@user after create is called with params containing { user: { name: 'Alice', admin: true } }?

    class UsersController < ApplicationController
      def create
        @user = User.new(user_params)
      end

      private

      def user_params
        params.require(:user).permit(:name)
      end
    end

permit.
The user_params method only permits the :name attribute. The admin attribute is filtered out, so it will not be set on @user. It will be nil or its default value.
post with nested comments attributes in your controller. Which post_params method is correct?
When permitting nested attributes for associated models, Rails expects the key to be comments_attributes (with _attributes suffix) if using accepts_nested_attributes_for. Option B uses this correct key and permits an array of attributes.
update fail to update the article attributes?

    def update
      @article = Article.find(params[:id])
      @article.update(article_params)
    end

    def article_params
      params.permit(:title, :body)
    end

Rails expects nested parameters under a key like :article. Without require(:article), permit is called on the top-level params, which lacks the expected keys :title and :body. The permitted params will be empty, so update changes nothing.
params[:user] after this strong parameters call?
params[:user] contain after user_params is called?

    def user_params
      params.require(:user).permit(:name, :email)
    end
    # Assume params = { user: { name: 'Bob', email: 'bob@example.com', admin: true } }

The permit method returns a new filtered parameters object but does not change the original params hash. So params[:user] remains unchanged.
Strong parameters are designed to protect applications from mass assignment vulnerabilities by requiring developers to whitelist which attributes can be set through forms or API calls.