This course will be retired on June 1, 2025.
Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll
Preview
Start a free Courses trial
to watch this video
We've set up a route so that form submissions get sent to the PagesController's create method. But that method doesn't exist yet. Let's set it up now. Within the create method, we're going to need to specify which parameters are safe to use to create the new Page object.
Important Update
This video recommends calling render text:, which works fine in Rails 5.0 (the recommended version to use when following along with this course). But if you happen to have generated your app using Rails 5.1 or later, render text: no longer works.
In both Rails 5.0 and 5.1, you can replace render text: with render plain:, and it will work correctly.
Strong Parameters
Suppose you have a parameters object with a bunch of parameters you don't want. All the parameters you do want are nested under the page parameter:
2.3.0 :007 > params
=> <ActionController::Parameters {"stuff"=>"%$\#@", "page"=>{"title"=>"title", "body"=>"body", "slug"=>"slug", "is_admin"=>"true"}} permitted: false>
Before we can use these parameters to create a model object, we're going to need to indicate which parameters are required to be present, so that requests without them can be rejected. We'll also need to indicate which parameters are permitted, so that other, possibly malicious parameters can be discarded.
The require method indicates a parameter that's required. So, we'll call require with the symbol :page.
2.3.0 :008 > params.require(:page)
=> <ActionController::Parameters {"title"=>"title", "body"=>"body", "slug"=>"slug", "is_admin"=>"true"} permitted: false>
The require method returns the value of the parameter being required, which in this case is another ActionController::Parameters object.
The permit method takes the names of one or more parameters that are permitted. Let's try calling permit on this parameters object, to indicate which parameters are permitted (and to discard that unwanted is_admin parameter). We'll chain the methods together, calling permit directly on the return value of require.
2.3.0 :009 > params.require(:page).permit(:title)
=> <ActionController::Parameters {"title"=>"title"} permitted: true>
We got back a new parameters object. It contains only the title parameter, since that was the only one we permitted. And notice that the permitted attribute of the object is true this time. That means we can use it to create a new model object.
Let's try that out. We'll take the same command, and pass the result to a call to Page.new...
2.3.0 :010 > Page.new(params.require(:page).permit(:title))
=> #<Page id: nil, title: "title", body: nil, slug: nil, created_at: nil, updated_at: nil>
Instead of an error, we get a new Page object back. And because we permitted the title parameter, the Page object's title attribute is set.
Related Discussions
Have questions about this video? Start a discussion with the community and Treehouse staff.
Sign upRelated Discussions
Have questions about this video? Start a discussion with the community and Treehouse staff.
Sign up
We've set up a route, so
that form submissions get sent to
0:00
the PagesController's create method,
but that method doesn't exist yet.
0:03
Let's set it up now.
0:08
We'll go into the app controllers folder,
open up the pages controller,
0:09
and add a new create method
down here at the bottom.
0:14
Within the method, our form parameters
will be available within the params
0:21
object, just like the URL
parameters were before.
0:25
Let's look at the contents of params.
0:29
We'll render our responses as plain text,
so
0:31
we don't have to create
an ERB template.
0:33
So, we'll call render, and
we'll give it a keyword argument of text.
0:36
Then we'll take the params objects and
call a method name to_json on it
0:42
to convert it to JavaScript
object notation format.
0:46
That will allow us to see
the entire object easily.
0:50
Save that, and resubmit the form,
and you'll see Json similar to this.
0:53
Let's try to use these parameters
to create a new page object.
0:59
We'll assign our object to
the page instance variable.
1:03
To create the object, we'll call Page.new,
and pass the parameters as an argument.
1:07
Save that and go back to our browser.
1:15
But if we resubmit the form, we'll see
an ActiveModel::ForbiddenAttributesError.
1:18
The problem is that we tried to use
parameters to create a new model object
1:23
without specifying which
parameters are allowed for use.
1:26
Remember how we showed you a scenario
where a malicious user added the parameter
1:30
to a POST request turning himself into a
site admin and causing all sorts of havoc?
1:34
That's what's going on here,
1:39
rails is trying to protect your
app from unwanted parameters.
1:40
That's why rails uses
the strong parameters library.
1:44
Strong parameters helps keep your apps
from hacked, by requiring you to specify
1:47
which parameters are allowed, before you
can use them to create a model object.
