Refactoring (Rails 5)

© 2012 - 2017 thoughtbot, inc. Upcase, the design of a robot, and thoughtbot are registered trademarks of thoughtbot, inc.

This is a companion discussion topic for the original entry at

The use of permit! is super dangerous. I’m astonished to see it suggested in a beginner’s course. There’s open for extension, then there’s open to gettting totally owned by malicious third parties. Polymorphic controllers don’t get a pass on using strong parameters safely. It’s never the case that all user-supplied params are acceptable. Most obviously, the model timestamps and any association IDs.

Either use a consistent content field name, or have some way to inject it into the controller in a manner that doesn’t trust the params - as you did with the content object class.