This course will be retired on June 1, 2025.

Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Rails Routes and Resources

Well done!

You have completed Rails Routes and Resources!

Sign up for Treehouse Back to Library
Preview
Video Player
00:00
00:00
00:00
  1. 2x 2x
  2. 1.75x 1.75x
  3. 1.5x 1.5x
  4. 1.25x 1.25x
  5. 1.1x 1.1x
  6. 1x 1x
  7. 0.75x 0.75x
  8. 0.5x 0.5x
Use Up/Down Arrow keys to increase or decrease volume.

Controller Action to Create Pages

11:27 with Jay McGavren

We've set up a route so that form submissions get sent to the PagesController's create method. But that method doesn't exist yet. Let's set it up now. Within the create method, we're going to need to specify which parameters are safe to use to create the new Page object.

We've set up a route, so that form submissions get sent to 0:00
the PagesController's create method, but that method doesn't exist yet. 0:03
Let's set it up now. 0:08
We'll go into the app controllers folder, open up the pages controller, 0:09
and add a new create method down here at the bottom. 0:14
Within the method, our form parameters will be available within the params 0:21
object, just like the URL parameters were before. 0:25
Let's look at the contents of params. 0:29
We'll render our responses as plain text, so 0:31
we don't have to create an ERB template. 0:33
So, we'll call render, and we'll give it a keyword argument of text. 0:36
Then we'll take the params objects and call a method name to_json on it 0:42
to convert it to JavaScript object notation format. 0:46
That will allow us to see the entire object easily. 0:50
Save that, and resubmit the form, and you'll see Json similar to this. 0:53
Let's try to use these parameters to create a new page object. 0:59
We'll assign our object to the page instance variable. 1:03
To create the object, we'll call Page.new, and pass the parameters as an argument. 1:07
Save that and go back to our browser. 1:15
But if we resubmit the form, we'll see an ActiveModel::ForbiddenAttributesError. 1:18
The problem is that we tried to use parameters to create a new model object 1:23
without specifying which parameters are allowed for use. 1:26
Remember how we showed you a scenario where a malicious user added the parameter 1:30
to a POST request turning himself into a site admin and causing all sorts of havoc? 1:34
That's what's going on here, 1:39
rails is trying to protect your app from unwanted parameters. 1:40
That's why rails uses the strong parameters library. 1:44
Strong parameters helps keep your apps from hacked, by requiring you to specify 1:47
which parameters are allowed, before you can use them to create a model object. 1:51
Let's look at the contents of params again, and see which ones we should allow. 1:56
We'll delete this line that creates a new page from our controller. 2:00
And then we'll resubmit our form data to see the parameters. 2:03
There's a bunch of stuff, like the authenticity token and 2:09
the controller parameters that we don't really need. 2:13
Rails just uses those internally. 2:15
So, we'll need to discard those. 2:18
It looks like everything we actually need to build a page object is nested here in 2:20
this group of parameters, and if I scroll off to the right here, 2:24
you can see that that is all stored under the page parameter. 2:28
The page parameter has this other parameters object nested under it. 2:33
The parameters object that's nested under page itself has title, body, and 2:37
slug parameters. 2:42
The object in params acts a lot like a hash with keys and 2:44
values you can access, but it's actually not a hash. 2:47
Let's update our controller to show you the class of params. 2:51
So, we'll change this to params.class. 2:56
Reload and confirm our form resubmission. 2:59
And you can see it's actually an action controller parameters object. 3:03
So, why doesn't rails just use a hash? 3:07
Among other things, an action controller parameters object has a convenient require 3:10
method that allows you to specify that certain parameters have to be present, 3:14
as well as a permit method that allows you to specify which parameters are allowed. 3:18
Let me show you how this works in the rails console. 3:23
So, we'll go back to our terminal, quit out of our server if it's running. 3:25
And run bin/rails c to launch the console. 3:29
First, I'll manually create my own action controller parameters object and 3:35
assign it to the program's variable. 3:39
So, we'll set up our variable, and then call ActionController:: 3:42
Parameters.new. 3:49
I'll spread this over several lines since that's pretty long. 3:54
So first, I'll throw a parameter in 3:58
there to represent all the stuff that Rails uses internally. 4:00
I'll put a comma there, which will allow me to go down to another line. 4:07
And we'll nest a bunch of other parameters under the page parameter. 4:11
So, we'll say page. 4:15
And then we'll put a hash here, which will give us a nested parameter object, 4:17
once this parameter object is created. 4:22
Within that hash, we'll set up a title parameter, with value of title. 4:25
Body of body, and 4:31
a slug of slug. 4:35
Let's also throw in a fake malicious parameter in there. 4:41
Remember, we had an attacker try to add an is_admin attribute before. 4:45
We'll try adding that here, as well. 4:50
We'll end our page parameter, and 4:55
we'll end the entire ActionController::Parameters.new call. 4:57
The Rails console shows the resulting object. 5:02
Notice this permit that should be done on the end here. 5:04
If you try to use an action controller parameters object where 5:08
permitted is false to set an object's attributes, you'll get an error. 5:11
So, let's try creating a new page object. 5:15
We'll called Page.new, and we'll pass at this params object, and 5:19
remember, permitted is false on this object. 5:23
We get an error. 5:26
Scroll up to show you, ActiveModel::Forbidden 5:28