1:51
Let's look at the contents of params
again, and see which ones we should allow.
1:56
We'll delete this line that creates
a new page from our controller.
2:00
And then we'll resubmit our form
data to see the parameters.
2:03
There's a bunch of stuff,
like the authenticity token and
2:09
the controller parameters
that we don't really need.
2:13
Rails just uses those internally.
2:15
So, we'll need to discard those.
2:18
It looks like everything we actually need
to build a page object is nested here in
2:20
this group of parameters, and
if I scroll off to the right here,
2:24
you can see that that is all
stored under the page parameter.
2:28
The page parameter has this other
parameters object nested under it.
2:33
The parameters object that's nested
under page itself has title, body, and
2:37
slug parameters.
2:42
The object in params acts a lot
like a hash with keys and
2:44
values you can access, but
it's actually not a hash.
2:47
Let's update our controller to
show you the class of params.
2:51
So, we'll change this to params.class.
2:56
Reload and confirm our form resubmission.
2:59
And you can see it's actually an action
controller parameters object.
3:03
So, why doesn't rails just use a hash?
3:07
Among other things, an action controller
parameters object has a convenient require
3:10
method that allows you to specify that
certain parameters have to be present,
3:14
as well as a permit method that allows you
to specify which parameters are allowed.
3:18
Let me show you how this
works in the rails console.
3:23
So, we'll go back to our terminal,
quit out of our server if it's running.
3:25
And run bin/rails c to launch the console.
3:29
First, I'll manually create my own
action controller parameters object and
3:35
assign it to the program's variable.
3:39
So, we'll set up our variable,
and then call ActionController::
3:42
Parameters.new.
3:49
I'll spread this over several
lines since that's pretty long.
3:54
So first, I'll throw a parameter in
3:58
there to represent all the stuff
that Rails uses internally.
4:00
I'll put a comma there, which will
allow me to go down to another line.
4:07
And we'll nest a bunch of other
parameters under the page parameter.
4:11
So, we'll say page.
4:15
And then we'll put a hash here, which
will give us a nested parameter object,
4:17
once this parameter object is created.
4:22
Within that hash, we'll set up a title
parameter, with value of title.
4:25
Body of body, and
4:31
a slug of slug.
4:35
Let's also throw in a fake
malicious parameter in there.
4:41
Remember, we had an attacker try to
add an is_admin attribute before.
4:45
We'll try adding that here, as well.
4:50
We'll end our page parameter, and
4:55
we'll end the entire
ActionController::Parameters.new call.
4:57
The Rails console shows
the resulting object.
5:02
Notice this permit that should
be done on the end here.
5:04
If you try to use an action
controller parameters object where
5:08
permitted is false to set an object's
attributes, you'll get an error.
5:11
So, let's try creating a new page object.
5:15
We'll called Page.new, and
we'll pass at this params object, and
5:19
remember, permitted is
false on this object.
5:23
We get an error.
5:26
Scroll up to show you,
ActiveModel::Forbidden
5:28
AttributesError,
just like we saw in our browser earlier.
5:31
That's the strong parameters
protection kicking in.
5:34
Before we can use these parameters
to update model objects,
5:38
we're going to need to indicate which
parameters are required to be present.
5:41
So, that requests without
them can be rejected.
5:45
We'll also need to indicate which
parameters are permitted, so
5:48
that other possibly malicious
parameters can be discarded.
5:51
For example, that is admin attribute.
5:55
Let's start by indicating a parameter
that's required using the required method.
5:58
All the parameters we
actually want title, body and
6:02
slug are nested in another parameter
object under the page parameter.
6:05
We wouldn't want to accept any
requests that didn't include page.
6:11
So, we'll call require with a symbol,
page.
6:15
The require method returns the value
of the parameter being required, which,
6:20
in this case, is another
ActionController::Parameters object.
6:24
Notice that permitted is
also false on this object.
6:28
That's because we didn't get this
object by calling the permit method, so
6:32
we still can't use it to
create a model object.
6:36
Now, let's try calling permit on this
new parameters object to indicate which
6:39
parameters are permitted, and to discard
that unwanted is_admin parameter.
6:43
We'll chain the methods together.
