I’m sitting here at PHP South Coast, surrounded by PHP developers and I’m writing some Ruby. I’ve come up with a nice little gem to avoid the extra work involved in listing permitted attributes when creating new objects from a Rails form. You know what I’m talking about…
class UsersController < ApplicationController
  def create
    User.create(params.require(:user).permit(:first_name, :last_name, :email_address, :password, :password_confirmation))
  end
end
This is great, but we already wrote that list of attributes in the form which submitted to this action, so why do it all again? Isn’t this easier?
Why yes! Yes it is. auto_permit will automatically permit all the fields which were included in the form that was submitted to the action.
I call this gem param-auto-permit and it’s on GitHub. Do check it out and have a read of the README file for install instructions.
So, how does it work?
Whenever you build a form using the Rails form builder options (e.g. using form_for), the gem maintains a list of included fields based on their labels. For example, when you insert a label tag, the gem adds the attribute name to a list.
When the form is finished, we take the list of attributes generated while building your form and turn them into a signed & encrypted string. This is secured using the same technique Rails uses to store sessions in cookies. This string is then included as a hidden field and submitted with the form.
When this arrives back at the server, the string is decoded and turned back into an array of attributes which should be permitted.
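To make that round trip concrete, here is an added example of my own (not the gem's code) that seals the attribute list collected while building the form and checks it when the form comes back, dropping any field the form never rendered and rejecting a modified token. It assumes AES-256-GCM from Ruby's stdlib OpenSSL in place of Rails' cookie encryptor, a constructed secret, and leaves the form-builder hook itself out.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed secret for the example; a Rails app would derive the key
# from secret_key_base (assumption about how the gem obtains it).
SECRET = OpenSSL::Digest::SHA256.digest("example-secret-key-base")

# Form-building side: seal the list of labelled attributes.
# AES-256-GCM gives both encryption and an integrity tag.
def seal_permitted(attrs)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = SECRET
  iv = cipher.random_iv               # 12 random bytes, sent with the token
  ciphertext = cipher.update(JSON.generate(attrs)) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Controller side: decrypt and verify. Any change to the token makes
# final raise, and we return nil rather than trusting a modified list.
def open_permitted(token)
  raw = Base64.strict_decode64(token)
  return nil if raw.bytesize <= 28    # iv (12) + tag (16) + at least 1 byte
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = SECRET
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  JSON.parse(cipher.update(raw[28..-1]) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError, JSON::ParserError
  nil
end

# Keep only the attributes the form actually rendered; extra keys a
# client adds (e.g. "admin") are dropped, just as permit(...) would.
def auto_permit(params, token)
  allowed = open_permitted(token)
  raise "invalid permitted-attributes token" if allowed.nil?
  params.select { |name, _| allowed.include?(name) }
end

# Used only to show that a modified token is rejected.
def flip_last_byte(token)
  raw = Base64.strict_decode64(token)
  Base64.strict_encode64(raw[0..-2] + (raw[-1].ord ^ 1).chr)
end

if __FILE__ == $0
  token = seal_permitted(%w[first_name last_name email_address])
  submitted = { "first_name" => "Ada", "email_address" => "ada@example.com", "admin" => "true" }
  p auto_permit(submitted, token)          # {"first_name"=>"Ada", "email_address"=>"ada@example.com"}
  p open_permitted(flip_last_byte(token))  # nil
end
```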