#strong params

Hackers keep getting smarter, with more powerful and tricky machines to back them up! It’s important to stay on top of your application site security. 

One of the ways we do this in Rails is to use Strong Parameters. What strong params do is to ONLY permit certain parameters to be included in a params hash (particularly when creating or updating a database record). This helps prevent attacks that try to include database manipulation such as deleting records not associated with the one the hacker is creating, OR for the hacker to try giving themselves additional permissions in your site (such as setting themselves up as an admin user).

It is convention to call upon a method that defines what these strong parameters are within the arguments passed to new and update.

user = User.new(user_params) ... def user_params     params.require(:user).permit(:name,                                                                                                                 :address,                                                                                                             :phone_number,                                                                                                 :password_digest)

end

http://www.sitepoint.com/complex-rails-forms-with-nested-attributes/

http://stackoverflow.com/a/21983998/1964078

I'd like to tell you a (cheesy, overly dramatic) story:

One dark and stormy night, you're given a ticket that requires you to rename some data columns and rearrange a few form inputs. In your arrogance, you confidently determine this will take you no time at all. Thunder flashes. This is totally not foreshadowing.

You successfully migrate the database. You successfully rearrange the form inputs. All your tests pass. You are feeling pretty self sufficient, like a god/dess among junior developers. You decide, since you are a conscientious team member, to manually fill in the form and watch the magic happen.

Only nothing happens. The form cheerfully proclaims it's success, but your data has clearly not been saved. You vainly try to find the problem for an hour, but eventually, BAMFness severely deflated, have to ask for help. This is when your boss/mentor discovers within minutes that you've forgotten to update the permitted parameters in your controller.

As you may have guessed, it's my own hubris I'm describing here. But! I have learned something that can help you avoid this terrible tale of woe.

Add this line to your config/environments/test.rb and config/environments/development.rb:

# Raise an error when sending unpermitted parameters config.action_controller.action_on_unpermitted_parameters = :raise

This lovely little incantation (which you can read more about on the strong parameters repo) will throw an exception when you send unpermitted keys, rather than silently swallowing them. So, instead of this:

You'll get this:

Never thought you'd be happy to see that page, huh?