mixbo

Implementation logic of Rails Params Permitted


In a Rails Controller#action, the parameters the user sends to the server are read from params, and before they are stored in the DB they go through a special call: params.require(:product).permit(:name, :desc)

Why do we need to call the permit method?

Imagine a scenario where you develop an API endpoint that receives JSON data returned by a third party and creates a record in the database.

params = {user: {nickname: 'mixbo', email: 'lb563@foxmail.com', admin: true}}

class UsersController < ApplicationController
  def create
    # Every key sent by the third party, including admin, goes straight to the model
    @user = User.create params[:user]
  end
end

As you can see from the code above, the params sent by the third-party interface include a field admin, and passing it straight to User.create is a very dangerous operation.

permit marks the fields that are allowed, and before anything is saved to the database Rails checks whether the permitted flag has been set.

Implementation of Params#permit

The specific implementation is placed in the ActiveSupport::StrongParameter module

module ActionController
  class Parameters
    def permit(*filters)
      params = self.class.new
      # ... copying of the keys listed in filters into the new object omitted ...
      params.permit!
    end

    def permit!
      # Recursively mark nested Parameters objects as permitted too
      each_pair do |key, value|
        Array.wrap(value).each do |v|
          v.permit! if v.respond_to? :permit!
        end
      end
      @permitted = true
      self
    end

    def permitted?
      @permitted
    end
  end
end

As the code above shows, calling the permit! method on a params object sets that object's @permitted to true.

Before params is saved to the database, active_record first checks whether the parameters in params were approved by permit. The relevant source code is as follows:

def sanitize_for_mass_assignment(attributes)
  if attributes.respond_to?(:permitted?)
    raise ActiveModel::ForbiddenAttributesError if !attributes.permitted?
    attributes.to_h
  else
    attributes
  end
end

The attributes passed to the sanitize_for_mass_assignment method are the params object. The method first checks whether the params object responds to the permitted? method.

If the params object responds to permitted?, the method raises ActiveModel::ForbiddenAttributesError unless permitted? returns true; otherwise the to_h method is called and the plain hash is used for mass assignment.
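To see the whole flow end to end without a Rails installation, here is an added example (not the Rails source) that re-implements permit, permit!, permitted? and sanitize_for_mass_assignment in plain Ruby and runs the third-party payload from the post through both the unpermitted and the permitted path; the Parameters and ForbiddenAttributesError classes and the RAW payload are simplified stand-ins of my own.

```ruby
# Added example, not the Rails source: a dependency-free model of the
# permit / permit! / permitted? / sanitize_for_mass_assignment flow above.
class ForbiddenAttributesError < StandardError; end

class Parameters
  def initialize(hash = {})
    @params = hash.transform_keys(&:to_sym)
    @permitted = false
  end

  # Copy only the listed keys into a new object and mark that copy permitted;
  # unlisted keys such as :admin never reach the copy.
  def permit(*filters)
    allowed = filters.map(&:to_sym)
    Parameters.new(@params.select { |k, _| allowed.include?(k) }).permit!
  end

  def permit!
    @permitted = true
    self
  end

  def permitted?
    @permitted
  end

  def to_h
    @params.dup
  end
end

# Same check as the ActiveModel method quoted above: a Parameters object must
# be permitted before mass assignment; a plain Hash passes through unchanged.
def sanitize_for_mass_assignment(attributes)
  if attributes.respond_to?(:permitted?)
    raise ForbiddenAttributesError unless attributes.permitted?
    attributes.to_h
  else
    attributes
  end
end
# Constructed payload modelled on the third-party JSON in the post.
RAW = { nickname: 'mixbo', email: 'lb563@foxmail.com', admin: true }.freeze

def safe_attributes   # permitted: admin is silently dropped
  sanitize_for_mass_assignment(Parameters.new(RAW).permit(:nickname, :email))
end

def unsafe_attributes # never permitted: raises ForbiddenAttributesError
  sanitize_for_mass_assignment(Parameters.new(RAW))
end
```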

Hope it can help you :)
