I decided to take a different approach to mass assigning for security reasons and

Question

0

Asked: June 6, 20262026-06-06T12:30:45+00:00 2026-06-06T12:30:45+00:00

I decided to take a different approach to mass assigning for security reasons and

0

I decided to take a different approach to mass assigning for security reasons and wanted to know if this is a safe way to do it inside of the controller?

QuestionsController

def new
  @survey = Survey.find(params[:survey_id])
  @question = Question.new
end

def create
  @survey = Survey.find(params[:survey_id])
  @question = @survey.questions.new
  @question.title = params[:question][:title]
  @question.description = params[:question][:description]


  if @question.save
    redirect_to new_survey_question_path
  else
    render :new
  end
end

Can they change the survey_id or any other column of the question? Is their a better approach besides using attr_accessible?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-06T12:30:46+00:00

Editorial Team

2026-06-06T12:30:46+00:00Added an answer on June 6, 2026 at 12:30 pm

Ok, you could do something like..

enabled_attributes = [:title, :description]
params[:question].delete_if {|k, v| !enabled_attributes.include?(k) }
@question = @survey.questions.new(params[:question])

This deletes from the params[:question] hash all the attributes that aren’t in the enabled array.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I decided to take a different approach to mass assigning for security reasons and

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply