Simple_form to handle strong_parameters


Denis Peplin

Oct 25, 2012, 7:09:01 AM
to plataformate...@googlegroups.com
Hello!

I have watched the Railscast about strong_parameters, http://railscasts.com/episodes/371-strong-parameters (sorry, for subscribers only), and implemented that solution.

The author suggested filtering out forbidden attributes. And it is really needed, because strong_parameters will not raise an exception on an attempt to change a forbidden attribute. A success message will be displayed to the user, but the attribute will stay unchanged. It is expected behaviour (https://github.com/rails/strong_parameters/issues/54#issuecomment-9771662).

So, the Railscast's code to filter out a forbidden attribute is:

<% if permitted_params.topic_attributes.include? :sticky %>
<div class="field">
  <%= f.check_box :sticky %>
  <%= f.label :sticky %>
</div>
<% end %>

Using simple_form it can be written like this:

<%= f.input :sticky, :as => :boolean if permitted_params.topic_attributes.include?(:sticky) %>

It's already too much, I think. But it is only one attribute. For five attributes it will be five permitted_params.topic_attributes.include?() calls.

It probably can be shortened, but still there is a need to specify some condition for each attribute to filter out forbidden ones.

So maybe the simple_form gem is the right place to auto-apply strong_parameters permissions? Or is there another way to do it?

Carlos Antonio da Silva

Oct 28, 2012, 11:27:55 AM
to plataformate...@googlegroups.com
I personally don't think this is SimpleForm's responsibility. It's up to the developer to show the correct fields that are going to be submitted to a particular controller that handles params with strong_parameters.

In any case, I'm pretty sure it's possible to wrap SimpleForm's behavior in a new form builder that handles that for you. I can think of something that receives the "permitted_params" in the form_for call, and automatically skip attributes that are inside there. Keep in mind that it may be a bigger problem when you're talking about nested attributes and so on, but I think it's possible.
--
At.
Carlos Antonio

Denis Peplin

Nov 1, 2012, 2:45:47 AM
to plataformate...@googlegroups.com
I also thought about some wrapper, but for me it is too complex a solution. simple_form is a wrapper by itself, and it does not look very simple. I agree that mixing strong_parameters functionality with simple_form code is not a perfect idea. But what about more general functionality, maybe some filter that can be used in different ways, without mixing filtering logic into view code?

It turns out that it is easier to implement that filter by monkey patching simple_form's FormBuilder:

https://gist.github.com/3992175

And in a view, I only have to change one line of code, instead of adding conditions to each line:

<%= simple_form_for(@topic, :defaults => { :display_only => permitted_params.topic_attributes } ) do |f| %>

This gist can be released as a gem, but only if there is no chance to include the filtering functionality in the simple_form gem.

2012/10/28 Carlos Antonio da Silva <carlosanto...@gmail.com>
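
An added example, not code from the thread, the gist or simple_form: a plain-Ruby sketch of the pattern discussed in the posts above, where one allowlist both hides form inputs and filters the submitted params, and the dropped keys are returned so they can be logged. `PermittedParams`, `FilteringBuilder`, `filter_topic` and the `:name` attribute are hypothetical stand-ins; only `topic_attributes`, `:sticky` and `display_only` come from the posts.

```ruby
# Plain-Ruby stand-in (hypothetical, no Rails needed) for a permitted_params
# helper: one allowlist drives both the form and the server-side filter.
class PermittedParams
  def initialize(admin)
    @admin = admin
  end

  # Assumption for this sketch: only admins may change :sticky.
  def topic_attributes
    @admin ? [:name, :sticky] : [:name]
  end

  # Server-side enforcement. Forbidden keys are dropped without an error, as
  # the first post describes; returning them as well lets the caller log the
  # attempt instead of only showing a success message.
  def filter_topic(raw)
    allowed = topic_attributes
    kept, dropped = raw.partition { |key, _| allowed.include?(key.to_sym) }
    [kept.to_h, dropped.map { |key, _| key.to_sym }]
  end
end

# Minimal stand-in for a form builder with a display_only option: an input
# whose attribute is not in the list renders nothing. Presentation only; the
# filter above is what protects the attribute.
class FilteringBuilder
  def initialize(display_only)
    @display_only = display_only
  end

  def input(attribute)
    return "" unless @display_only.include?(attribute)
    %(<input name="topic[#{attribute}]">)
  end
end

# Constructed sample: a non-admin form, and a submission that still carries
# the field the form did not render.
def demo
  permitted = PermittedParams.new(false)
  form = FilteringBuilder.new(permitted.topic_attributes)
  html = [:name, :sticky].map { |attr| form.input(attr) }.join
  kept, dropped = permitted.filter_topic("name" => "Hello", "sticky" => "1")
  { html: html, kept: kept, dropped: dropped }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The form omits the sticky input for a non-admin, yet the submitted value still reaches the server and is removed only by `filter_topic`, so the view filter is a convenience and the allowlist is the control.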

Carlos Antonio da Silva

Nov 1, 2012, 7:22:53 AM
to plataformate...@googlegroups.com
I added a comment to your gist with a StrongParametersFormBuilder example, that would extend SimpleForm functionality with your "display_only" option, allowing you to achieve exactly your example here.

I don't think this is going to be part of SimpleForm any time soon, in my mind, if the developer doesn't need an attribute, he shouldn't call f.input with it. If he wants to generalize form at that point, to reuse the same form with different pages and different "parameters" configuration, then it's up to him to handle it with a builder extension like that, or ifs. In the majority of the use cases I've seen, it has been better to just split the form templates.

Thanks!
--
At.
Carlos Antonio

Denis Peplin

Nov 2, 2012, 1:40:40 AM
to plataformate...@googlegroups.com


2012/11/1 Carlos Antonio da Silva <carlosanto...@gmail.com>

> I added a comment to your gist with a StrongParametersFormBuilder example, that would extend SimpleForm functionality with your "display_only" option, allowing you to achieve exactly your example here.

Looks great, but I can't get it working. options[:display_only] seems to be unavailable inside the new form builder. I established a new Rails application to test this, please look:

https://github.com/denispeplin/display_filter_demo

> I don't think this is going to be part of SimpleForm any time soon, in my mind, if the developer doesn't need an attribute, he shouldn't call f.input with it. If he wants to generalize form at that point, to reuse the same form with different pages and different "parameters" configuration, then it's up to him to handle it with a builder extension like that, or ifs. In the majority of the use cases I've seen, it has been better to just split the form templates.

I have some filtering in my views too, but not a lot. I think it will take some time to gain experience with stuff like strong_parameters, and to decide whether display_filter is really needed or will only complicate things.

Carlos Antonio da Silva

Nov 2, 2012, 8:21:30 AM
to plataformate...@googlegroups.com
Yeah, it was something quick and dirty, totally untested :D. Will take a look at your app.
--
At.
Carlos Antonio

Carlos Antonio da Silva

Nov 2, 2012, 8:31:02 AM
to plataformate...@googlegroups.com
Added new comment to the gist, with a hopefully working version: https://gist.github.com/3992175#gistcomment-592347

Cheers.
--
At.
Carlos Antonio

Denis Peplin

Nov 8, 2012, 11:38:28 PM
to plataformate...@googlegroups.com
Now it works. I changed the code a little bit to actually display 'display_only' attributes, not filter them out, added a comment to the gist and updated the display_filter_demo repository.

Thanks!

2012/11/2 Carlos Antonio da Silva <carlosanto...@gmail.com>

Carlos Antonio da Silva

Nov 9, 2012, 5:50:45 AM
to plataformate...@googlegroups.com
Awesome.. Perhaps you'd like to add an entry to our wiki with the final working example, so that others could benefit? Thanks!
--
At.
Carlos Antonio

Denis Peplin

Nov 12, 2012, 9:33:21 AM
to plataformate...@googlegroups.com

Carlos Antonio da Silva

Nov 12, 2012, 9:45:52 AM
to plataformate...@googlegroups.com
Awesome, thanks!
--
At.
Carlos Antonio

Denis Peplin

Nov 12, 2012, 10:30:19 AM
to plataformate...@googlegroups.com
Thank you for the code!

Please fix the article if something is wrong.

2012/11/12 Carlos Antonio da Silva <carlosanto...@gmail.com>