Different strong parameters on create and update

20 Jul 2020

When using strong parameters, you sometimes want to permit only a subset of the same parameters on create or edit. To achieve this, you can define two separate sets like this:
...
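# Allowlist for create: the category can be set when the post is created.
def post_create_params
  params[:posts].permit(:category_id, :title, :body)
end

# Allowlist for update: category_id is not permitted, so it cannot be changed.
def post_update_params
  params[:posts].permit(:title, :body)
end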
...
But there is a neater way to achieve the same by utilising ActionController::Parameters#except:
...
def update
  # Start from the create allowlist and drop category_id for updates.
  @post.update(post_params.except(:category_id))
end

private
  def post_params
    params[:posts].permit(:category_id, :title, :body)
  end
...
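
The effect of the `except` call on an update request that carries `category_id`, as an added example that is not code from the original article. `Params`, `create_keys`, `update_keys` and `REQUEST` are hypothetical names, and the request body is constructed; the stand-in class is used only when the actionpack gem is not installed.

```ruby
# Uses ActionController::Parameters when actionpack is installed; otherwise a
# small stand-in written for this example (flat keys, permit/except/to_h only).
begin
  require "action_controller"
  Params = ActionController::Parameters
rescue LoadError
  class Params
    def initialize(hash)
      @hash = hash.map { |k, v| [k.to_s, v] }.to_h
    end

    def [](key)
      value = @hash[key.to_s]
      value.is_a?(Hash) ? Params.new(value) : value
    end

    def permit(*keys)
      Params.new(@hash.select { |k, _| keys.map(&:to_s).include?(k) })
    end

    def except(*keys)
      Params.new(@hash.reject { |k, _| keys.map(&:to_s).include?(k) })
    end

    def to_h
      @hash.dup
    end
  end
end

# Same allowlist as post_params in the article.
def post_params(params)
  params[:posts].permit(:category_id, :title, :body)
end

# Attribute names that create would mass-assign.
def create_keys(params)
  post_params(params).to_h.keys.map(&:to_s).sort
end

# Attribute names that update would mass-assign (category_id removed).
def update_keys(params)
  post_params(params).except(:category_id).to_h.keys.map(&:to_s).sort
end

# Constructed request: sends category_id plus a never-permitted admin flag.
REQUEST = { posts: { category_id: 42, title: "t", body: "b", admin: true } }
puts "create: #{create_keys(Params.new(REQUEST))}"
puts "update: #{update_keys(Params.new(REQUEST))}"
```

Because `except` subtracts from the create allowlist, any attribute later added to `post_params` is also accepted on update unless it is excluded there as well.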
