Rails 4 Nested Route with Strong Parameters

Question

I'm new to Rails and the recent switch to the Rails 4 strong parameters has confused me even more.

I'm trying to set up an account confirmation link for people to click.

I have the following route set up:

rake routes
Prefix Verb   URI Pattern                                     Controller#Action
       GET    /users/:id/confirm/:confirmation_code(.:format) users#confirm

In my UserController, I have a confirm action, which is being called (I tested via a simple redirect in that action),

and here are the rails 4 strong parameters:

private

def user_params
  params.require(:user).permit(:name, :email, :password,
                               :password_confirmation, :confirmation_code)
end

But I'm getting the following error when I try access /users/1/confirm/foobar

param not found: user

I can see why I'm getting the error, but I'm not sure how to fix it without undoing the security of the strong params by removing the require(:user). I'm not even 100% if my basic approach is right.

(I've just finished Michael Hartl's rails tutorial and the tutorial has the require(:user) in the User Controller and I'm not actually sure what the security implications are of removing it)

Answer 1

I think you don't need to call user_params because the request is just a GET request so it doesn't matter what params[:id] and params[:confirmation_code] are. you can simply use these parameters directly regardless if they are strong params or not.

Answer 2

The route you've shown makes a GET request, there will be no params[:user], only a params[:id] and params[:confirmation_code], as the defined by the route.

params[:user] would be set if you posted a form built with form_for(@user) back to a created/update action.

The problem is that you're somehow invoking the method user_params in an action that doesn't have any. The method itself is doing its job exactly as intended.