Rails is mistakenly trying to "protect" you from malicious parameters. We need to fix that.
You can read more about Rails Strong Parameters here.
0:00 So when we fill out our new body field in the post form and submit it, the body doesn't get saved.
0:06 If we look at our log we'll see a clue as to the problem.
0:09 Here's the request where we submitted the form, and in the middle we see "unpermitted parameter body".
0:17 When you click the button to submit the HTML form, your browser sends an HTTP POST request to the server.
0:24 Remember how we covered the HTTP GET request earlier, which is used to get web pages? An HTTP POST request is used to post data on the server.
0:35 Think of it as leaving the data there for others to find later.
0:39 By the way, be careful not to confuse the term POST request with our Post model.
0:44 The fields in your form are treated as parameters in the POST request.
0:48 You can see a list of them in the Rails log.
0:50 You'll see one for the title field, and another for the body field.
0:56 But there's that message right below the parameters: unpermitted parameter body.
1:02 It looks like Rails rejected the body field, but why?
1:06 Suppose we have a User model representing a user of our site.
1:09 We want most of our users to be treated as regular users.
1:13 All they can do is create and edit their own posts, but some users should be treated as administrators.
1:19 They help run the entire site.
1:21 An administrator can edit other people's posts, and maybe even delete other users.
1:26 The User model has an attribute called is_admin.
1:29 Any user for which is_admin is set to true is treated like an admin.
1:34 Now you don't want just anybody to be able to set themselves up as an admin.
1:38 So you remove the "user as an administrator" checkbox from the form for creating a user, so that users can't make themselves admins.
1:45 You'll set admins up via the Rails console instead.
1:48 But in the bad old days of web development, malicious users could just add their own parameters to requests.
1:55 They could add an is_admin field and set it to true.
1:58 The server would simply accept the parameter and update the database record.
2:02 Suddenly their user would be treated as an admin and could cause all sorts of havoc.
2:07 That's why Rails has a feature called strong parameters.
2:11 In every controller, you specify a list of parameters that controller will accept.
2:15 In our hypothetical scenario, name would be a permitted parameter for the users controller, but is_admin would not.
2:22 If someone tried to add an is_admin parameter to a POST request, it would get rejected [SOUND], and everyone could breathe a sigh of relief.
2:30 So the problem here is that for a post controller, body isn't a permitted parameter.
2:35 Rails was mistakenly trying to protect us from the body parameter as if it was malicious.
2:40 We need to add body to the list of permitted parameters, so that it can get through.
2:45 We can see here in the log that the POST request is being processed by the create method of the post controller.
2:52 Let's open that file at app/controllers/posts_controller.rb.
2:58 If we scroll down and look at the create method, we can see that it's calling another method named post_params, and using the return value to create a new post object.
3:09 The post_params method is defined down here at the bottom of the controller.
3:14 Here at the end of the method you can see the list of permitted parameters.
3:18 There's only one right now, the title parameter.
3:21 So, we'll add another one for the body parameter.
3:25 Let's save our work.
3:27 And now if we fill out the form to create a new post, you'll see that the body is accepted.
3:37 The same is true for updating an existing post.
3:40 If we provide a body and submit the form, you'll see that it gets updated.
3:47 We've got everything working.