how to permit an array with strong parameters

Question

I have a functioning Rails 3 app that uses has_many :through associations which is not, as I remake it as a Rails 4 app, letting me save ids from the associated model in the Rails 4 version.

These are the three relevant models are the same for the two versions.

Categorization.rb

class Categorization < ActiveRecord::Base

  belongs_to :question
  belongs_to :category
end

Question.rb

has_many :categorizations
has_many :categories, through: :categorizations

Category.rb

has_many :categorizations
has_many :questions, through: :categorizations

In both apps, the category ids are getting passed into the create action like this

  "question"=>{"question_content"=>"How do you spell car?", "question_details"=>"blah ", "category_ids"=>["", "2"],

In the Rails 3 app, when I create a new question, it inserts into questions table and then into the categorizations table

 SQL (82.1ms)  INSERT INTO "questions" ("accepted_answer_id", "city", "created_at", "details", "province", "province_id", "question", "updated_at", "user_id") VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)  [["accepted_answer_id", nil], ["city", "dd"], ["created_at", Tue, 14 May 2013 17:10:25 UTC +00:00], ["details", "greyound?"], ["province", nil], ["province_id", 2], ["question", "Whos' the biggest dog in the world"], ["updated_at", Tue, 14 May 2013 17:10:25 UTC +00:00], ["user_id", 53]]
  SQL (0.4ms)  INSERT INTO "categorizations" ("category_id", "created_at", "question_id", "updated_at") VALUES (?, ?, ?, ?)  [["category_id", 2], ["created_at", Tue, 14 May 2013 17:10:25 UTC +00:00], ["question_id", 66], ["updated_at", Tue, 14 May 2013 17:10:25 UTC +00:00]]

In the rails 4 app, after it processes the parameters in QuestionController#create, I'm getting this error in the server logs

Unpermitted parameters: category_ids

and the question is only getting inserted into the questions table

 (0.2ms)  BEGIN
  SQL (67.6ms)  INSERT INTO "questions" ("city", "created_at", "province_id", "question_content", "question_details", "updated_at", "user_id") VALUES ($1, $2, $3, $4, $5, $6, $7) RETURNING "id"  [["city", "dd"], ["created_at", Tue, 14 May 2013 17:17:53 UTC +00:00], ["province_id", 3], ["question_content", "How's your car?"], ["question_details", "is it runnign"], ["updated_at", Tue, 14 May 2013 17:17:53 UTC +00:00], ["user_id", 12]]
   (31.9ms)  COMMIT

Although I am not storing the category_ids on the Questions model, I set category_ids as a permitted parameter in the questions_controller

   def question_params

      params.require(:question).permit(:question_details, :question_content, :user_id, :accepted_answer_id, :province_id, :city, :category_ids)
    end

Can anyone explain how I'm supposed to save the category_ids? Note, there is no create action in the categories_controller.rb of either app.

These are the three tables that are the same in both apps

 create_table "questions", force: true do |t|
    t.text     "question_details"
    t.string   "question_content"
    t.integer  "user_id"
    t.integer  "accepted_answer_id"
    t.datetime "created_at"
    t.datetime "updated_at"
    t.integer  "province_id"
    t.string   "city"
  end

 create_table "categories", force: true do |t|
    t.string   "name"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

  create_table "categorizations", force: true do |t|
    t.integer  "category_id"
    t.integer  "question_id"
    t.datetime "created_at"
    t.datetime "updated_at"
  end

Update

This is the create action from the Rails 3 app

  def create
      @question = Question.new(params[:question])
      respond_to do |format|
      if @question.save
        format.html { redirect_to @question, notice: 'Question was successfully created.' }
        format.json { render json: @question, status: :created, location: @question }
      else
        format.html { render action: "new" }
        format.json { render json: @question.errors, status: :unprocessable_entity }
      end
    end
end

This is the create action from the Rails 4 app

   def create
      @question = Question.new(question_params)

       respond_to do |format|
      if @question.save
        format.html { redirect_to @question, notice: 'Question was successfully created.' }
        format.json { render json: @question, status: :created, location: @question }
      else
        format.html { render action: "new" }
        format.json { render json: @question.errors, status: :unprocessable_entity }
      end
    end
    end

This is the question_params method

 private
    def question_params 
      params.require(:question).permit(:question_details, :question_content, :user_id, :accepted_answer_id, :province_id, :city, :category_ids)
    end

What does the create action look like in both apps? – bennick May 14 '13 at 19:00 — bennick, May 14 '13 at 19:00
@bennick I added the two create actions. Thanks – Leahcim May 14 '13 at 20:27 — Leahcim, May 14 '13 at 20:27

score 604 · Accepted Answer · edited Nov 24 '19 at 19:38

604

This https://github.com/rails/strong_parameters seems like the relevant section of the docs:

The permitted scalar types are String, Symbol, NilClass, Numeric, TrueClass, FalseClass, Date, Time, DateTime, StringIO, IO, ActionDispatch::Http::UploadedFile and Rack::Test::UploadedFile.

To declare that the value in params must be an array of permitted scalar values map the key to an empty array:
params.permit(:id => [])

In my app, the category_ids are passed to the create action in an array

"category_ids"=>["", "2"],

Therefore, when declaring strong parameters, I explicitly set category_ids to be an array

params.require(:question).permit(:question_details, :question_content, :user_id, :accepted_answer_id, :province_id, :city, :category_ids => [])

Works perfectly now!

