Rails 4 Strong Parameters:How to 'Exclude'/Blacklist Attributes Instead of Permit/Whitelist

  • Home
  • Languages
  • Ruby
  • Rails 4 Strong Parameters:How to 'Exclude'/Blacklist Attributes Instead of Permit/Whitelist

Rails 4 Strong Parameters : can I 'exclude' / blacklist attributes instead of permit / whitelist?

No, this is not possible.

Blacklisting attributes would be a security issue, since your codebase can evolve, and other attributes, which should be blacklisted can be forgotten in the future.

Adding all your whitelisted attributes might seem like a complicated thing when implementing it.

However, it's the only way of keeping your application secure and avoiding disturbing things.

Strong Params + Rails4 - How do I allow not specifically?

It's not possible. This previous question covers it very clearly - Rails 4 Strong Parameters : can I 'exclude' / blacklist attributes instead of permit / whitelist?

Blacklisting attributes would be a security issue, since your codebase
can evolve, and other attributes, which should be blacklisted can be
forgotten in the future.

Rails 4 strong parameters failing when creating instances in rails console

Two things. The league_params definition goes in the controller, not the model. And params.require() should contain the name of the model that is required to be present in the parameters, not the attributes. The attribute presence check should still be in the model validations. And be sure you really want to allow access to all attributes in the League model before you use permit!. So, it should look like this:

class LeaguesController < ApplicationController

  private
    def league_params
      params.require(:league).permit!
    end

end

Update:

Yes, if you want the attributes to be restricted when accessing the model directly, you would need to switch back to using the attr_accessible in the model. That functionality has been moved into this gem: https://github.com/rails/protected_attributes.

I think it is assumed that if you are working with the model directly in the console, you don't need the attributes to be protected as you know exactly what is being entered. As the console has full access to your app, it would be just as easy to hose the entire database as it would be to maliciously assign an attribute.

Rails4 Strong parameters without database column

Please, permit only the params you expect your user send with data. If start_time is not user data for update your db, use this way:

params.require(:timeslot).permit(:employee_id, :dienstplan_id, :start_date)

Strong parameters prevents save data that user sends and you don't want he/she update.

If you use :start_time, it must be defined at your model.

Ops, I've seen your update:

@e.start_date = @e.start_date.to_s + " " + @e.start_time.to_s

If you send :start_time to an Timeslot instance them start_time must be a method of Timeslot model. Defined by rails if it is a db field, defined with attr_accesor or att_reader or defined by a def key on your source model.

If not @e.start_time trigger undefined method 'start_time'.

edited again:

Now, start_time is a model variable. Make sure it is send to the form in the same way that you do with the fields. By default we use an f <%= f.text_field :the_field %>. Just don't forget the f.

Now you must permit this field again, if you follow my first advice.

Rails 4 strong params - Undefined method name on model

You still do need the attr_accessor defining which attributes your model has.

There's also a ActiveModel::Model module you can include rather than including separate modules:

class Message
  include ActiveModel::Model

  attr_accessor :name, :email, :body

  validates :name, :email, :body, :presence => true

  def persisted?
    false
  end
end

See the ActiveModel documentation for more information.

How can I view list of permitted params using Rails strong_parameters?

No, that is not possible. Because params.require(:foo).permit(:bar) does not define a list of allowed parameters, but filters the params parameter hash at each request with the attribute names as arguments.

What you can do to see the list of allowed parameters is to take a look into your controller.

Another option might be to store the allowed parameters in a constant which can be queried from everywhere in your application:

# in the foos_controller
ALLOWED_PARAMS = [:bar]

def foo_params
  params.require(:foo).permit(*ALLOWED_PARAMS)
end

# elsewhere or in the Rails console
FoosController::ALLOWED_PARAMS
#=> [:bar]

Read more about how this filtering works: http://api.rubyonrails.org/classes/ActionController/Parameters.html


Related Topics

How to Bypass Mass Assignment Protection

Rails 3, Check CSV File Encoding Before Import

How to Force One Field in Ruby's CSV Output to Be Wrapped with Double-Quotes

Sinatra - Response.Set_Cookie Doesn't Work

Why Is Ruby's Date Class Automatically Loaded But Datetime Is Not

Learning Ruby Curses

Turning a Hash of Arrays into an Array of Hashes in Ruby

Rails 4 - Syntax Error, Unexpected Tidentifier, Expecting End-Of-Input

Rspec Testing Redirect to Url with Get Params

Is It Acceptable Practice to Patch Ruby's Base Classes, Such as Fixnum

CSV - Unquoted Fields Do Not Allow \R or \N (Line 2)

Installing Ruby 2.3 on Wsl (Windows Subsystem for Linux)

How to Convert a JSON String to an Object

How to Setup Urls for Static Site with Ruby Rack on Heroku

Why Do I Get an "Undefined Method for 'Has_Attached_File' When Installing Paperclip

How to Read a Yaml File

Counting Days Excluding Weekends

How to Parse Consecutive Tags with Nokogiri


Leave a reply



Submit