From: Denis Peplin
Date: Thu, 1 Nov 2012 09:45:47 +0300
Subject: Re: Simple_form to handle strong_parameters
To: plataformatec-simpleform@googlegroups.com

I also thought about some wrapper, but for me it is too complex a solution. simple_form is a wrapper by itself, and it does not look very simple. I agree that mixing strong_parameters functionality with simple_form code is not a perfect idea. But what about more general functionality, maybe some filter, that can be used in different ways, without mixing filtering logic into view code?

It turns out that it is easier to implement that filter by monkey patching simple_form's FormBuilder:

https://gist.github.com/3992175

And in a view, I only have to change one line of code, instead of adding conditions to each line:

<%= simple_form_for(@topic, :defaults => { :display_only => permitted_params.topic_attributes } ) do |f| %>

This gist can be released as a gem, but only if there is no chance to include filtering functionality into the simple_form gem.

2012/10/28 Carlos Antonio da Silva

> I personally don't think this is SimpleForm's responsibility. It's up to
> the developer to show the correct fields that are going to be submitted to
> a particular controller that handles params with strong_parameters.
>
> In any case, I'm pretty sure it's possible to wrap SimpleForm's behavior
> in a new form builder that handles that for you. I can think of something
> that receives the "permitted_params" in the form_for call, and
> automatically skips attributes that are inside there. Keep in mind that it
> may be a bigger problem when you're talking about nested attributes and so
> on, but I think it's possible.
>
> On Thu, Oct 25, 2012 at 9:09 AM, Denis Peplin wrote:
>
>> Hello!
>>
>> I have watched the Railscast about strong_parameters,
>> http://railscasts.com/episodes/371-strong-parameters (sorry, for
>> subscribers only), and implemented that solution.
>>
>> The author suggested filtering out forbidden attributes. And it is really
>> needed, because strong_parameters will not raise an exception on an attempt
>> to change a forbidden attribute. A success message will be displayed to the
>> user, but the attribute will stay unchanged. It is expected behaviour (
>> https://github.com/rails/strong_parameters/issues/54#issuecomment-9771662
>> )
>>
>> So, that Railscast's code to filter out a forbidden attribute is:
>>
>> <% if permitted_params.topic_attributes.include? :sticky %>
>> <div class="field">
>>   <%= f.check_box :sticky %>
>>   <%= f.label :sticky %>
>> </div>
>> <% end %>
>>
>> Using simple_form it can be written like this:
>>
>> <%= f.input :sticky, :as => :boolean if
>> permitted_params.topic_attributes.include?(:sticky) %>
>>
>> It's already too much I think. But it is only one attribute. For five
>> attributes it will be five permitted_params.topic_attributes.include?()
>>
>> It probably can be shortened, but still there is a need to specify some
>> condition for each attribute to filter out forbidden ones.
>>
>> So maybe the simple_form gem is the right place to auto-apply
>> strong_parameters permissions? Or is there another way to do it?
>>
>
> --
> At.
> Carlos Antonio

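
Added example, not part of the original messages and not the code from the gist: a wrapper builder that takes the permitted attribute list once and skips every other input, next to the server-side filter that silently drops unpermitted keys. BaseBuilder, PermittedBuilder, permit and render_form are hypothetical stand-ins written in plain Ruby; no simple_form or Rails API is used.

```ruby
# Added example: plain-Ruby stand-ins, no Rails or simple_form required.
require "set"

# Stand-in for a form builder: #input renders one field for an attribute.
class BaseBuilder
  def input(attribute, options = {})
    type = options.fetch(:as, :string)
    %(<input name="topic[#{attribute}]" data-as="#{type}">)
  end
end

# Wrapper in the spirit of the thread: receives the permitted attribute list
# once and renders nothing for any attribute outside it.
class PermittedBuilder
  def initialize(builder, display_only)
    @builder = builder
    @display_only = display_only.map(&:to_sym).to_set
  end

  def input(attribute, options = {})
    return "" unless @display_only.include?(attribute.to_sym)
    @builder.input(attribute, options)
  end
end

# Stand-in for the controller-side filter: unpermitted keys are dropped
# silently, with no exception, as the thread describes for strong_parameters.
def permit(params, allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# The view body stays free of per-field conditions.
def render_form(builder)
  [builder.input(:name), builder.input(:sticky, as: :boolean)].join
end

# Constructed sample: a regular user may edit :name only.
USER_ATTRS = [:name]
FORM_HTML = render_form(PermittedBuilder.new(BaseBuilder.new, USER_ATTRS))

# A submitted request can still carry the field the form did not render;
# the server-side filter is what keeps it from being assigned.
SUBMITTED = { "name" => "Hello", "sticky" => "1" }
ASSIGNED = permit(SUBMITTED, USER_ATTRS)
```

Hiding the input only keeps the form consistent with what will be accepted; the permit step on the server remains the control that decides which attributes are assigned.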