6:48
Calling permit directly on
the return value of require.
6:49
We'll permit just the title parameter for
now.
6:53
So, we'll pass a symbol of
title to the permit method.
6:56
We got back a new parameters object.
7:00
It contains only the title parameter,
since that was the only one we permitted.
7:02
And notice that the permitted
attribute is now set to true.
7:06
That means we can use this parameters
object to create a new page object.
7:10
Let's try that out.
7:15
We'll take the same command and pass
the result to a call to Page.new.
7:15
So, Page.new here at the beginning.
7:21
And we'll wrap all this in parentheses.
7:24
So, we take our params object.
7:27
We require the page parameter, we permit
the title parameter within that object,
7:30
and then we pass the whole
thing to Page.new.
7:34
And instead of an error,
we'll get a new page object back.
7:38
Only the title attribute has
been set on the page though.
7:42
So now, let's permit the other parameters.
7:45
Permit takes any number of arguments,
each representing a parameter you want to
7:48
permit, so
we can add on a body parameter.
7:51
And the body attribute of our
page objects will be set.
7:56
Finally, we can add on the slug parameter.
8:00
And the slug attribute
will be set as well,
8:05
there's also no sign of that
malicious is_admin parameter.
8:07
We've successfully used parameters
to build a page object.
8:11
Of course,
these are just fake user parameters.
8:14
So now, let's do the same thing for
the parameters from our form.
8:17
Exit the console,
we start our rail server,
8:21
since we're going to
need that in a moment.
8:24
Okay, and here in the create method,
8:27
which is going to process the submission
from our form for a new page.
8:28
We're going to set up a page_params
variable to hold our parameters object,
8:34
and the parameters coming back
from the form will be in params.
8:40
So, within the page parameter
of that parameters objects,
8:44
the other parameters we need are nested.
8:48
So, we're gonna call,
we're gonna require the page parameter.
8:51
And that will get us a parameter
object back, then on that object,
8:57
we're going to call permit.
9:00
And we're going to permit the title,
body and slug parameters.
9:03
And the resulting parameters objects will
get stored in the page_params variable.
9:10
Now, we'll take that parameters objects,
and
9:15
can create a new page object based on it.
9:16
So, we'll call Page.new,
pass page_params to it,
9:19
and that should get us a new page
object with its title, body and slug and
9:26
attributes set.
9:30
We'll assign the result to
the page instance variable.
9:31
Lastly, we want to save that
page record to our database.
9:35
So, we'll take the page object and
we'll call save on it.
9:38
So, let's hit save in our editor, go back
to our browser, and resubmit our form.
9:42
And there's no error this time,
actually nothing at all seems to happen.
9:47
But if we go back to our
list of all pages and
9:54
refresh the browser,
there is our new page.
9:57
We don't want the browser to just sit
there showing the form after we've
10:00
submitted them.
10:03
So, the final thing we'll do is to
tell the browser to load the view for
10:04
the new page once it's saved.
10:07
To do this, we'll add a call
to the redirect_to method.
10:10
We'll pass redirect_to
our new page object.
10:16
The redirect_to method tells Rails to
send a redirect response to the browser.
10:19
Redirects caused the browser
to request a new URL.
10:24
In this case, since we're passing
a page object to redirect_to,
10:27
the browser will be told to request
the URL of that page object.
10:31
So, we save this,
go back to our browser, and
10:36
bring up the new page form and submit it.
10:39
Once the record is saved,
we will be redirected to view that page.
10:46
We've learned a lot about Rails'
strong parameters library in this video.
10:50
If you'd like to know more,
be sure to check out the teacher's notes.
10:54
Impressive.
10:58
You had to set up two routes for this
stage, one for get requests for a form,
10:59
and another for
post requests to submit the form data.
11:03
You set up a controller action and
a view to display the form, and
11:06
another controller action to create a new
model object based on the form data.
11:10
The tough part is over.
11:15
In the next stage, we're going to set up
a form to let users modify existing pages.
11:16
We'll be following much the same
pattern that we did in this stage.
11:21
We'll present the form, and
then accept form submissions.
11:24
You need to sign up for Treehouse in order to download course files.
Sign upYou need to sign up for Treehouse in order to set up Workspace
Sign up