By Hint.io
In our experience with UpgradeRails, the migration from protected_attributes to strong_parameters can leave more questions than answers. It can be difficult to determine what data is originating from within the app and what is coming from the internet.
Moderate Parameters is a set of tools that logs where the data reaching your controllers comes from, by extending ActionController::Parameters.
Add this line to your application's Gemfile:
gem 'moderate_parameters'
And then execute:
$ bundle
Or install it yourself as:
$ gem install moderate_parameters
Then add the initializer by running:
$ bundle exec rails g moderate_parameters:install
This adds an initializer to your Rails app for turning the logging on and off.
Given a form at /people/new that submits data to the PeopleController#create action like so:
{ person: { name: 'Kyle', age: '26', height: '180' } }
With a model that looks like:
class Person < ActiveRecord::Base
attr_accessible :name, :age, :height
. . .
end
And a controller that looks like this:
class PeopleController < ActionController::Base
def create
Person.create(params[:person])
end
. . .
end
We can add moderate_parameters by following the strong_parameters implementation method with a couple of slight changes. Add a private params method to the controller that calls moderate (with controller_name and action_name as the first two arguments) instead of permit:
class PeopleController < ActionController::Base
def create
Person.create(person_params) # Was Person.create(params[:person])
end
. . .
private
def person_params
params.require(:person).moderate(controller_name, action_name, :name)
end
end
This causes person_params to flow exactly as before (everything is passed to the model unchanged; moderate filters nothing), but any params that are not listed in the arguments of moderate are logged to log/moderate_parameters.log. After submitting the data above, log/moderate_parameters.log will therefore contain:
people#create Top Level is missing: age
people#create Top Level is missing: height
We can fix this by adding age and height to person_params like so:
class PeopleController < ActionController::Base
def create
Person.create(person_params)
end
. . .
private
def person_params
params.require(:person).moderate(controller_name, action_name, :name, :age, :height)
end
end
We can then submit the form at /people/new again and see that no new lines are added to log/moderate_parameters.log.
This means that we can remove moderate_parameters and move to using permit as the final step of the strong_parameters migration:
class PeopleController < ActionController::Base
def create
Person.create(person_params)
end
. . .
private
def person_params
params.require(:person).permit(:name, :age, :height)
end
end
It is only AFTER this final step of the strong_parameters migration has been completed that you can safely remove the attr_accessible line from the model. Until permit is in place, that model-side whitelist is the only thing preventing mass assignment of unexpected attributes, because moderate passes every submitted param through to the model:
class Person < ActiveRecord::Base
# attr_accessible :name, :age, :height
. . .
end
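The walkthrough above, condensed into a plain-Ruby model so it runs without Rails. This is an added example, not the gem's code: the real gem extends ActionController::Parameters and appends to a log file, while AuditParams below wraps a plain Hash and keeps the log lines in memory, and Person stands in for an ActiveRecord model under protected_attributes. Only flat, top-level keys are handled, as in the Person example on this page. The extra 'admin' field in the request and the names AuditParams, create_with_moderate and create_with_permit are constructed for illustration. The example goes one step past the page to show why the attr_accessible line must stay until permit is in place: with moderate, an unexpected attribute reaches the model and only the model's whitelist stops it.

```ruby
# Added example (not the moderate_parameters gem's code): a plain-Ruby model of
# the moderate -> permit migration. AuditParams stands in for
# ActionController::Parameters; Person stands in for an ActiveRecord model
# using attr_accessible. Only flat, top-level keys are modelled.
require 'set'

# Stand-in for ActionController::Parameters.
class AuditParams
  attr_reader :log # lines the gem would append to log/moderate_parameters.log

  def initialize(hash, log = [])
    @hash = hash.transform_keys(&:to_s)
    @log = log
  end

  def require(key)
    value = @hash.fetch(key.to_s) { raise KeyError, "param is missing: #{key}" }
    AuditParams.new(value, @log)
  end

  # moderate: log every key that is NOT in the allow-list, then hand back the
  # whole hash untouched. Nothing is filtered, which is why the model-side
  # attr_accessible list must stay in place while this is in use.
  def moderate(controller, action, *allowed)
    allowed_names = allowed.map(&:to_s).to_set
    @hash.each_key do |k|
      next if allowed_names.include?(k)

      @log << "#{controller}##{action} Top Level is missing: #{k}"
    end
    @hash.dup
  end

  # permit: drop every key not in the allow-list. This is the filtering step.
  def permit(*allowed)
    allowed_names = allowed.map(&:to_s).to_set
    @hash.select { |k, _| allowed_names.include?(k) }
  end
end

# Stand-in for an ActiveRecord model. `accessible` mimics attr_accessible;
# pass nil to simulate a model whose attr_accessible line has been removed.
class Person
  attr_reader :attributes

  def initialize(attrs, accessible: %w[name age height])
    @attributes = accessible ? attrs.select { |k, _| accessible.include?(k) } : attrs
  end
end

# Constructed request: the page's form data plus a hostile extra field
# ('admin') that the form never sends but an attacker can.
REQUEST = {
  'person' => { 'name' => 'Kyle', 'age' => '26', 'height' => '180', 'admin' => 'true' }
}.freeze

# The moderate phase: everything passes through and gaps are logged.
# Returns [attributes that reached the model, log lines].
def create_with_moderate(allowed, accessible: %w[name age height])
  params = AuditParams.new(REQUEST)
  attrs = params.require(:person).moderate('people', 'create', *allowed)
  [Person.new(attrs, accessible: accessible).attributes, params.log]
end

# The final phase: permit filters in the controller, so the model no longer
# needs attr_accessible (modelled here as accessible: nil).
def create_with_permit(allowed)
  params = AuditParams.new(REQUEST)
  attrs = params.require(:person).permit(*allowed)
  Person.new(attrs, accessible: nil).attributes
end

if $PROGRAM_NAME == __FILE__
  attrs, log = create_with_moderate(%i[name])
  puts log # one "Top Level is missing" line each for age, height and admin
  p attrs  # admin is absent only because attr_accessible is still in the model
  p create_with_moderate(%i[name age height], accessible: nil).first # admin gets through
  p create_with_permit(%i[name age height])                           # admin filtered
end
```

The third call is the failure mode the last paragraph warns about: dropping attr_accessible while the controller still calls moderate lets the constructed 'admin' field reach the model, because moderate only logs. Running the script with the page's original three-field form instead would produce an empty log once age and height are added, exactly as described above.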
Bug reports and pull requests are welcome on GitHub at https://github.com/hintmedia/moderate_parameters. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
The gem is available as open source under the terms of the MIT License.
Everyone interacting in the moderate_parameters project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.