(IMPORTANT: As @Lenart notes in the comments, the array declarations must be at the end of the attributes list, otherwise you'll get a syntax error.)

edited Nov 24 '19 at 19:38

Yarin

173,523
149
402
512

answered May 15 '13 at 02:48

Leahcim

40,649
59
195
334

112

I've also noticed that declarations for arrays should be at the end of the attributes list. Otherwise I get a syntax error `syntax error, unexpected ')', expecting =>` – Lenart Oct 13 '13 at 08:35
52

The reason array declarations (nested params) are at the end is that ActionController::Parameters.permit expects each argument to be a Hash or a Symbol. Ruby magic will turn all key value pairs s at the _end_ of a method call into one hash, but Ruby won't know what to do if you mix symbols with key/value pairs in your method call. – sameers Nov 20 '13 at 00:05
How can I do this as a *separate* param for category_ids – quantumpotato Mar 18 '14 at 16:04
7

if ```category_ids``` is not an array (e.g. a string was sent) then rails totally goes nuts and raises a ```ERROR TypeError: expected Array (got String) for param `category_ids'``` Is that a bug in rails? Edit: yes it is: https://github.com/rails/rails/issues/11502 – Dominik Goltermann Apr 15 '14 at 14:15
This only worked for me when I put it at the end of the list of approved params. – Dan Laffan Dec 21 '14 at 15:58
4

@Lenart Thanks, I thought I was going crazy. This should at least appear in the strong_params README – Sebastialonso Feb 20 '15 at 22:20
1

In case someone needs to have array of string in the strong params all you have to do is include [postgres_ext](https://github.com/dockyard/postgres_ext) and the add in the list of params to permit `:some_array_column => []` – poorva Sep 05 '15 at 07:49
Hehe, I also wondered why it is not allowing my Array column which has already set in permit. I found the solution going through the rails code. Its restricts through defining 'scalar types' – Abhi Sep 18 '15 at 12:19
5

@Lenart you can add it as hash if you want to avoid syntax error. `params.permit(:foo, { bar: [] }, :zoo)`. – Foo Bar Zoo Mar 13 '18 at 20:28
This answer should be updated with sameer's comment. The array doesn't have to be last, it just needs to be passed inside curly braces so Ruby knows it's a single argument - https://github.com/rails/strong_parameters#nested-parameters – Matthew Mar 08 '21 at 08:40
What an utterly terrible design. Why on earth do the hash values need to be sorted by value type. "magic" – duhaime Mar 03 '22 at 21:42

score 115 · Answer 2 · answered May 17 '15 at 09:53

115

If you want to permit an array of hashes(or an array of objects from the perspective of JSON)

params.permit(:foo, array: [:key1, :key2])

2 points to notice here:

array should be the last argument of the permit method.
you should specify keys of the hash in the array, otherwise you will get an error Unpermitted parameter: array, which is very difficult to debug in this case.

answered May 17 '15 at 09:53

Brian

30,156
15
86
87

and arrays of arrays are not supported (yet): https://github.com/rails/rails/issues/23640 – Andrei Dziahel Apr 07 '17 at 16:10
15

`array` does not need to be at the end, but you need to make sure you have valid Ruby. `params.permit(:foo, array: [:key1, :key2], :bar)` would not be valid ruby as the interpreter expects hash key:value pairs after the first set. To have valid Ruby you need `params.permit(:foo, {array: [:key1, :key2]}, :bar)` – mastaBlasta Sep 25 '17 at 21:29
You are a Champ! – Lollypop Oct 24 '17 at 18:49
This answer should be edited with mastBlasta's comment (I tried but the suggested edit queue is full) – Matthew Mar 08 '21 at 08:37

Matias Seguel · Answer 3 · 2023-08-24T15:52:24.647

28

The array should be the last argument of the permit method.

params.permit(:id => [])

Also since Ruby 1.9 or newer, you can use:

params.permit(id: [])

edited Aug 24 '23 at 15:52

answered Jul 06 '17 at 14:47

Matias Seguel

788
11
17

14

please not that the array should be the last argument of the permit method – Matias Elorriaga Feb 07 '18 at 16:59
4

That hash syntax that you said apply for Rails v4+ is actually a syntax available in Ruby 1.9 & newer, not the Rails framework (although Rails 4 requires Ruby 1.9.3 or newer) – MegaTux May 28 '19 at 17:39
That's not correct @MatiasElorriaga... see mastaBlasta's comment on Brian's answer, or https://github.com/rails/strong_parameters#nested-parameters – Matthew Mar 08 '21 at 08:38
this saved me in a situation like this , thanks a lot. game_results: [:score, :date ,fouls: [],players: [],subs: []] – timjini Aug 03 '23 at 20:10

score 21 · Answer 4 · answered May 03 '17 at 15:49

21

If you have a hash structure like this:

Parameters: {"link"=>{"title"=>"Something", "time_span"=>[{"start"=>"2017-05-06T16:00:00.000Z", "end"=>"2017-05-06T17:00:00.000Z"}]}}

Then this is how I got it to work:

params.require(:link).permit(:title, time_span: [[:start, :end]])

answered May 03 '17 at 15:49

Fellow Stranger

32,129
35
168
232

2

took me way to long to find this – coorasse Jun 18 '21 at 14:21

score 11 · Answer 5 · answered Feb 17 '21 at 08:19

11

when you want to permit multiple array fields you will have to list array fields at last while permitting ,as given -

params.require(:questions).permit(:question, :user_id, answers: [], selected_answer: [] )

(this works)

answered Feb 17 '21 at 08:19

Dev Bhatt

111
1
2

score 9 · Answer 6 · answered Oct 12 '18 at 16:19

I can't comment yet but following on Fellow Stranger solution you can also keep nesting in case you have keys which values are an array. Like this:

filters: [{ name: 'test name', values: ['test value 1', 'test value 2'] }]

This works:

params.require(:model).permit(filters: [[:name, values: []]])

how to permit an array with strong parameters

6 Answers6

Linked

Related