even if the provided form doesn't contain it. So how can this field be prevented from being passed to the new (or update_attributes) method?

Upvotes: 0

Views: 734

Answers (2)

Fabio

Reputation: 19176

Another way is to filter out unwanted params, just in case you want to get rid of only a specific param and you can't use attr_accessible (which is a better solution to your problem).

hsh.reject {| key, value | block } → a_hash

Same as Hash#delete_if, but works on (and returns) a copy of the hsh. Equivalent to hsh.dup.delete_if.

enum.reject {| obj | block } → array
enum.reject → an_enumerator

Upvotes: 1

Dave Newton

Reputation: 160191

Use attr_accessible to define what's available to mass-assignment.

(That's a link to the docs but it's a little hard to tell, so here it is again.)

Upvotes: 4
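
The two approaches from the answers above (a Hash#reject denylist, and the allowlist idea behind attr_accessible), as an added example that is not part of either answer. It is plain Ruby with no Rails; the Something stand-in class, the helper names and the submitted hash are constructed for illustration, and it also shows the string-versus-symbol key mismatch that makes a naive reject miss the field.

```ruby
# Hypothetical stand-in for the model: the constructor mass-assigns every
# key it is given, like Something.new(params[:something]) in the question.
class Something
  attr_accessor :name, :description, :trust_level

  def initialize(attrs = {})
    @trust_level = 0 # server-side default
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Constructed request body: the form only offers name; the client added
# trust_level by hand. Keys are strings here.
SUBMITTED = { "name" => "widget", "trust_level" => "99" }.freeze

# Naive denylist: compares against a symbol, so the string key slips through.
def naive_reject(params)
  params.reject { |key, _value| key == :trust_level }
end

# Denylist that normalises keys before comparing (hypothetical helper).
def without_params(params, *blocked)
  blocked = blocked.map(&:to_s)
  params.reject { |key, _value| blocked.include?(key.to_s) }
end

# Allowlist: only named keys survive, so a protected field added to the
# model later is excluded by default (hypothetical helper).
def only_params(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _value| allowed.include?(key.to_s) }
end

def create_unfiltered
  Something.new(SUBMITTED)
end

def create_denylist
  Something.new(without_params(SUBMITTED, :trust_level))
end

def create_allowlist
  Something.new(only_params(SUBMITTED, :name, :description))
end
```

The denylist has to be updated every time a sensitive attribute is added to the model, while the allowlist fails closed.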
