Rails Strong Params

Taking control of your back end

Wendy Raven McNair
3 min read, Sep 8, 2021

When receiving input from outside of your app, there’s a risk of inadvertently giving users the ability to change sensitive information that they shouldn’t be changing. For example, a user should not be able to change their account balance directly (they could change an actual balance of $20 to display a $20 million balance without depositing any money). However, you would want a user to enter transaction data that adjusts the account balance based on the account id.

Rails gives programmers the ability to restrict what information users can send into the Rails back end. This is done by explicitly identifying which attributes are allowed in params. Params is short for parameters; it is a hash containing the data passed in to the controller.

The convention is to define the params method as a private method at the bottom of the controller file. Name the params method using the name of the controller followed by an underscore and params. You call require on params and pass in the name of the controller. Then you call permit on the result and pass in only the attributes you want to be permissible.

This method restricts the user to selecting which of their accounts they want to transact (ex. a savings or checking account), it allows the user to pass in what type of transaction they are conducting (ex. deposit or withdraw), and it allows the user to enter the transaction amount.

Now that the params method is in place, incoming data will be checked before it’s allowed through. If it passes the check, the permitted data is then available to the appropriate action. For example, to create a transaction, the strong params would be used in the create action.

The user would enter their transaction information in a digital form. If the user’s checking account ID was 7 and they were withdrawing $100, the params hash passed would be:
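As an added example that is not the post’s own code: a small pure-Ruby stand-in for ActionController::Parameters that reproduces the require/permit behaviour described above, run against that $100 withdrawal from account 7 with an extra, tampered balance key. The class name FakeParams, the attribute name transaction_type and the constructed request body are assumptions.

```ruby
# Minimal stand-in for ActionController::Parameters (assumption: this is
# NOT Rails' implementation, it only mimics top-level require/permit so the
# filtering can be observed without a running Rails app).
class ParameterMissing < StandardError; end

class FakeParams
  def initialize(hash)
    # Accept string or symbol keys, as a Rails params hash does.
    @hash = hash.transform_keys(&:to_sym)
  end

  # Like Rails' `require`: the key must be present and non-empty, otherwise
  # a ParameterMissing error is raised (Rails answers with 400 Bad Request).
  def require(key)
    value = @hash[key.to_sym]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    FakeParams.new(value)
  end

  # Like Rails' `permit`: keep only the listed attributes; anything else the
  # client sends (e.g. a :balance key) is silently dropped.
  def permit(*keys)
    allowed = keys.map(&:to_sym)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Mirrors the private transaction_params method the post describes.
def transaction_params(params)
  FakeParams.new(params)
            .require(:transaction)
            .permit(:account_id, :transaction_type, :amount)
end

# Constructed request body: a $100 withdrawal from checking account 7 that
# also smuggles in a :balance key, which must never reach the model.
TAMPERED_REQUEST = {
  transaction: {
    account_id: 7, transaction_type: "withdraw", amount: 100,
    balance: 20_000_000
  }
}

if __FILE__ == $PROGRAM_NAME
  p transaction_params(TAMPERED_REQUEST) # balance is gone
end
```

Only account_id, transaction_type and amount survive the permit call; a missing :transaction key raises instead of passing an empty hash through.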

For more detailed information on using strong params, consult the documentation here.

And then go celebrate your new found control with Janet here.
