Rails 4: Testing strong parameters

July 9, 2013 Robbie Clutton

UPDATE: Thanks to fellow Pivots Alex Kwiatkowski and Rick Reilly, we found that inheriting from ActionController::Parameters didn’t work for update_attribtues. Alex explains some of the changes they made. In the mean time, check out my repo for the example, including a commit for the failing test and the fix.

Since Rails 4 has been released we’ve been getting involved and learning about what has changed. One of the changes most discussed is strong parameters and I wanted to explore some ideas about how to test this new feature. Strong parameters are a way of white listing HTTP query parameters and moves the burden of whitelisting from the ActiveModel/ActiveRecord classes and into the controllers. I think this feels like a better place for this to happen.

Most examples I’ve seen encourage the following:


class UsersController < ApplicationController

  def create
    User.create(user_params)
  end

  private
  def user_params
    params.require(:user).permit(:name)
  end
end

However I think this encourages asking the question of how defensive to test the strong parameters portion of this. Should you do the defensive code for each action or is one enough?


describe "#create" do
    it 'creates a user' do
      User.should_receive(:create).
        with({name: 'Sideshow Bob'}.with_indifferent_access)
      post :create, user:
        { first_name: 'Sideshow', last_name: 'Bob', name: 'Sideshow Bob' }
    end
end

There are a few ways to extract the parameterisation whilst making it testable but the one which feels most natural for Rails is to extend the ActionController::Parameters class where it can be tested independently of the controller actions.

My first attempt lead me one way but I eventually ended up extending the ActionController::Parameters, but as Alex pointed out this doesn’t work for update_attributes


class UsersController < ApplicationController

  class UserParams < ActionController::Parameters
    def initialize params
      filtered_params = params.
        require(:user).
        permit(:name)
      super(filtered_params)
    end
  end

  def create
    User.create(UserParams.new(params))
  end

end

I went back to a previous thought and made the params call a class method.


class UsersController < ApplicationController

  class UserParams
    def build params
      params.require(:user).permit(:name)
    end
  end

  def create
    User.create(UserParams.build(params))
  end

end

Now the strong parameter aspects can be tested independently


  describe UsersController::UserParams do
    it 'cleans the params' do
      params = ActionController::Parameters.new(
        user: {foo: 'bar', name: 'baz'})
      user_params = UsersController::UserParams.build(params)
      expect(user_params).to eq({name: 'baz'}.with_indifferent_access)
    end
  end

The controller can then choose it’s interaction with the UsersController::UserParams class through strong (which requires knowing the controller and action) or weak stubbing:


describe "#create" do
    let(:http_params) do
      { user:
        { first_name: 'Sideshow', last_name: 'Bob', name: 'Sideshow Bob' }}
    end

    let(:model_params) { double(:model_params) }

    before do
      UsersController::UserParams.stub(:build) { model_params }
    end

    it 'creates a user with strong stubbing' do
      UsersController::UserParams.stub(:build).
        with(
          http_params.merge(controller: 'users', action: 'create').
            with_indifferent_access) { model_params }
      User.should_receive(:create).with(model_params)
      post :create, http_params
    end

    it 'creates a user with weak stubbing' do
      User.should_receive(:create).with(model_params)
      post :create, http_params
    end
  end

This now allows the tests to focus on the business logic of the actions rather than worrying about the defensive coding of strong parameters and also gives the developer confidence that the strong parameters are adequately tested.

The evolution of this can be seen in this repository, with thanks to Bryan Helmkamp and Alex Kwiatkowski.

About the Author

Biography

More Content by Robbie Clutton
Previous
A Rubyist Learning Go – Types and Interfaces
A Rubyist Learning Go – Types and Interfaces

While looking at the websocket library for Go, I came across the following code: func EchoServer(ws *websoc...

Next
A Rough Guide to Data Science
A Rough Guide to Data Science

If Big Data was last year's buzzword, Data Science may reach the same level of hype this year. There's no s...

Enter curious. Exit smarter.

Register Now