
Why “permit” in Strong Parameters?

How is this:

 def model1_params
   params.require(:model1).permit(:key1, :key2) 
 end

more secure than this?

 def model1_params
   params.permit(:key1, :key2)
 end

Why is require(:model1) required?

It's not really more secure; it's just a way of organizing params into objects.

If you say params.require(:model).permit(:a), that's expecting the params to come in as { model: { a: <val> } }. This nested-hash style namespacing is the default for generated scaffolds, but routes work perfectly fine without it (I haven't used params.require in a while).

The point of secure params is to prevent you from doing something like model.update(params), which is insecure because then clients can update any attributes they choose, such as id. The <model>_params methods used to implement secure params are basically filter functions that return a whitelisted version of the params hash.

So you don't need to use params.require or params.permit; you can write it from scratch if you want:

  def whitelisted_params
    # Parameter keys are strings, so compare against string names; to_unsafe_h
    # yields a plain hash, which the mass-assignment permitted? check accepts
    params.to_unsafe_h.select { |key, _value| key.in?(%w[my whitelisted params]) }
  end
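
To make the difference between the two forms concrete, here is an added example that is not part of the original question or answers and does not use actionpack: a small stand-in class that reproduces the require/permit behaviour of Rails' ActionController::Parameters (missing-key rejection, whitelisting, and the permitted flag that the mass-assignment guard checks), plus a model whose update refuses unpermitted params the way ActiveRecord does. The class names Params and Model1, the two request hashes, and the helper methods are constructed for this example.

```ruby
# Added example, not from the original Q&A: a stand-in for Rails'
# ActionController::Parameters so the require/permit semantics can be run
# without actionpack. Names mirror Rails; request bodies are constructed here.

class ParameterMissing < StandardError; end
class ForbiddenAttributesError < StandardError; end

class Params
  attr_reader :permitted
  alias permitted? permitted

  def initialize(hash, permitted: false)
    # Rails stores parameter keys as strings, whatever the caller used
    @hash = hash.to_h { |k, v| [k.to_s, v] }
    @permitted = permitted
  end

  # require(:model1): the nested object must be present and non-empty,
  # otherwise the request is rejected (Rails turns this into a 400 response)
  def require(key)
    value = @hash[key.to_s]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # permit(:a, :b): keep only the listed scalar keys and mark the result as
  # safe for mass assignment; anything else, such as "id", is dropped
  def permit(*keys)
    allowed = keys.map(&:to_s)
    kept = @hash.select { |k, v| allowed.include?(k) && !v.is_a?(Hash) }
    Params.new(kept, permitted: true)
  end

  def to_h
    raise ForbiddenAttributesError unless permitted?
    @hash.dup
  end

  def [](key)
    @hash[key.to_s]
  end

  def keys
    @hash.keys
  end
end

# A model with ActiveRecord-style mass-assignment protection: update refuses
# any params object that has not been through permit.
class Model1
  attr_reader :attributes

  def initialize(attributes = {})
    @attributes = attributes
  end

  def update(attrs)
    raise ForbiddenAttributesError if attrs.respond_to?(:permitted?) && !attrs.permitted?
    @attributes = @attributes.merge(attrs.to_h)
    self
  end
end

# Constructed request bodies: one shaped like a scaffold form (nested under
# "model1"), one flat. Both smuggle an "id" the client should not control.
NESTED_REQUEST = { "model1" => { "key1" => "a", "key2" => "b", "id" => 999 }, "other" => "x" }.freeze
FLAT_REQUEST   = { "key1" => "a", "key2" => "b", "id" => 999 }.freeze

# The two controller-style filters from the question
def model1_params_nested(params)
  params.require(:model1).permit(:key1, :key2)
end

def model1_params_flat(params)
  params.permit(:key1, :key2)
end

if __FILE__ == $PROGRAM_NAME
  p model1_params_nested(Params.new(NESTED_REQUEST)).to_h   # {"key1"=>"a", "key2"=>"b"}
  p model1_params_flat(Params.new(FLAT_REQUEST)).to_h       # {"key1"=>"a", "key2"=>"b"}
  begin
    model1_params_nested(Params.new(FLAT_REQUEST))          # no "model1" key
  rescue ParameterMissing => e
    puts "require rejected the flat body: #{e.message}"
  end
  begin
    Model1.new.update(Params.new(FLAT_REQUEST))             # raw params, never permitted
  rescue ForbiddenAttributesError
    puts "update refused unpermitted params"
  end
end
```

Both filters strip the injected "id"; the only behavioural difference is that the require form raises when the body is not nested under "model1", which in real Rails surfaces as ActionController::ParameterMissing and a 400 Bad Request, while the flat form simply ignores whatever is outside its list. Real Rails also logs (or raises, depending on config.action_controller.action_on_unpermitted_parameters) when keys such as "id" are dropped, which this stand-in does silently.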

params.permit(:key1, :key2) is not secure. It is because you are directly permitting the params without associating it with an object.
On the other hand, params.require(:model1).permit(:key1, :key2) is more secure because you are binding keys with the object.

© 2020-2024 STACKOOM.COM