Question

I followed the Railscasts tutorial for user authentication/registration/login, which apparently uses an outdated approach based on the protected attributes gem. I found that it's necessary to switch to strong parameters and did so by following this method.

I had to delete the attr_accessible code from my user.rb model (commented out below) and was wondering if there's anything else I should do instead of just defining user params within the controller. Should there be attr_accessors for the user's fields (email, password, location) now that I don't have the attr_accessible, or is this unnecessary? I'm new to Rails and do not fully understand the proper necessities for user authentication.

user.rb

class User < ActiveRecord::Base
  #attr_accessible :email, :password, :password_confirmation, :location

  attr_accessor :password, :location
  before_save :encrypt_password

  validates_confirmation_of :password
  validates_presence_of :password, :on => :create
  validates_presence_of :email
  validates_uniqueness_of :email

  def self.authenticate(email, password)
    user = find_by_email(email)
    if user && user.password_hash == BCrypt::Engine.hash_secret(password, user.password_salt)
      user
    else
      nil
    end
  end

  def encrypt_password
    if password.present?
      self.password_salt = BCrypt::Engine.generate_salt
      self.password_hash = BCrypt::Engine.hash_secret(password, password_salt)
    end
  end
end 

user_controller.rb

class UsersController < ApplicationController
  def new
    @user = User.new
  end

  def create
    @user = User.new(user_params)
    if @user.save
      redirect_to root_url, :notice => "Signed up!"
    else
      render "new"
    end
  end

  #add thing from https://stackoverflow.com/a/19130224/2739431
  private
    def user_params
      params.require(:user).permit(:email, :password, :password_confirmation, :location)
    end

end

Solution

The answer is relatively simple.

Remember that statement when you first started learning Ruby: "In Ruby, everything is an object". Objects have methods, and to access an object's property you need an accessor method.

The attr_accessor is a Ruby method that generates accessor methods for a given instance variable (check attr_reader and attr_writer).
So your question actually is whether you need to access those properties, outside the Model.

And I think this answers your question.

Important note: attr_accessible is not a Ruby method. It's a Rails method that allows you to pass in values to Models for a mass assignment: new(attrs) or update_attributes(attrs).
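The distinction drawn above between accessor methods and mass-assignment filtering, as an added example that is not part of the original answer or of Rails itself. It is plain Ruby: PlainUser, mass_assign and permit are hypothetical stand-ins (permit is a simplified imitation of params.require(:user).permit(...)), and the admin field is an assumed sensitive attribute that does not appear in the question.

```ruby
class PlainUser
  # attr_accessor is plain Ruby: it only defines the reader/writer pairs
  # email/email=, location/location= and admin/admin=. It filters nothing.
  attr_accessor :email, :location, :admin

  # Mass assignment: call the writer for every key in the hash, which is
  # what new(attrs) / update_attributes(attrs) do on a Rails model.
  def mass_assign(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end
end

# Simplified stand-in for strong parameters (not the Rails implementation):
# fail if the top-level key is missing, then keep only allow-listed keys.
def permit(params, root, *allowed)
  nested = params.fetch(root) { raise KeyError, "param is missing: #{root}" }
  nested.select { |key, _| allowed.include?(key.to_sym) }
end

# Constructed request body: the sign-up form only has email and location,
# but the client added an extra "admin" key.
SUBMITTED = {
  "user" => { "email" => "a@example.com", "location" => "Oslo", "admin" => "true" }
}

# Without filtering, every submitted key reaches a writer method.
def unfiltered_user
  PlainUser.new.mass_assign(SUBMITTED["user"])
end

# With the allow-list, the unexpected key is dropped before assignment.
def filtered_user
  PlainUser.new.mass_assign(permit(SUBMITTED, "user", :email, :location))
end
```

Having a writer method for a field is independent of whether a request is allowed to set it; the allow-list in the controller is what decides the latter.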

OTHER TIPS

"Should there be attr_accessors for the user's fields (email, password, location) now that I don't have the attr_accessible or is this unnecessary?"

It's unnecessary. ActiveRecord automatically creates writers and readers for model fields – that's why you can use methods like user.email and user.email = outside of User class.

attr_accessor :password, :location – I guess these are database fields, right? You can remove this line, too.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow