-
Star
(246)
You must be signed in to star a gist -
Fork
(45)
You must be signed in to fork a gist
-
-
Save dhh/1975644 to your computer and use it in GitHub Desktop.
class PostsController < ActionController::Base | |
def create | |
Post.create(post_params) | |
end | |
def update | |
Post.find(params[:id]).update_attributes!(post_params) | |
end | |
private | |
def post_params | |
params[:post].slice(:title, :content) | |
end | |
end |
Without the introduction of a deep slice implementation, this approach won't work well with nested attributes/forms. The model will still be the goto spot. A deep slice method in all its recursive glory will be a cpu hog as well :/
I'm not sure if slice supports it, but there are ways to support nested attributes using this technique
params[:post].slice(:title, :content, friends: [ :name, { family: [ :name ] }])
I'd love to see validations also move out of the model.
@JoshCheek you can do that using active model ;)
Sweet pattern, and I like the simplicity. One thing though:
If someone forgets, or is unaware of the pattern, then you can potentially expose unwanted mass-assignment.
Perhaps, we can combine the strategies so that you can restrict assignment of certain attributes at the model layer, and then have this pattern act more as a 'mark as safe to mass assign'. This seems like it allows controller endpoints to dictate what inputs are acceptable, while letting the model dictate what attributes require additional checks.
As far as actual implementation, it might look more like
@resource.allow_assignment(:password, :password_confirmation)
@resource.update_attributes(params[:resource])
This of course doesn't have to be in a controller. It is really just the idea of forcing developers to explicitly say, "I really want to mass-assign these attributes here".
Thoughts?
Ah just read the strong_params gem. nevermind...
this is great for a simple case, but sometimes slice isn't enough, e.g. nested attributes, and also date/time fields that come in like
"posted_on(1i)"=>"2010", "posted_on(2i)"=>"3", "posted_on(3i)"=>"3"
What about a way to have
form_for
send to the controller which fields actually exist in the form (how to do this in a tamper-proof fashion is a good question, an encrypted serialized hash of the legitimate keys would be needed) - any params that are not actually in theform_for
block would be ignored. Of course there would need to be a way to whitelist other fields in case they were legitimately added client-side via JS.That way you wouldn't have the model concerned about current user roles and authz, or even the controller. If a field exists in the form, then it seems safe to presume the corresponding param is meant to be changed via that form instance, and v/v.