AttributesError, just like we saw in our browser earlier. 5:31
That's the strong parameters protection kicking in. 5:34
Before we can use these parameters to update model objects, 5:38
we're going to need to indicate which parameters are required to be present. 5:41
So, that requests without them can be rejected. 5:45
We'll also need to indicate which parameters are permitted, so 5:48
that other possibly malicious parameters can be discarded. 5:51
For example, that is admin attribute. 5:55
Let's start by indicating a parameter that's required using the required method. 5:58
All the parameters we actually want title, body and 6:02
slug are nested in another parameter object under the page parameter. 6:05
We wouldn't want to accept any requests that didn't include page. 6:11
So, we'll call require with a symbol, page. 6:15
The require method returns the value of the parameter being required, which, 6:20
in this case, is another ActionController::Parameters object. 6:24
Notice that permitted is also false on this object. 6:28
That's because we didn't get this object by calling the permit method, so 6:32
we still can't use it to create a model object. 6:36
Now, let's try calling permit on this new parameters object to indicate which 6:39
parameters are permitted, and to discard that unwanted is_admin parameter. 6:43
We'll chain the methods together. 6:48
Calling permit directly on the return value of require. 6:49
We'll permit just the title parameter for now. 6:53
So, we'll pass a symbol of title to the permit method. 6:56
We got back a new parameters object. 7:00
It contains only the title parameter, since that was the only one we permitted. 7:02
And notice that the permitted attribute is now set to true. 7:06
That means we can use this parameters object to create a new page object. 7:10
Let's try that out. 7:15
We'll take the same command and pass the result to a call to Page.new. 7:15
So, Page.new here at the beginning. 7:21
And we'll wrap all this in parentheses. 7:24
So, we take our params object. 7:27
We require the page parameter, we permit the title parameter within that object, 7:30
and then we pass the whole thing to Page.new. 7:34
And instead of an error, we'll get a new page object back. 7:38
Only the title attribute has been set on the page though. 7:42
So now, let's permit the other parameters. 7:45
Permit takes any number of arguments, each representing a parameter you want to 7:48
permit, so we can add on a body parameter. 7:51
And the body attribute of our page objects will be set. 7:56
Finally, we can add on the slug parameter. 8:00
And the slug attribute will be set as well, 8:05
there's also no sign of that malicious is_admin parameter. 8:07
We've successfully used parameters to build a page object. 8:11
Of course, these are just fake user parameters. 8:14
So now, let's do the same thing for the parameters from our form. 8:17
Exit the console, we start our rail server, 8:21
since we're going to need that in a moment. 8:24
Okay, and here in the create method, 8:27
which is going to process the submission from our form for a new page. 8:28
We're going to set up a page_params variable to hold our parameters object, 8:34
and the parameters coming back from the form will be in params. 8:40
So, within the page parameter of that parameters objects, 8:44
the other parameters we need are nested. 8:48
So, we're gonna call, we're gonna require the page parameter. 8:51
And that will get us a parameter object back, then on that object, 8:57
we're going to call permit. 9:00
And we're going to permit the title, body and slug parameters. 9:03
And the resulting parameters objects will get stored in the page_params variable. 9:10
Now, we'll take that parameters objects, and 9:15
can create a new page object based on it. 9:16
So, we'll call Page.new, pass page_params to it, 9:19
and that should get us a new page object with its title, body and slug and 9:26
attributes set. 9:30
We'll assign the result to the page instance variable. 9:31
Lastly, we want to save that page record to our database. 9:35
So, we'll take the page object and we'll call save on it. 9:38
So, let's hit save in our editor, go back to our browser, and resubmit our form. 9:42
And there's no error this time, actually nothing at all seems to happen. 9:47
But if we go back to our list of all pages and 9:54
refresh the browser, there is our new page. 9:57
We don't want the browser to just sit there showing the form after we've 10:00
submitted them. 10:03
So, the final thing we'll do is to tell the browser to load the view for 10:04
the new page once it's saved. 10:07
To do this, we'll add a call to the redirect_to method. 10:10
We'll pass redirect_to our new page object. 10:16
The redirect_to method tells Rails to send a redirect response to the browser. 10:19
Redirects caused the browser to request a new URL. 10:24
In this case, since we're passing a page object to redirect_to, 10:27
the browser will be told to request the URL of that page object. 10:31
So, we save this, go back to our browser, and 10:36
bring up the new page form and submit it. 10:39
Once the record is saved, we will be redirected to view that page. 10:46
We've learned a lot about Rails' strong parameters library in this video. 10:50
If you'd like to know more, be sure to check out the teacher's notes. 10:54
Impressive. 10:58
You had to set up two routes for this stage, one for get requests for a form, 10:59
and another for post requests to submit the form data. 11:03
You set up a controller action and a view to display the form, and 11:06
another controller action to create a new model object based on the form data. 11:10
The tough part is over. 11:15
In the next stage, we're going to set up a form to let users modify existing pages. 11:16
We'll be following much the same pattern that we did in this stage. 11:21
We'll present the form, and then accept form submissions. 11:24