Tuesday, July 16, 2013

"Strong parameters" is for controlling mass assignment, not for validation.

Since rails4, controller has new feature called "strong parameters".


"strong parameters" is an alternative for controlling mass assignment. The original ones are known as attr_accessible and attr_protected on ActiveRecord/ActiveModel until rails3. But, because of "Mass Assingment Vulnerability(CVE-2012-2055)" in last year, these features are considered they should be on controller, should not be on ActiveRecord/ActiveModel. So that "strong parameters" begins.

And, the most important thing is, -"strong parameters" is JUST for controlling mass assignment, not for validation-. ActiveRecord/ActiveModel still have their own (and well known) validation features. that's natural because ActiveRecord/ActiveModel is not only used from Web (controllers) but also from non-Web (batches).

No comments:

Post a Comment