Tuesday, July 16, 2013

"Strong parameters" is for controlling mass assignment, not for validation.

Since Rails 4, controllers have a new feature called "strong parameters".

rails/strong_parameters

"strong parameters" is an alternative for controlling mass assignment. The original ones are known as attr_accessible and attr_protected on ActiveRecord/ActiveModel until rails3. But, because of "Mass Assingment Vulnerability(CVE-2012-2055)" in last year, these features are considered they should be on controller, should not be on ActiveRecord/ActiveModel. So that "strong parameters" begins.

And the most important thing is: "strong parameters" is JUST for controlling mass assignment, not for validation. ActiveRecord/ActiveModel still have their own (and well-known) validation features. That is natural, because ActiveRecord/ActiveModel are used not only from the Web (controllers) but also from non-Web code (batches).
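To make the distinction concrete, here is an added example (not from the post and not Rails' own code): a tiny stand-in for ActionController::Parameters, a model with one validation, and a constructed request. `Params`, `User`, `create_user` and `create_user_unsafe` are hypothetical names; no Rails installation is needed.

```ruby
# Added example. `Params` is a hypothetical, simplified stand-in for
# ActionController::Parameters: require() picks the sub-hash, permit() keeps
# only whitelisted keys. It never looks at the *values*, which is validation's job.
class Params
  def initialize(hash)
    @hash = hash
  end

  def require(key)
    raise KeyError, "param is missing: #{key}" unless @hash.key?(key)
    Params.new(@hash[key])
  end

  # Keep only permitted keys; anything else (e.g. :admin) is silently dropped.
  def permit(*keys)
    @hash.select { |k, _| keys.include?(k) }
  end
end

# A model with its own validation, independent of the controller layer.
class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) } # mass assignment
  end

  # Validation judges values; it does not care where the hash came from.
  def valid?
    !email.to_s.empty? && email.include?('@')
  end
end

# Without strong parameters: every key in the request is mass-assigned.
def create_user_unsafe(request_params)
  User.new(request_params[:user])
end

# With strong parameters: only :name and :email can reach the model.
def create_user(request_params)
  User.new(Params.new(request_params).require(:user).permit(:name, :email))
end

# Constructed request: an unexpected extra key and an invalid email address.
REQUEST = { user: { name: 'alice', email: 'not-an-email', admin: true } }.freeze
```

`create_user` strips `:admin`, yet the resulting record still fails `valid?`: filtering keys and validating values are separate jobs.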
