Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
class PostsController < ActionController::Base
def create
Post.create(post_params)
end
def update
Post.find(params[:id]).update_attributes!(post_params)
end
private
def post_params
params[:post].slice(:title, :content)
end
end
@JoshCheek
Copy link

JoshCheek commented Apr 7, 2012

I'd love to see validations also move out of the model.

@sobrinho
Copy link

sobrinho commented Apr 7, 2012

@JoshCheek you can do that using active model ;)

@keithtom
Copy link

keithtom commented Dec 11, 2012

Sweet pattern, and I like the simplicity. One thing though:

If someone forgets, or is unaware of the pattern, then you can potentially expose unwanted mass-assignment.

Perhaps, we can combine the strategies so that you can restrict assignment of certain attributes at the model layer, and then have this pattern act more as a 'mark as safe to mass assign'. This seems like it allows controller endpoints to dictate what inputs are acceptable, while letting the model dictate what attributes require additional checks.

As far as actual implementation, it might look more like

@resource.allow_assignment(:password, :password_confirmation)
@resource.update_attributes(params[:resource])

This of course doesn't have to be in a controller. It is really just the idea of forcing developers to explicitly say, "I really want to mass-assign these attributes here".

Thoughts?

@keithtom
Copy link

keithtom commented Dec 11, 2012

Ah just read the strong_params gem. nevermind...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment