How is this:

    def model1_params
      params.require(:model1).permit(:key1, :key2)
    end

more secure than this?

    def model1_params
      params.permit(:key1, :key2)
    end

Why is require(:model1) required?

It's not really more secure, it's just a way of organizing params into objects.
If you say params.require(:model).permit(:a) that's expecting the params to come in as { model: { a: <val> } }. This nested-hash style namespacing is the default for generated scaffolds, but routes work perfectly fine without it (I haven't used params.require in a while).
The point of secure params is to prevent you from doing something like model.update(params), which is insecure because then clients can update any attributes they choose, such as id. The <model>_params methods used to implement secure params are basically filter functions that return a whitelisted version of the params hash.
So you don't need to use params.require or params.permit, you can write it from scratch if you want:

    def whitelisted_params
      # Keys in params are strings, so compare against strings, not symbols.
      params.select { |key, _value| key.in? %w[my whitelisted params] }
    end

params.permit(:key1, :key2) is not secure. It is because you are directly permitting the params without associating it with an object.
On the other hand, params.require(:model1).permit(:key1, :key2) is more secure because you are binding keys with the object.
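
What require and permit each do to a request body, shown as an added example that is not part of the original thread. MiniParams is a hypothetical, simplified stand-in for ActionController::Parameters (not Rails' implementation), and the request bodies are constructed.

```ruby
# MiniParams: hypothetical, simplified stand-in for ActionController::Parameters.
class ParameterMissing < KeyError; end

class MiniParams
  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  # require: the key must be present and non-empty. It scopes into the nested
  # hash but filters nothing; the result is still unpermitted.
  def require(key)
    value = @hash[key.to_s]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    value.is_a?(Hash) ? MiniParams.new(value) : value
  end

  # permit: keep only the listed scalar keys and mark the result as permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    kept = @hash.select { |k, v| allowed.include?(k) && !v.is_a?(Hash) && !v.is_a?(Array) }
    MiniParams.new(kept, permitted: true)
  end

  # Mass assignment only accepts permitted params.
  def to_h
    raise ArgumentError, "unpermitted parameters" unless @permitted
    @hash.dup
  end
end

# Constructed request bodies: the client sends an extra "admin" field.
NESTED = { "model1" => { "key1" => "a", "key2" => "b", "admin" => "true" } }.freeze
FLAT   = { "key1" => "a", "key2" => "b", "admin" => "true" }.freeze

def nested_style(body)
  MiniParams.new(body).require(:model1).permit(:key1, :key2).to_h
end

def flat_style(body)
  MiniParams.new(body).permit(:key1, :key2).to_h
end

p nested_style(NESTED) # "admin" is dropped by permit
p flat_style(FLAT)     # "admin" is dropped by permit here too
p flat_style(NESTED)   # nothing matches at the top level
```

In both styles the extra "admin" key is removed by permit; require only decides which level of the hash is filtered and raises when that level is absent.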