This course will be retired on June 1, 2025.
Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll
Start a free Courses trial
to watch this video
We've set up a route so that form submissions get sent to the PagesController's create method. But that method doesn't exist yet. Let's set it up now. Within the create method, we're going to need to specify which parameters are safe to use to create the new Page object.
Important Update
This video recommends calling render text:
, which works fine in Rails 5.0 (the recommended version to use when following along with this course). But if you happen to have generated your app using Rails 5.1 or later, render text:
no longer works.
In both Rails 5.0 and 5.1, you can replace render text:
with render plain:
, and it will work correctly.
Strong Parameters
Suppose you have a parameters object with a bunch of parameters you don't want. All the parameters you do want are nested under the page
parameter:
2.3.0 :007 > params
=> <ActionController::Parameters {"stuff"=>"%$\#@", "page"=>{"title"=>"title", "body"=>"body", "slug"=>"slug", "is_admin"=>"true"}} permitted: false>
Before we can use these parameters to create a model object, we're going to need to indicate which parameters are required to be present, so that requests without them can be rejected. We'll also need to indicate which parameters are permitted, so that other, possibly malicious parameters can be discarded.
The require
method indicates a parameter that's required. So, we'll call require with the symbol :page.
2.3.0 :008 > params.require(:page)
=> <ActionController::Parameters {"title"=>"title", "body"=>"body", "slug"=>"slug", "is_admin"=>"true"} permitted: false>
The require method returns the value of the parameter being required, which in this case is another ActionController::Parameters object.
The permit
method takes the names of one or more parameters that are permitted. Let's try calling permit
on this parameters object, to indicate which parameters are permitted (and to discard that unwanted is_admin parameter). We'll chain the methods together, calling permit
directly on the return value of require
.
2.3.0 :009 > params.require(:page).permit(:title)
=> <ActionController::Parameters {"title"=>"title"} permitted: true>
We got back a new parameters object. It contains only the title parameter, since that was the only one we permitted. And notice that the permitted
attribute of the object is true this time. That means we can use it to create a new model object.
Let's try that out. We'll take the same command, and pass the result to a call to Page.new...
2.3.0 :010 > Page.new(params.require(:page).permit(:title))
=> #<Page id: nil, title: "title", body: nil, slug: nil, created_at: nil, updated_at: nil>
Instead of an error, we get a new Page
object back. And because we permitted the title
parameter, the Page
object's title
attribute is set.
Related Discussions
Have questions about this video? Start a discussion with the community and Treehouse staff.
Sign upRelated Discussions
Have questions about this video? Start a discussion with the community and Treehouse staff.
Sign up
You need to sign up for Treehouse in order to download course files.
Sign upYou need to sign up for Treehouse in order to set up Workspace
Sign up