Do I need to use strong params if action doesn't affect models?
I'm 80% sure the answer is "no", but I need affirmation.
Case scenario
For a controller looking like this:

    class CatController < ApplicationController
      def search_cats
        render json: HTTPClient.new.get('https://api.example.com', search_cats_params)
      end

      private

      def search_cats_params
        params.permit(:breed, :ownership, :vaccination, foo: [ :bar, :baz ])
      end
    end

Would it be safe to just pass the params forward like this?

    class CatController < ApplicationController
      def search_cats
        render json: HTTPClient.new.get('https://api.example.com', params.to_h)
      end
    end

Wouldn't a user be able to flood the server with an enormous query, for example?
The documentation only says strong params exist to protect models from malicious mass assignment.
https://edgeapi.rubyonrails.org/classes/ActionController/StrongParameters.html
ruby-on-rails
asked Mar 7 at 14:04
Steve Redka
IMO it would still be best to limit what is sent to a third party API, especially if you pay to use the API or the API has any kind of acceptable use policy. Passing params straight through could result in you being banned from the API because you have 1 malicious user that ruins it for you and everyone else.
– engineersmnky
Mar 7 at 14:34
The internet is a scary place; I always prefer to use strong params in my controllers.
– user3775217
Mar 8 at 10:16
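As an added illustration of the question and of engineersmnky's point about limiting what reaches the third-party API (example code, not from the question, the comments or Rails itself), the block below implements a plain-Ruby allowlist modeled on the question's `permit` call, so it runs without Rails; the `MAX_VALUE_BYTES` cap and the constructed request are assumptions, and the filter also records which keys it refused.

```ruby
# Allowlist mirroring the question's
# params.permit(:breed, :ownership, :vaccination, foo: [:bar, :baz]):
# nil means "scalar only", an array lists the permitted nested keys.
PERMITTED = {
  "breed" => nil, "ownership" => nil, "vaccination" => nil,
  "foo" => ["bar", "baz"]
}.freeze
MAX_VALUE_BYTES = 64 # assumed cap on a single value (not from the question)

# Returns [kept, dropped]: kept holds only permitted, well-sized values;
# dropped lists the keys that were refused so they can be logged.
def filter_params(raw, permitted = PERMITTED)
  kept = {}
  dropped = []
  raw.each do |key, value|
    key = key.to_s
    if !permitted.key?(key)
      dropped << key # unknown key: never forwarded
    elsif permitted[key].nil?
      # scalar slot: refuse hashes/arrays and oversized strings
      if value.is_a?(String) && value.bytesize <= MAX_VALUE_BYTES
        kept[key] = value
      else
        dropped << key
      end
    elsif value.is_a?(Hash)
      # nested slot: recurse with the nested key list as scalar-only rules
      sub, sub_dropped = filter_params(value, permitted[key].map { |k| [k, nil] }.to_h)
      kept[key] = sub
      dropped.concat(sub_dropped.map { |k| "#{key}.#{k}" })
    else
      dropped << key # nested slot given a non-hash
    end
  end
  [kept, dropped]
end

# Constructed request, as a client could send it to /search_cats
RAW_REQUEST = {
  "breed" => "tabby", "ownership" => "shelter",
  "foo" => { "bar" => "1", "qux" => "2" },
  "admin" => "true",              # not in the permit list
  "vaccination" => "x" * 10_000   # oversized value
}.freeze

# Bytes a pass-through (params.to_h) would forward versus the filtered query
def forwarded_bytes
  kept = filter_params(RAW_REQUEST).first
  { passthrough: RAW_REQUEST.to_s.bytesize, filtered: kept.to_s.bytesize }
end
```

Run `filter_params(RAW_REQUEST)` to see the unknown `admin` key, the unlisted nested `foo.qux` and the oversized `vaccination` value refused, while `forwarded_bytes` shows how much of the constructed request a pass-through would have sent upstream.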