Rails Strong参数：允许在控制器中使用参数

Question

I have a User model which as an internal field say some_internal_id . I do not want external users to be able to enter it (via mass assignment). Ideally I should not permit it in the user_params function.

Ideal Situation:

Create method assigns the internal param, something like this:

 def create
    user_params[:some_internal_id] = rand(100)
    @user = User.new(user_params)
    @user.save
 end

 # Never trust parameters from the scary internet, only allow the white list through.
 # No need to permit some_internal_id param here
def user_params
  params.require(:user).permit(:name, :age)
end

The code above throws an Unpermitted parameter: some_internal_id error.

The following works but looks a bit hacky

The following solves what I am trying to do, but doesn't look a very clean approach:

def create
    @user = User.new(user_params)
    @user.save
 end

# Never trust parameters from the scary internet, only allow the white list through.
def user_params
  params[:user][:some_internal_id] = rand(100)
  params.require(:user).permit(:some_internal_id, :name, :age)
end

Is there a better approach where I can permit and set a param in create method - close to where the object is being saved ?

Answer 1

Just assign your internal parameter manually, right before save:

def create
   @user = User.new(user_params)
   @user.some_internal_id = rand(100)
   @user.save
end

To write it as a 1 call, you can use User.create block syntax:

@user = User.create(user_params) do |user| # first, assign these attributes
  user.some_internal_id = rand(100)        # then yield user to the block
end                                        # and, finally, save

Answer 2

我通常在强参数permit 之后将其他属性合并到参数中：

@user = User.new user_params.merge(some_internal_id: rand(100))