
Justin Reid's Profile

GitHub User: reidreid46

Site: www.justinreid.com

Comments by Justin Reid


Makes more sense after reading this:
http://rubysource.com/rails-4-quick-look-strong-parameters/

Some of the repetition that I fear when I see code like this:

```ruby
def book_params
  if current_user && current_user.admin?
    params[:book].permit(:name, :author, :public)
  else
    params[:book].permit(:name, :author)
  end
end
```

Can be reduced by creating a constant (named by role?) within the class:

```ruby
def book_params
  if current_user && current_user.admin?
    params[:book].permit(User.attributes_assignable_by_admin)
  else
    params[:book].permit(User.attributes_assignable_by_non_admin)
  end
end
```

And though I understand that this is a better placement of state logic, it still seems a bit cumbersome.

The whitelist lets me say all the attributes that are permitted unless a specific role is in use. It isn't often, but when it is, it's explicit. This forces me to specify the user role every place I'm acting on an attribute via a controller. And the more times I have to remember to do something, the more likely I am to miss something and create a security hole.

Again, I'm happy to be enlightened.
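As an added example (not Justin's code and not from RailsCasts), here is one way to keep the role-to-attribute decision in a single place so that a forgotten role check falls back to the narrowest whitelist rather than the widest. It uses a plain-Ruby stand-in for `ActionController::Parameters#permit` so it runs without Rails; all names and the sample request are constructed for the example.

```ruby
# Single source of truth for which book attributes each role may mass-assign.
# Hypothetical table: only :admin may set :public, matching the comment above.
BOOK_ATTRIBUTES_BY_ROLE = {
  admin:  %i[name author public],
  member: %i[name author],
}.freeze

# Whitelist for a role. An unknown or nil role (e.g. no current_user, or a
# controller that forgot to pass one) gets the most restrictive set, so a
# missing check can never widen what is assignable.
def permitted_book_attributes(role)
  BOOK_ATTRIBUTES_BY_ROLE.fetch(role, BOOK_ATTRIBUTES_BY_ROLE[:member])
end

# Minimal imitation of strong parameters' permit: keep only whitelisted keys.
# Returns [permitted_hash, unpermitted_keys] so a caller can log the drops,
# which is the part of the Rails behaviour worth surfacing in a test.
def permit_book_params(raw_params, role)
  allowed     = permitted_book_attributes(role)
  permitted   = raw_params.select { |key, _| allowed.include?(key.to_sym) }
  unpermitted = raw_params.keys.map(&:to_sym) - allowed
  [permitted, unpermitted]
end

# Constructed sample request body: a form submission that also tries to
# flip the :public flag, which only an admin should be able to touch.
SAMPLE_PARAMS = {
  "name"   => "Strong Parameters",
  "author" => "Justin",
  "public" => "1",
}.freeze

if __FILE__ == $PROGRAM_NAME
  [:admin, :member, nil].each do |role|
    permitted, dropped = permit_book_params(SAMPLE_PARAMS, role)
    puts "role=#{role.inspect} permitted=#{permitted.keys} dropped=#{dropped}"
  end
end
```

In a real controller the table would be consulted from `book_params`, and adding a new role means adding one row here rather than another branch in every controller that touches books.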


You make the changes in big releases easy to understand, thanks!

What I don't quite understand is the move of protected attributes from the model to the controller:

  • Doesn't that assume you're only going to be using one controller to update a given type of model, else you'll have to repeat your code (like in an admin controller)?
  • Wouldn't this change make controllers fatter and models skinnier (the opposite direction we push for)?

There's probably something I'm missing, so if someone could enlighten me then I'd be grateful.


I just ran into the same problem, using Redcarpet 2 on a Rails 3.1.3 app. Took me a little bit to figure out what was going on, but I updated the helper method to be:

```ruby
# View helper; assumes the redcarpet gem is in the Gemfile (Redcarpet 2 here).
def markdown(text)
  markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML,
                                     :autolink => true, :space_after_headers => true)
  return markdown.render(text)
end
```

So, in your view you would have:

```erb
<%= raw markdown(@policies.introduction) %>
```

I've instantiated a Redcarpet object and called its 'render' method, both inside the 'markdown' helper method. That value will be returned to the view, but since it will be escaped you'll need to pass it through the 'raw' method so that it comes out as actual HTML.


In case it helps anyone else, I believe the favored way of doing this in Rails 3+ is with the method "accepts_nested_attributes_for".

http://api.rubyonrails.org/classes/ActionView/Helpers/FormHelper.html